hxxp://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion[.]ly

Analysis

max time kernel
2103s
max time network
2070s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion.ly

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133354680001375313"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4612	1952	chrome.exe	85
PID 1952 wrote to memory of 4612	1952	chrome.exe	85
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 4664	1952	chrome.exe	88
PID 1952 wrote to memory of 1692	1952	chrome.exe	89
PID 1952 wrote to memory of 1692	1952	chrome.exe	89
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90
PID 1952 wrote to memory of 1376	1952	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion.ly
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeeb1d9758,0x7ffeeb1d9768,0x7ffeeb1d9778
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:2
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:8
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4124 --field-trial-handle=1864,i,10032991883850611428,6504931194035946170,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c82a89af6d008ae07ad16a64210b1cd2

SHA1
59af95463572b12cd10d0d51106ce9efbe2906eb

SHA256
a27d3102a8de4766820657e253b047f77b5d21ce931d83ae0747cd91e2e1c8f9

SHA512
7c696c4e1d2dc578953cc55bbad454bfeeb6bc998a26fe8e35c5c0546a93bd101651c6649117587721d17bd761e1eb385b706911c56e939cf04de8891db32c9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f186ad6611fa6bd99968182d3d962599

SHA1
2c26f63c46e7fce2d4dd4f8bf5252e8eb0b8b850

SHA256
78bee1bcec1ae1208cbc565db663fbf8699e347182b949a1180fc3c628f40dfe

SHA512
aa095f3dcb305e7b21a9c9b4e8f279f82a2a3ba3fabf36be657ff0472cc1cc464b1753e9188ea24548e7c2cee27b2cd8db7d8d9de920491a05bdf70da61b3fef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0ccf9fd966f4240752550a3b2cb840b3

SHA1
6e1cc2565f884f17fd16e116437d44f0773d95ec

SHA256
6b734dc19f3d01eb111edf6feba83ad367e776702a27a2ed271d4abc10386ebd

SHA512
302778ec4a2c788c62ca1a7c1477e5a385e45fca8d0bc1137f8ff6c758eebdf0527fec999aa32a1c20616b7497a81df9a5e3d616cf500c6fcee1c96ac2221e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
2fc0709c95e82408fa5896dabc5676b9

SHA1
63264272d79f83552ae3954ed8f57f94cb03a12c

SHA256
c82257c1a6f9672982541bf95e2de788ec1b5507c0ae549fbc04ba05d5646ea7

SHA512
da1717e0bedda9b63b254baf76286903b877fe7bef63411d706910946b0c59472498e28557c4baeeacedce73b7abef8cc1ad84a4dc8abe38b2dd75aced74ce66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit