saintbot | a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a

General

Target

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
Size

225KB
MD5

3b6f68801cade1cd388138500fd8e986
SHA1

9bc818e0e6ef9aaafb02065800a97d8bd98ee76d
SHA256

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a
SHA512

f2931a7871491f580b94ee7dc1f0d24b50cce1464b92100b21ff3adadf15e64864b34da00bbe0709e7f0f50316fd79ef2edacd5842b16e20407634c6c514fcbe
SSDEEP

3072:5wA6vA3hLwgXQKXStY70rmSFFXJicCdmWSMXg+j5HlZhUW+gDAR:z3hLRXQKitY7GFFxCdm+9DUWF

Score

10^/10

saintbot discovery dropper

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3560-2-0x0000000002D10000-0x0000000002D19000-memory.dmp	family_saintbot
behavioral2/memory/3560-3-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral2/memory/3560-8-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral2/memory/2592-21-0x00000000047B0000-0x00000000047B9000-memory.dmp	family_saintbot
behavioral2/memory/2592-20-0x0000000002D00000-0x0000000002E00000-memory.dmp	family_saintbot
behavioral2/memory/2592-22-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral2/memory/3560-23-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral2/memory/2592-27-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral2/memory/4708-29-0x00000000007E0000-0x00000000007EB000-memory.dmp	family_saintbot
behavioral2/memory/2592-30-0x0000000000400000-0x0000000002BA9000-memory.dmp	family_saintbot
behavioral2/memory/4708-32-0x00000000007E0000-0x00000000007EB000-memory.dmp	family_saintbot
behavioral2/memory/4708-33-0x00000000007E0000-0x00000000007EB000-memory.dmp	family_saintbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe

Drops startup file 1 IoCs

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41832.exe	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe

Executes dropped EXE 1 IoCs

Processes:

41832.exe

pid process

2592 41832.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2592	41832.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4896	3560	WerFault.exe	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
2088	2592	WerFault.exe	41832.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4084 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4172 PING.EXE

pid	process
4084	schtasks.exe

pid	process
4172	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.execmd.exe

description	pid	process	target process
PID 3560 wrote to memory of 2592	3560	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	41832.exe
PID 3560 wrote to memory of 2592	3560	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	41832.exe
PID 3560 wrote to memory of 2592	3560	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	41832.exe
PID 3560 wrote to memory of 3372	3560	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	cmd.exe
PID 3560 wrote to memory of 3372	3560	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	cmd.exe
PID 3560 wrote to memory of 3372	3560	a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe	cmd.exe
PID 3372 wrote to memory of 4172	3372	cmd.exe	PING.EXE
PID 3372 wrote to memory of 4172	3372	cmd.exe	PING.EXE
PID 3372 wrote to memory of 4172	3372	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe
"C:\Users\Admin\AppData\Local\Temp\a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41832.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41832.exe"
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
3⤵
PID:4708

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
4⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 648
3⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
3⤵
- Runs ping.exe
PID:4172

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
3⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1268
2⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3560 -ip 3560
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2592 -ip 2592
1⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41832.exe
Filesize
225KB

MD5
3b6f68801cade1cd388138500fd8e986

SHA1
9bc818e0e6ef9aaafb02065800a97d8bd98ee76d

SHA256
a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a

SHA512
f2931a7871491f580b94ee7dc1f0d24b50cce1464b92100b21ff3adadf15e64864b34da00bbe0709e7f0f50316fd79ef2edacd5842b16e20407634c6c514fcbe

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat
Filesize
170B

MD5
a4b2b3de643c80d1f5f5f517184ae0a6

SHA1
3dc62981bc2aae2915e405c4b3f4074038527ae8

SHA256
8be293c85ed279cc1b9410409450cb36321b5d43a9652314c14024a4585111f6

SHA512
e8c374fd7730988a7cc7bc9a524e5414e9872897fce4b8d49863d5f9505e114bab6999d2014da7eaa7cb01d564e87f68e428fe52f2315b20da014463eb498c35

Download Submit
memory/2592-22-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/2592-27-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/2592-30-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/2592-21-0x00000000047B0000-0x00000000047B9000-memory.dmp

Filesize
36KB

Download
memory/2592-20-0x0000000002D00000-0x0000000002E00000-memory.dmp

Filesize
1024KB

Download
memory/3560-23-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/3560-24-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/3560-8-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/3560-2-0x0000000002D10000-0x0000000002D19000-memory.dmp

Filesize
36KB

Download
memory/3560-1-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/3560-3-0x0000000000400000-0x0000000002BA9000-memory.dmp

Filesize
39.7MB

Download
memory/4708-29-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/4708-32-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/4708-33-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads