61672f0bd566b1eabd015c3157aaeaeff541ade2d74e3c8c854ccd3ced505ac0

Analysis

max time kernel
136s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sai-1.2.5-ful-en.exe
Size

2.4MB
MD5

bf54fc5a30a96c58c583f4a5038b5e4b
SHA1

2faab49cf00efd63d129b5dd8130e480bcff7be1
SHA256

61672f0bd566b1eabd015c3157aaeaeff541ade2d74e3c8c854ccd3ced505ac0
SHA512

50170bf086e4e2eb8aec8b6f6492c01ccf392a9e1f2ccd44f38ae91be8be343dcbc4830e7e0a7c4c57f4aca9b1e616e9e46143a8d6f28fe48b909cbde575fedc
SSDEEP

49152:ojjTsTbJk6iU2Q6+eqB8YSgmyjvOS4SDewj9vSbHH37cSbHH3ZjCCNcp9fzhEVE:ojjTikpU2Q6Q8YTmyz74SDlFq3gq3Kp1

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sai.exe

pid process

1252 sai.exe
Loads dropped DLL 2 IoCs

Processes:

sai-1.2.5-ful-en.exe

pid process

1752 sai-1.2.5-ful-en.exe
1752 sai-1.2.5-ful-en.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

sai.exe

description ioc process

File opened (read-only) \??\f: sai.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

sai.exe

description ioc process

File opened for modification \??\PhysicalDrive0 sai.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1252	sai.exe

pid	process
1752	sai-1.2.5-ful-en.exe
1752	sai-1.2.5-ful-en.exe

description	ioc	process
File opened (read-only)	\??\f:	sai.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	sai.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sai.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2	sai.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sai.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sai.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1	sai.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	sai.exe

Modifies registry class 7 IoCs

Processes:

sai-1.2.5-ful-en.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sai	sai-1.2.5-ful-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sai\DefaultIcon\ = "C:\\PaintToolSAI\\sai.exe,1"	sai-1.2.5-ful-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sai\Shell\open\command	sai-1.2.5-ful-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sai\Shell	sai-1.2.5-ful-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sai\Shell\open	sai-1.2.5-ful-en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sai\Shell\open\command\ = "C:\\PaintToolSAI\\sai.exe %1"	sai-1.2.5-ful-en.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sai\DefaultIcon	sai-1.2.5-ful-en.exe

C:\Users\Admin\AppData\Local\Temp\sai-1.2.5-ful-en.exe
"C:\Users\Admin\AppData\Local\Temp\sai-1.2.5-ful-en.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
PID:1752

C:\PaintToolSAI\sai.exe
"C:\PaintToolSAI\sai.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
PID:1252

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:2060

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2584

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PaintToolSAI\brushform.conf
Filesize
99B

MD5
a54d58d5ecaf135210cbc0dc0722db8c

SHA1
8d5d53f12143ad5f3013dbe35bb032d0f4866ff0

SHA256
825d95462051f66c80074a9aa6cce3575167e917f81e793a3a3428dd66df7138

SHA512
b783cf00e97716f913d3c7c847e48a6eb12e386598c2756a7ac428da07806487f141c21e3c5c4dabee6684534d820d622e8d8fee3ff33805db01dde1c2a29662

Download Submit
C:\PaintToolSAI\brushtex.conf
Filesize
45B

MD5
3581dfe37330e7399ce4e7616640d591

SHA1
06a633a215ea1fa85ec30bcc91f34bd3c10e53e9

SHA256
2dd3bb0ed53ec1d3db814c34f9a22eb56e1488e5b7a618f387652e5281ee7a35

SHA512
22475f2362460cda77e6f7d43fa20ae8be1e0996483d2e0725c7d3d000664974a51360efc0c1770448670af64a139e01259fd0fea238e46cabfbb40603321a41

Download Submit
C:\PaintToolSAI\language.conf
Filesize
115KB

MD5
3d2b466fad0dece08147b9b8a006739c

SHA1
2fc1a42d5260dba98e5cff9eef8bfc5414a875fa

SHA256
8f76e1ce74e33dae5bfdc7ad697139a6f334f2123f9cb726ab630bbd1b84da68

SHA512
6b28b1404dd6744b55bd5bdb74277d23900c89fc4ec7a14f9418e48e59b2b7aed4fcaa611c61b514791ce8f8b0dff9f317771024d561118cdd59779e500ff6fa

Download Submit
C:\PaintToolSAI\misc.ini
Filesize
6KB

MD5
84582a8bdb7d2059826eaa9cf9c3143e

SHA1
25cca650c27a81425e874d5546f09b7489091205

SHA256
127d0959e4ec51456554a642bb3080e0331f58a7e8635e6f5d9280b1921b7076

SHA512
03a01d5c808bb14290122bb2f5214575fb149100dc7707f8e88a0ae8891941a23c3e3fd548b09aa857a1d19554acbda9eccca8144b0253c4f58069fd0c922e1a

Download Submit
C:\PaintToolSAI\papertex.conf
Filesize
103B

MD5
38d40f9c4e6b0810a5e1b6709d277fc2

SHA1
e23f5d930a15bc20cb03f1b1fdedcac4dc0b9e04

SHA256
ad422261151f403038aba095e0c90fa434c97cd9860ab689812277a0a98e9943

SHA512
8458745f1314220f94d605e4ac45d000a7ba296a69773bcc124bf4003340a38df38f238a66a0bba57e6df3c9c60312a6073461dabf5f853cb47f560dabce9791

Download Submit
C:\PaintToolSAI\presetcvsize.conf
Filesize
1KB

MD5
1cf572c0011d492d1ce0d82722c58bc2

SHA1
db32407054030d017874092cb6b52742ed372972

SHA256
b14b2ea65f246e94bc5a77c9c4c80b2bf82c11a4fba90df7c623564de0e7506b

SHA512
2aa45f0be60faa75ea50de97f3d207029bccdde5c9e51b6b22090a4d06adf077d049c73e41a9c66ea71583da03c0d2bcbe766f4a86e8aa0bcb5269237aa1d489

Download Submit
C:\PaintToolSAI\toolink\00.ini
Filesize
348B

MD5
4025dc43111a07c8d1819fcba6b9ab28

SHA1
69de7e6aec04da6b9d3788e4eb2b2d8f1b484cf0

SHA256
484d550d389e3e883ddcbf5237db417dd1473754845b2a4ce3a6aab80891cc6c

SHA512
d346759a0ff20deb45c52a141f520cf32faa6d6028fedb9c1bbb8cab56b8df65d64f23047fab2fbac76ef1c21d6ea2c09d891b532505563ef76cff8c42a224ea

Download Submit
C:\PaintToolSAI\toolink\01.ini
Filesize
355B

MD5
3b509df959a9771a6dfe0765f5f319cb

SHA1
1f6871cec92596a1a60f8ade1845e9c184b58a09

SHA256
4f38166fedb8e5892900c629d1ff7c06bfb26d7c83ded97dea1d81c74896ab08

SHA512
39cfef5d910d593bb5528307722bb09a0b4e2d38726d4e018ab6781c922380089eb3cad5dac707c03a07648e456b0958f115316bac845895872fc8a0286f4b75

Download Submit
C:\PaintToolSAI\toolink\02.ini
Filesize
344B

MD5
70545879a8784c88fa1a504aa7f203ab

SHA1
ec1eb39255b8105f4fc43b4e45fd7b885c9b4757

SHA256
25cfa9d933de810cde042cfcfc97a315701eebf1bff2f0d7d65f588a6035778e

SHA512
76b4f1a3b923c02b7a94b31e0b37aeb5bceff854e37531042264b63dc17d665ea15fa8f20b3c8b22eaf1bdf4bec07d971cc997608463b4d0c85b93d9d88d77fb

Download Submit
C:\PaintToolSAI\toolink\03.ini
Filesize
45B

MD5
9f3178552a2ead373a35aa57948e09cf

SHA1
11bf0b9e3481b26fff15c3a9bc58f6ce57a9acb9

SHA256
d84a9995c07de6fda8fce6db10d8983ffd3110e274ca12f8d163d948ba4dfaf3

SHA512
ad1363fac386a952da4091677b05a9f5ea686d2e1d5eb2c26ada3b562fc54b56d8b0ba91cba7ccc16074fd14f920478b291f96571d79802d2725011ce5d40f3f

Download Submit
C:\PaintToolSAI\toolink\04.ini
Filesize
52B

MD5
7b3a324b1ac005423dfe2a615bb2067d

SHA1
fa9c419334c6c1d9c1f0e89820c901342b2d3c96

SHA256
d6fa250f5ff8dc192d8fb02d92dd3deab68d7e59ea703361cba479c7a800631f

SHA512
2aa3b3710912787ff51765231128bbcb47d47b3cdb318c1acc61a4dd5b12d3ef2f9a43b39340d091a4c14813bd48598ada7c06bf81ea82af66e0243d53c0aa8e

Download Submit
C:\PaintToolSAI\toolink\05.ini
Filesize
48B

MD5
8d9109be027c25796c30c58cb573dcc8

SHA1
20e6437a21adc321fda97206e8d8477d6ec01db0

SHA256
4e5b0ea5f683edfa928b676e69a92ec6f6a97990b1a3e19077b4d1fa611137c0

SHA512
3a8533aab211dac2c6e26e70b99fe1fecfdba4ca816bf046b95f07424a54cad174f03db622da2deb17f4e95b99ba037a8e1a78c2023de01a4f8968a7940ea54d

Download Submit
C:\PaintToolSAI\toolink\06.ini
Filesize
350B

MD5
17e352e45a31b4e3cf1dd1a41f4265ee

SHA1
8edbd332dfd62e88c457b639717d646796ac1f15

SHA256
7af491821a7ad3b3ec89902d746170743f4dd80f974dc38150bb95dce44b0995

SHA512
f3e1ec877e0ce7eaaa5c4bb9e5eebbc61bbcfc94818c9349be54bd7d8adee6077051466291e85105162999e12f6c0079e7f7f0007cf9975ad6da618e6e6d6cc0

Download Submit
C:\PaintToolSAI\toolink\07.ini
Filesize
351B

MD5
420ddd5d03319ce2c96aff5d491a7a1f

SHA1
506fc58788ce3c0d9c8212af1ec8a82180cbd266

SHA256
b98502c1ac3f870957ae543729fb0db39458b56232249e96562128ef8c1c15f7

SHA512
ef120d7a0d00eebe5d14c5fecaf13d577f273396ad7fdb8c97f8009e563cd59bb10d953f55cb1ca087424a21c81575c29e1b76ad057680387c8dc40222a327e7

Download Submit
C:\PaintToolSAI\toolink\08.ini
Filesize
343B

MD5
1e826b9f924fa1100c2b0b1861c3f33d

SHA1
dd208498ff0a166dbad5e32e59a4a37aac1e32c0

SHA256
48626fba0bb2e319b622397c301240f8e5e3abd61ebc9e9e9240d9ac17b5d3e5

SHA512
49b58f25f9b9c75dbccefd5c49311644b4c6005e010ff89cae4e180f647f9c0b39c7ddf1f4f0f5aba8a5a19885fd53ad62f0dbdc8463f5e49b6a9e89e2a95595

Download Submit
C:\PaintToolSAI\toolink\09.ini
Filesize
342B

MD5
92faea1b8d82ec6aee561e129914f0d1

SHA1
2bf3d991a0925babca785ea29af692ead6213b09

SHA256
4732e58003250a3da4bff607c93e514ff76d65cd28727acae2cdca6746e96998

SHA512
0bb48945f78c78ffcebf8fab8a944a24e6d7c5f28ba0bfab2c1673cbe318ad3ace9fc971bc20b3cba808d6c74ec44f506e3ecee49a1e0fc8bc83bb15644d37c0

Download Submit
C:\PaintToolSAI\toolnrm\00.ini
Filesize
356B

MD5
30f6569afc4a009cfee4be4db172cf61

SHA1
608544efd289d925156a1d6e5461f4a22498c0cc

SHA256
b5931ec94f2491fe107446a04c7c65356eab98ad4ad049918e9b85df3c2d93c1

SHA512
fd50f72a1fae74c829a4e52785388a8538afced06849cbe3a8a5a41360be0f4fcd26ecc5b1c6eb0f4f6652f7f556df846af6c9f1411be96eb051e6d5a425ead4

Download Submit
C:\PaintToolSAI\toolnrm\01.ini
Filesize
372B

MD5
6fedc0b858d49480b57e346cde0a1eac

SHA1
7e1d473977fb336b40a5a24aff51d70d72893047

SHA256
1dde66a643bd1a3e228a818924d94bdc49ee3893de5cd7f06c1fddf5ef4126a3

SHA512
181da9843b5ef023400f408761e01384890be15e43de2673f23f574911f45d52e12a4305a9c84d8f8e88ecda21748d2613f900f02d9b164ed256b77a4fd0cc1b

Download Submit
C:\PaintToolSAI\toolnrm\02.ini
Filesize
382B

MD5
e572f56fcb48891ff286738cc635edea

SHA1
6390f85e274c3a74979c8288c31659dc65bdfbf3

SHA256
c3928e123d513e08a3175ef188d6ca37370497dd3f096bad70b977c9d34dc5e5

SHA512
6a29929fe4e4c73c89be107771b0037af26d1eaac94edaa6c29891592294a3317d0dcedfb3660e9f486fbac7985b58981cdd893d21db47b0c9a01b3b6d9958af

Download Submit
C:\PaintToolSAI\toolnrm\03.ini
Filesize
365B

MD5
6b3e0cf7bc86f20948010c969c2bee3f

SHA1
7aafb9cad09dfe8b1e5c26b0d2a408905d5ac685

SHA256
f4f6bd841bb2d912404592ff8e2749e416c3ef507ccfc8720d32b20935a4a8d8

SHA512
69ee9cb0ec155911d7058cf04b840063488d9bb9aa8ce83ad3da2f946060dd2f9f0cd1ec0981f0810d2ea934174806a0449fed7a9a0002aea5902a83698bea67

Download Submit
C:\PaintToolSAI\toolnrm\04.ini
Filesize
360B

MD5
318bd05bd0ed5a8bdc5019c63886ac62

SHA1
10cedbe88c0b15b0e1b056f6b516e427a797a4d4

SHA256
a02300d6287eed6ac1053e234360f5a6340ae2ebed9a06130125d5043c82fe75

SHA512
7d44ce1159a4fe0b13ebbf9087e12a6bda732cdbb36014ca9517dc05a1cddf15fe573beb6a082a42664105bc1f48233845d9a7a77532b04fbfb189e16f572ccd

Download Submit
C:\PaintToolSAI\toolnrm\05.ini
Filesize
361B

MD5
59404a672521b12fd79ec610bf8f3e36

SHA1
c704069690c1395b087700996cdcbc2ab389d8d9

SHA256
3ead6d8b5a44aa014da39a49eb9e1bf2b662996a979a9dbc3e7dfa24448ad84a

SHA512
b6b8c8aed35ff95bcc07f0bf30694592601ebb142f3643366eaa402c00a4fd5cd9b2fb6f084202fde78412c2b38a084fd2f88615e521751767feaec430bed601

Download Submit
C:\PaintToolSAI\toolnrm\06.ini
Filesize
361B

MD5
1e7c30e82acd128c8ec11ea9b27f27b7

SHA1
a56f115fa2ef1b3dea7fc10b1d9dc2e76b3b76bd

SHA256
a10869d9bd7d1d8ba414ed79722ef198b0392580164c502630c8f89201a45b83

SHA512
882912c2c4722632e05ca7eae14c1b3cef76d0bd54ccdb80fe274484951639a8a01f03b3f7f8123c1e9eec9241318380eb2482e57081fa04436aa8ec23c67b10

Download Submit
C:\PaintToolSAI\toolnrm\07.ini
Filesize
362B

MD5
6f88ba70c856e3eaa64278f389fd8a63

SHA1
7470d59f08b6d8dcacc0cc26a216ff3f699c6c6e

SHA256
adf1a53740d702c4a63f3d83c6d9a88487f7d151af2d94ba3ad715833ce65009

SHA512
31d88cabd18304ca5f7729ed7e298e7ac37e44995554acda7c5f33f8850842f1f9d8455ec9c2c4be4f40b5dbd737342763f1b226abf04d4e4ffd529f65be5929

Download Submit
C:\PaintToolSAI\toolnrm\08.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\PaintToolSAI\toolnrm\08.ini
Filesize
98B

MD5
282e118d915746b4b6b53c69e0934304

SHA1
7b677bfa515c029b1e60314a883ddf1ed8cc9778

SHA256
66fa3170625c937beacf77f3ee53b6cc50bcca52790234cf88f6a87b00966708

SHA512
f879069393755d292cef49e93f26449c45c3516cb59c977e95d659d83df5851bd6c15f96594f90d3e24b2d90a684240c3d69c05560b5c3b8cf058f5b73a1affe

Download Submit
C:\PaintToolSAI\toolnrm\09.ini
Filesize
196B

MD5
9d0e263b00e2d1613d48b2e0cab48e56

SHA1
e89a0e4cd9e6a30a79fede15e1a06e3ad374018a

SHA256
da4d5c4d137fc7ca92a7544af59331ed308b73d3f36ce89eec57a9b905faf48e

SHA512
dfddbd16438d79e5afe187636b27651ae27e95c69d1c97bc0857a754da52ecc124550126564f15667c825fce170f50731a2706706dc526364894746600a56469

Download Submit
C:\PaintToolSAI\toolnrm\16.ini
Filesize
376B

MD5
29845977e4e7cfb3786d47979089eff8

SHA1
23be899577e32aad57ea1d3e9f38f21f5a3c0e6c

SHA256
5e1d9dffe2e3347edfd4e64732129d55aa8e018bd7bfb914445e2519dfa4c351

SHA512
ed37ed4dd68a3e82b27084043e1be4cde5bfe76d5b52a15b7cf3f2a7c1559164a8beda9eaea03165fde8f9202ea055c98c55f098b7ffc119c9bb238642ec5d3b

Download Submit
C:\PaintToolSAI\toolnrm\17.ini
Filesize
371B

MD5
076589a092247f5e46b78a2c2fd16d63

SHA1
1c92aca243af4e93fdd4925795d2195de874107a

SHA256
02d7acdd2cdbee5288e1773400a28e302069aa9b0f797d562dc42d9e94e219e3

SHA512
dfefbd4a86b227fd8b416184b9e22d873280a04064f1bff26fbc3be27fc8173427179a8424d4c67081c8a58e6a0d96de4ea9112c5e2fedd3a5461b2dc9c4d0ff

Download Submit
C:\PaintToolSAI\toolnrm\18.ini
Filesize
376B

MD5
f3eefb8543ede02499aa3887a75208e1

SHA1
4c42e905544b805a72582b4512ca18b62b1e7074

SHA256
b1b210d0c8ca96607abcc06934ff65fa324874c9563f7fb50e342ac944e94196

SHA512
aa4bff3146a33eecc070b9b45e20d41a292d73f96ff91dee16acaa68024b48a12fbd9b457cad948064fbc890a4c4077e5f594ac5ec374dda19ee682fceaa4d83

Download Submit
C:\PaintToolSAI\toolnrm\19.ini
Filesize
353B

MD5
58389a59486b4223acb48fb93b0ae6b0

SHA1
a354548d0a5e5aa20f88a5ec82505345abde604b

SHA256
1c79e9a42b7014cc1627260ee50a77d556d2968d3214d8df387a408158c54a73

SHA512
d43b82b519818cf51f9aa96e3d1f2aac4765e5f6519af6c030932f4d51b0bd8ce16a1e925f14d149ac3b45a8ea2d37de66f75bcc8eb553934ff51064b552974e

Download Submit
C:\Users\Public\Desktop\PaintTool SAI Ver.1.lnk
Filesize
578B

MD5
9727a853db7e8e201ce5aa5812751e56

SHA1
ca9f245103a0949e906592a06ca64813eb0f831c

SHA256
c340b3b9fed5d4078251551161dda774a4222b8e790eb137beb432136d084d81

SHA512
f619fd1cca7ac0c9f609e6fdb705456fe481f15620847ee55e03ba3dbf3fabd909946422a84e571a6379943660e338381c8f9fef9d0d11765876ffd778803efd

Download Submit
\PaintToolSAI\sai.exe
Filesize
2.1MB

MD5
f4e7e00aa4c222d6253aa1f0a5f302c2

SHA1
ea5b1621634f0c8d20110ce06346dace8c61f427

SHA256
2b640b1362cba36953b1f82f0fd31235b0776c19aef61c1699ba39f43221159f

SHA512
328a290779aaba32820a44edd7efb4d47de51c276eb04bb2c5feab4f72638091d90ca81ad3f52388c94427a63e32d61beb19bf5e202d6fbf80094905a2651a59

Download Submit