saintbot | a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\14761.exe	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\14761.exe	14761.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	14761.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	14761.exe
2452	EhStorAuthn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	14761.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	14761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4576	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2328	PING.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 2736	3704	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe	100
PID 3704 wrote to memory of 2736	3704	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe	100
PID 3704 wrote to memory of 2736	3704	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe	100
PID 3704 wrote to memory of 4276	3704	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe	101
PID 3704 wrote to memory of 4276	3704	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe	101
PID 3704 wrote to memory of 4276	3704	a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe	101
PID 4276 wrote to memory of 2328	4276	cmd.exe	104
PID 4276 wrote to memory of 2328	4276	cmd.exe	104
PID 4276 wrote to memory of 2328	4276	cmd.exe	104
PID 4276 wrote to memory of 3576	4276	cmd.exe	105
PID 4276 wrote to memory of 3576	4276	cmd.exe	105
PID 4276 wrote to memory of 3576	4276	cmd.exe	105
PID 2736 wrote to memory of 2452	2736	14761.exe	109
PID 2736 wrote to memory of 2452	2736	14761.exe	109
PID 2736 wrote to memory of 2452	2736	14761.exe	109
PID 2736 wrote to memory of 2452	2736	14761.exe	109
PID 2452 wrote to memory of 4576	2452	EhStorAuthn.exe	110
PID 2452 wrote to memory of 4576	2452	EhStorAuthn.exe	110
PID 2452 wrote to memory of 4576	2452	EhStorAuthn.exe	110

C:\Users\Admin\AppData\Local\Temp\a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe
"C:\Users\Admin\AppData\Local\Temp\a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\14761.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\14761.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
      4⤵
      Creates scheduled task(s)
      PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4176 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

4