saintbot | 7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4

General

Target

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
Size

242KB
MD5

67b8f4bb9c81aca61abf8d49640a85b9
SHA1

fbf00a827bf1a44340a1e4bb1698285b27dab56c
SHA256

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4
SHA512

81cf99cc0561cff8efa04cb583e437d9c1d9d6f6ba50845fb404a6d120bb87302093a9b464662f1201341914421ea887f5d78d20a5c480491b82999d12608d98
SSDEEP

3072:YFwP8VUgQInIb1gL8ed0HbJoyZP0EUvKqdeJiIg5KMHDrDjQ0E2AjBwHX50CqEZk:YqPsQWIb+LLd0RD2KqUsPQ0EjV7lQbg

Score

10^/10

saintbot discovery dropper

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2764-2-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral2/memory/2764-3-0x00000000001C0000-0x00000000001C9000-memory.dmp	family_saintbot
behavioral2/memory/4512-22-0x00000000007A0000-0x00000000008A0000-memory.dmp	family_saintbot
behavioral2/memory/4512-23-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral2/memory/2764-24-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral2/memory/4512-27-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral2/memory/3168-28-0x0000000000940000-0x000000000094B000-memory.dmp	family_saintbot
behavioral2/memory/4512-29-0x0000000000400000-0x000000000046A000-memory.dmp	family_saintbot
behavioral2/memory/3168-31-0x0000000000940000-0x000000000094B000-memory.dmp	family_saintbot
behavioral2/memory/3168-32-0x0000000000940000-0x000000000094B000-memory.dmp	family_saintbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe

Drops startup file 2 IoCs

Processes:

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe47676.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47676.exe	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47676.exe	47676.exe

Executes dropped EXE 1 IoCs

Processes:

47676.exe

pid process

4512 47676.exe
Loads dropped DLL 2 IoCs

Processes:

47676.exeEhStorAuthn.exe

pid process

4512 47676.exe
3168 EhStorAuthn.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4512	47676.exe

pid	process
4512	47676.exe
3168	EhStorAuthn.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe47676.exeEhStorAuthn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	47676.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	47676.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	EhStorAuthn.exe

Drops file in System32 directory 1 IoCs

Processes:

EhStorAuthn.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe EhStorAuthn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4248	2764	WerFault.exe	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
840	4512	WerFault.exe	47676.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EhStorAuthn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5104 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1636 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

47676.exe

pid process

4512 47676.exe
4512 47676.exe

pid	process
5104	schtasks.exe

pid	process
1636	PING.EXE

pid	process
4512	47676.exe
4512	47676.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.execmd.exe47676.exeEhStorAuthn.exe

description	pid	process	target process
PID 2764 wrote to memory of 4512	2764	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	47676.exe
PID 2764 wrote to memory of 4512	2764	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	47676.exe
PID 2764 wrote to memory of 4512	2764	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	47676.exe
PID 2764 wrote to memory of 4908	2764	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	cmd.exe
PID 2764 wrote to memory of 4908	2764	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	cmd.exe
PID 2764 wrote to memory of 4908	2764	7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe	cmd.exe
PID 4908 wrote to memory of 1636	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 1636	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 1636	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 2824	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 2824	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 2824	4908	cmd.exe	cmd.exe
PID 4512 wrote to memory of 3168	4512	47676.exe	EhStorAuthn.exe
PID 4512 wrote to memory of 3168	4512	47676.exe	EhStorAuthn.exe
PID 4512 wrote to memory of 3168	4512	47676.exe	EhStorAuthn.exe
PID 4512 wrote to memory of 3168	4512	47676.exe	EhStorAuthn.exe
PID 3168 wrote to memory of 5104	3168	EhStorAuthn.exe	schtasks.exe
PID 3168 wrote to memory of 5104	3168	EhStorAuthn.exe	schtasks.exe
PID 3168 wrote to memory of 5104	3168	EhStorAuthn.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe
"C:\Users\Admin\AppData\Local\Temp\7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47676.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47676.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
      4⤵
      Creates scheduled task(s)
      PID:5104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 648
    3⤵
    - Program crash
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1144
  2⤵
  - Program crash
  PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2764 -ip 2764
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4512 -ip 4512
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47676.exe

Filesize
242KB

MD5
67b8f4bb9c81aca61abf8d49640a85b9

SHA1
fbf00a827bf1a44340a1e4bb1698285b27dab56c

SHA256
7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4

SHA512
81cf99cc0561cff8efa04cb583e437d9c1d9d6f6ba50845fb404a6d120bb87302093a9b464662f1201341914421ea887f5d78d20a5c480491b82999d12608d98

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
915a149f5827c50f1666efd45f5234b5

SHA1
3ed496d993a6c8afd9c7615217e12e273d8350b9

SHA256
9b2c620279eba7513185b7dd0c52b8ec5d95c082aff5e6654085b3474187ce9c

SHA512
863680a00cbafd831ca4c5509cb6ad54fd5156704b02d2319034b7ba74e974031a31b040a35a17cc156ec78ab21d0c2e62ec56b83de40ead0862054f074e79d0

Download Submit
memory/2764-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2764-3-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/2764-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/2764-24-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3168-28-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/3168-32-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/3168-31-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/4512-23-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4512-29-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4512-27-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4512-22-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads