saintbot | a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a

General

Target

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
Size

225KB
MD5

3b6f68801cade1cd388138500fd8e986
SHA1

9bc818e0e6ef9aaafb02065800a97d8bd98ee76d
SHA256

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a
SHA512

f2931a7871491f580b94ee7dc1f0d24b50cce1464b92100b21ff3adadf15e64864b34da00bbe0709e7f0f50316fd79ef2edacd5842b16e20407634c6c514fcbe
SSDEEP

3072:5wA6vA3hLwgXQKXStY70rmSFFXJicCdmWSMXg+j5HlZhUW+gDAR:z3hLRXQKitY7GFFxCdm+9DUWF

Score

10^/10

saintbot discovery dropper

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2524-2-0x0000000000220000-0x0000000000229000-memory.dmp	family_saintbot
behavioral1/memory/2524-3-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/2524-23-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/2748-27-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/2748-31-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral1/memory/2608-33-0x0000000000080000-0x000000000008B000-memory.dmp	family_saintbot
behavioral1/memory/2608-35-0x0000000000080000-0x000000000008B000-memory.dmp	family_saintbot
behavioral1/memory/2608-36-0x0000000000080000-0x000000000008B000-memory.dmp	family_saintbot

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2592	cmd.exe

Drops startup file 2 IoCs

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe20460.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20460.exe	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20460.exe	20460.exe

Executes dropped EXE 1 IoCs

Processes:

20460.exe

pid	Process
2748	20460.exe

Loads dropped DLL 4 IoCs

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe20460.exeEhStorAuthn.exe

pid	Process
2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
2748	20460.exe
2608	EhStorAuthn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe20460.exeEhStorAuthn.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	20460.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	20460.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe

Drops file in System32 directory 1 IoCs

Processes:

EhStorAuthn.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EhStorAuthn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2504	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2696	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

20460.exe

pid	Process
2748	20460.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.execmd.exe20460.exeEhStorAuthn.exe

description	pid	Process	procid_target
PID 2524 wrote to memory of 2748	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	28
PID 2524 wrote to memory of 2748	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	28
PID 2524 wrote to memory of 2748	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	28
PID 2524 wrote to memory of 2748	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	28
PID 2524 wrote to memory of 2592	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	29
PID 2524 wrote to memory of 2592	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	29
PID 2524 wrote to memory of 2592	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	29
PID 2524 wrote to memory of 2592	2524	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	29
PID 2592 wrote to memory of 2696	2592	cmd.exe	31
PID 2592 wrote to memory of 2696	2592	cmd.exe	31
PID 2592 wrote to memory of 2696	2592	cmd.exe	31
PID 2592 wrote to memory of 2696	2592	cmd.exe	31
PID 2592 wrote to memory of 2712	2592	cmd.exe	32
PID 2592 wrote to memory of 2712	2592	cmd.exe	32
PID 2592 wrote to memory of 2712	2592	cmd.exe	32
PID 2592 wrote to memory of 2712	2592	cmd.exe	32
PID 2748 wrote to memory of 2608	2748	20460.exe	33
PID 2748 wrote to memory of 2608	2748	20460.exe	33
PID 2748 wrote to memory of 2608	2748	20460.exe	33
PID 2748 wrote to memory of 2608	2748	20460.exe	33
PID 2748 wrote to memory of 2608	2748	20460.exe	33
PID 2608 wrote to memory of 2504	2608	EhStorAuthn.exe	34
PID 2608 wrote to memory of 2504	2608	EhStorAuthn.exe	34
PID 2608 wrote to memory of 2504	2608	EhStorAuthn.exe	34
PID 2608 wrote to memory of 2504	2608	EhStorAuthn.exe	34

C:\Users\Admin\AppData\Local\Temp\a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
"C:\Users\Admin\AppData\Local\Temp\a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20460.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20460.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
      4⤵
      Creates scheduled task(s)
      PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\del.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\del.bat

Filesize
170B

MD5
a4b2b3de643c80d1f5f5f517184ae0a6

SHA1
3dc62981bc2aae2915e405c4b3f4074038527ae8

SHA256
8be293c85ed279cc1b9410409450cb36321b5d43a9652314c14024a4585111f6

SHA512
e8c374fd7730988a7cc7bc9a524e5414e9872897fce4b8d49863d5f9505e114bab6999d2014da7eaa7cb01d564e87f68e428fe52f2315b20da014463eb498c35

Download Submit
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20460.exe

Filesize
225KB

MD5
3b6f68801cade1cd388138500fd8e986

SHA1
9bc818e0e6ef9aaafb02065800a97d8bd98ee76d

SHA256
a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a

SHA512
f2931a7871491f580b94ee7dc1f0d24b50cce1464b92100b21ff3adadf15e64864b34da00bbe0709e7f0f50316fd79ef2edacd5842b16e20407634c6c514fcbe

Download Submit
memory/2524-2-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2524-3-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/2524-23-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/2524-1-0x0000000002D10000-0x0000000002E10000-memory.dmp

Filesize
1024KB

Download
memory/2608-33-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2608-36-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2608-35-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2748-26-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/2748-31-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/2748-27-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads