Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
10-04-2024 14:00
Static task
static1
Behavioral task
behavioral1
Sample
c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe
Resource
win10v2004-20240226-en
General
-
Target
c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe
-
Size
234KB
-
MD5
ec0883bd8594cc34092a5e9a70a1b249
-
SHA1
4ba9c7d411006de1bf589eac2fa179d1d7120468
-
SHA256
c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574
-
SHA512
2cd9f53f426d1d083df8b81001c67d211546c79d6c4b66947d37cd603b5d65e38a137822b0b1e8b1149f55f1df1433f61aa64ca5ed4f6502353f0b5b879ce379
-
SSDEEP
3072:ikQyq9LPYIV2c4cWS3/gzrJibspWivFYMmgESdWylzs0i2EbrXlY5ql5Gw:ikI9LP5VGaIzkAvFYZgdWis0iVfpl
Malware Config
Signatures
-
SaintBot payload 8 IoCs
resource yara_rule behavioral1/memory/3000-2-0x0000000000220000-0x0000000000229000-memory.dmp family_saintbot behavioral1/memory/3000-3-0x0000000000400000-0x0000000000A14000-memory.dmp family_saintbot behavioral1/memory/3000-23-0x0000000000400000-0x0000000000A14000-memory.dmp family_saintbot behavioral1/memory/2944-27-0x0000000000400000-0x0000000000A14000-memory.dmp family_saintbot behavioral1/memory/2944-31-0x0000000000400000-0x0000000000A14000-memory.dmp family_saintbot behavioral1/memory/2908-33-0x0000000000080000-0x000000000008B000-memory.dmp family_saintbot behavioral1/memory/2908-35-0x0000000000080000-0x000000000008B000-memory.dmp family_saintbot behavioral1/memory/2908-36-0x0000000000080000-0x000000000008B000-memory.dmp family_saintbot -
Deletes itself 1 IoCs
pid Process 2612 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25591.exe c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25591.exe 25591.exe -
Executes dropped EXE 1 IoCs
pid Process 2944 25591.exe -
Loads dropped DLL 4 IoCs
pid Process 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 2944 25591.exe 2908 EhStorAuthn.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum 25591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 25591.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum EhStorAuthn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 EhStorAuthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe EhStorAuthn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 EhStorAuthn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EhStorAuthn.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2684 schtasks.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2632 PING.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2944 25591.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 3000 wrote to memory of 2944 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 28 PID 3000 wrote to memory of 2944 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 28 PID 3000 wrote to memory of 2944 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 28 PID 3000 wrote to memory of 2944 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 28 PID 3000 wrote to memory of 2612 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 29 PID 3000 wrote to memory of 2612 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 29 PID 3000 wrote to memory of 2612 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 29 PID 3000 wrote to memory of 2612 3000 c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe 29 PID 2612 wrote to memory of 2632 2612 cmd.exe 31 PID 2612 wrote to memory of 2632 2612 cmd.exe 31 PID 2612 wrote to memory of 2632 2612 cmd.exe 31 PID 2612 wrote to memory of 2632 2612 cmd.exe 31 PID 2612 wrote to memory of 2580 2612 cmd.exe 32 PID 2612 wrote to memory of 2580 2612 cmd.exe 32 PID 2612 wrote to memory of 2580 2612 cmd.exe 32 PID 2612 wrote to memory of 2580 2612 cmd.exe 32 PID 2944 wrote to memory of 2908 2944 25591.exe 33 PID 2944 wrote to memory of 2908 2944 25591.exe 33 PID 2944 wrote to memory of 2908 2944 25591.exe 33 PID 2944 wrote to memory of 2908 2944 25591.exe 33 PID 2944 wrote to memory of 2908 2944 25591.exe 33 PID 2908 wrote to memory of 2684 2908 EhStorAuthn.exe 34 PID 2908 wrote to memory of 2684 2908 EhStorAuthn.exe 34 PID 2908 wrote to memory of 2684 2908 EhStorAuthn.exe 34 PID 2908 wrote to memory of 2684 2908 EhStorAuthn.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe"C:\Users\Admin\AppData\Local\Temp\c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25591.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25591.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\EhStorAuthn.exe"C:\Windows\System32\EhStorAuthn.exe"3⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F4⤵
- Creates scheduled task(s)
PID:2684
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\del.bat2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 33⤵
- Runs ping.exe
PID:2632
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"3⤵PID:2580
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
Filesize
170B
MD531152ff9908e95a6436102811cc99874
SHA12c9919654a653fe21b55c0d61a8eb98a7d25ef87
SHA256f7f58acd6a97ab44d170a7229b9dbb26f53be8b2115a55ee09ad507425c47625
SHA51260e1791c7bb1cceb937c9238ddecd1121095ae9f882651274f01258999808ffe2e867038273b2d6c7522924fa74bc34d21d571181eede82a9f2030a8649041cd
-
Filesize
234KB
MD5ec0883bd8594cc34092a5e9a70a1b249
SHA14ba9c7d411006de1bf589eac2fa179d1d7120468
SHA256c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574
SHA5122cd9f53f426d1d083df8b81001c67d211546c79d6c4b66947d37cd603b5d65e38a137822b0b1e8b1149f55f1df1433f61aa64ca5ed4f6502353f0b5b879ce379