saintbot | e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c

System Information Discovery

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe

Drops startup file 2 IoCs

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe51011.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51011.exe	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51011.exe	51011.exe

Executes dropped EXE 1 IoCs

Processes:

51011.exe

pid process

2256 51011.exe
Loads dropped DLL 2 IoCs

Processes:

51011.exedfrgui.exe

pid process

2256 51011.exe
3984 dfrgui.exe

pid	process
2256	51011.exe

pid	process
2256	51011.exe
3984	dfrgui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dfrgui.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\zzAdmin\\Admin.vbs"	dfrgui.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe51011.exedfrgui.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	51011.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	51011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	dfrgui.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b	dfrgui.exe

Drops file in System32 directory 1 IoCs

Processes:

dfrgui.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\dfrgui.exe dfrgui.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	dfrgui.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

dfrgui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dfrgui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dfrgui.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

232 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1072 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

51011.exe

pid process

2256 51011.exe
2256 51011.exe

pid	process
232	schtasks.exe

pid	process
1072	PING.EXE

pid	process
2256	51011.exe
2256	51011.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe51011.execmd.exedfrgui.exe

description	pid	process	target process
PID 3960 wrote to memory of 2256	3960	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	51011.exe
PID 3960 wrote to memory of 2256	3960	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	51011.exe
PID 3960 wrote to memory of 2256	3960	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	51011.exe
PID 3960 wrote to memory of 4052	3960	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	cmd.exe
PID 3960 wrote to memory of 4052	3960	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	cmd.exe
PID 3960 wrote to memory of 4052	3960	e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe	cmd.exe
PID 2256 wrote to memory of 3984	2256	51011.exe	dfrgui.exe
PID 2256 wrote to memory of 3984	2256	51011.exe	dfrgui.exe
PID 2256 wrote to memory of 3984	2256	51011.exe	dfrgui.exe
PID 4052 wrote to memory of 1072	4052	cmd.exe	PING.EXE
PID 4052 wrote to memory of 1072	4052	cmd.exe	PING.EXE
PID 4052 wrote to memory of 1072	4052	cmd.exe	PING.EXE
PID 2256 wrote to memory of 3984	2256	51011.exe	dfrgui.exe
PID 4052 wrote to memory of 5100	4052	cmd.exe	cmd.exe
PID 4052 wrote to memory of 5100	4052	cmd.exe	cmd.exe
PID 4052 wrote to memory of 5100	4052	cmd.exe	cmd.exe
PID 3984 wrote to memory of 232	3984	dfrgui.exe	schtasks.exe
PID 3984 wrote to memory of 232	3984	dfrgui.exe	schtasks.exe
PID 3984 wrote to memory of 232	3984	dfrgui.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe
"C:\Users\Admin\AppData\Local\Temp\e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51011.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51011.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\dfrgui.exe
"C:\Windows\system32\dfrgui.exe"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
4⤵
- Creates scheduled task(s)
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
3⤵
- Runs ping.exe
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
3⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

4

System Information Discovery

4

Peripheral Device Discovery

T1120

Remote System Discovery