Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c33a905e51...4a.exe

windows7-x64

10

c33a905e51...4a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe

  • Size

    224KB

  • MD5

    9ae3d8ba1311af690523aeb2e69bb469

  • SHA1

    1357dbf294817122b1e193762fb3d66a5d73e651

  • SHA256

    c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a

  • SHA512

    039c76556071c1d1e86fd344f671a6ff76eea067a18b8b90d9cb1c6334bd63e64a9bf19846daf2f1e5006b331f641d65162d946c85ee0e37c510ac52c5973f61

  • SSDEEP

    3072:swA6vA1Cs1gm6LL0hX+t4cD1/JiwiX9nyntWyj5KLHXd6Buo3:i1Csam6LohX+t1yX9nMm3dpo

Score
10/10
saintbotdropper

Malware Config

Signatures

  • SaintBot

    Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.

    droppersaintbot
  • SaintBot payload 2 IoCs
  • Deletes itself 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe
    "C:\Users\Admin\AppData\Local\Temp\c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\del.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -n 3
        3⤵
        • Runs ping.exe
        PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
        3⤵
          PID:2116

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\del.bat
      Filesize

      170B

      MD5

      0ebcfb3a61bb857a39f579a83208200b

      SHA1

      f6382065a69a8a53e0c27ed640707ebdf1bc93b4

      SHA256

      571e6efcdbc6bd8a64945982408a38d17c55ac780b58620487b919615edc3a09

      SHA512

      fc5eebcbe88c90d34eb4f124b33351a6d172d62a30ee692447f6d0b8ec9d0a62cca03db6c748bf8e95a5e05c8ec478127d1ac6423df807cb0a2183351912243b

      Download Submit

    • memory/2516-10-0x0000000000220000-0x0000000000229000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2516-8-0x0000000002C80000-0x0000000002D80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2516-9-0x0000000000400000-0x0000000002BA9000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/2516-12-0x0000000000400000-0x0000000002BA9000-memory.dmp

      Filesize

      39.7MB

      Download