Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
293s -
max time network
210s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
13/06/2024, 18:01
General
-
Target
a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe
-
Size
29KB
-
MD5
d2efb0b8b82576016416aacbde6c3873
-
SHA1
19cac454edb76d7e879598d8c7e8e032f9d006d2
-
SHA256
a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969
-
SHA512
e05172a8e7b0988ecfd85833177727262448bc9730dd0b33bae2b311d95336a97399824635f2ef4a6374fe04eb46f3739f4a6cce4a46b0c04df88a915d5b2c94
-
SSDEEP
768:HOMiz6RkiNkf8DnpdGMXMmCp3gzr9b3j3zIXwrn:smCiE89dGM6pwzFF
Malware Config
Signatures
-
SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
-
SaintBot payload 4 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe"C:\Users\Admin\AppData\Local\Temp\a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office InfoPath MUI (English) 2010.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office InfoPath MUI (English) 2010.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\EhStorAuthn.exe"C:\Windows\System32\EhStorAuthn.exe"3⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\del.bat2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 33⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"3⤵
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {18229A7F-AC2A-4249-9153-02A9D935AD98} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\z_Admin\Admin.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\z_Admin\Admin.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq EhStorAuthn.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /NH /FI "IMAGENAME eq EhStorAuthn.exe"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
318B
MD5c87e8fdc20bf8d140b0e67e1d00aa6d7
SHA1ce80a9aac930a057b26e584c99931288ac82a1be
SHA256a2bb3643dd8e625e4d2cbb56c2c331a8ee0879a3ff432aaa57d9c057b9f7d986
SHA51209f09f2b499046a3dd2434c5193636a978a6ed98b7ca34f27e680cbafa628d2a43050fc7c6d7472d7a6edcb5c6f70b729cbee708175c014a2d086a983b4961c7
-
Filesize
175B
MD527a66c6f5104a0f9e0feee3a3ed57816
SHA18c08034fe0e93748fcd653acda13a5df92263c1d
SHA256fb5da38c62629330924a6e14b8f47159c3b93f18e62688ee56364d45a7f34894
SHA512f259af45c189712dae757fb9eccd828a19a6da3d8011c64a7825093123a74452967f21e5416aee69809c40137e2b31a8bd77125ab0a6d986033df8416d7a3046
-
Filesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
Filesize
170B
MD57fe762e20099ac6263f73e9802371684
SHA1caee8a6e500edaa047451fee1a748c0cb02a04da
SHA256eb1049f972679d763edd03252cbad0cc801021ca5eabe897c9cfd0142fee26a4
SHA512eac2d0e01c18e33e6405bd76518ac1357f1040300dd9b575f84193c66aa6f152f97d8adc0598f99e0c15e418007bba4dcc2a4c54ab8b96a7c530670f3e0e6b22
-
Filesize
29KB
MD5d2efb0b8b82576016416aacbde6c3873
SHA119cac454edb76d7e879598d8c7e8e032f9d006d2
SHA256a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969
SHA512e05172a8e7b0988ecfd85833177727262448bc9730dd0b33bae2b311d95336a97399824635f2ef4a6374fe04eb46f3739f4a6cce4a46b0c04df88a915d5b2c94
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB