Overview

overview

10

Static

static

3

ec3c0afccf...03.exe

windows7-x64

10

ec3c0afccf...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe

  • Size

    235KB

  • MD5

    247951ff7b519fa8d39ef07d33e0ba5b

  • SHA1

    cf4587b6015d2a00c26a369339504595a266401f

  • SHA256

    ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03

  • SHA512

    6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7

  • SSDEEP

    3072:ZIWl+L9yTYPc4cW/QgB3JibTVLHvFKF4uzYiP0c21srymY5rc:ZI/L9GYp/xB49vFKGuzYiP0c8q0

Score
10/10
saintbotdiscoverydropperpersistence

Malware Config

Signatures

  • SaintBot

    Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.

    droppersaintbot
  • SaintBot payload 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe
    "C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Maps connected drives based on registry
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53747.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53747.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\EhStorAuthn.exe
        "C:\Windows\System32\EhStorAuthn.exe"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
          4⤵
          • Creates scheduled task(s)
          PID:3360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 616
        3⤵
        • Program crash
        PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -n 3
        3⤵
        • Runs ping.exe
        PID:232
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
        3⤵
          PID:5060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 792
        2⤵
        • Program crash
        PID:4344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2732 -ip 2732
      1⤵
        PID:3648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2244 -ip 2244
        1⤵
          PID:404

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
          Filesize

          1.6MB

          MD5

          4f3387277ccbd6d1f21ac5c07fe4ca68

          SHA1

          e16506f662dc92023bf82def1d621497c8ab5890

          SHA256

          767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

          SHA512

          9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53747.exe
          Filesize

          235KB

          MD5

          247951ff7b519fa8d39ef07d33e0ba5b

          SHA1

          cf4587b6015d2a00c26a369339504595a266401f

          SHA256

          ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03

          SHA512

          6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\del.bat
          Filesize

          170B

          MD5

          9b1143ff58ed5cb62d5217076eaf0964

          SHA1

          f67b957fbfd107aeaed1f48733e13c3dc7d6b1af

          SHA256

          5e2151e781bf9cf36e4fc6a6d13d4686fa6375edfbe7143b1a3a40e0a4415556

          SHA512

          7f63336f33ea624a04984855b8d9e541a75c18dea067b92d153a79750c23716743e112f198dc65ba2ca1ddc5a7ad7bb5eb0076de54fbdba27862592b16cbc095

          Download Submit

        • memory/2244-23-0x0000000000400000-0x0000000000A14000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2244-22-0x0000000000B60000-0x0000000000C60000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2244-27-0x0000000000400000-0x0000000000A14000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2732-3-0x0000000000400000-0x0000000000A14000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2732-1-0x0000000000C00000-0x0000000000D00000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2732-24-0x0000000000400000-0x0000000000A14000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2732-2-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3280-28-0x00000000008B0000-0x00000000008BB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3280-31-0x00000000008B0000-0x00000000008BB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3280-32-0x00000000008B0000-0x00000000008BB000-memory.dmp

          Filesize

          44KB

          Download