hxxp://sanitaslux[.]eu

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-es
resource tags

arch:x64arch:x86image:win10v2004-20231020-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
13/11/2023, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://sanitaslux.eu

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133443372918675857"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	control.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3916	3204	chrome.exe	20
PID 3204 wrote to memory of 3916	3204	chrome.exe	20
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 3336	3204	chrome.exe	32
PID 3204 wrote to memory of 5348	3204	chrome.exe	38
PID 3204 wrote to memory of 5348	3204	chrome.exe	38
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36
PID 3204 wrote to memory of 4596	3204	chrome.exe	36

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://sanitaslux.eu
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb848a9758,0x7ffb848a9768,0x7ffb848a9778
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:2
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4700 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:8
  2⤵
  PID:5492
- C:\Windows\system32\control.exe
  "C:\Windows\system32\control.exe" /name Microsoft.DateAndTime
  2⤵
  - Modifies registry class
  PID:5372
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl
    3⤵
    PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4008 --field-trial-handle=1896,i,16580209539300320776,12324117496035702884,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b9dee2c2b18940a53fb3d349cf58114e

SHA1
70259680665f5b12bd41fdc95cb1ecd3727dc533

SHA256
84628b0437eb9013cb9ca87cb330699e1e71dbfec250490730a13daf5ed3eea4

SHA512
b7d1d17ef5074f620dd3e848e23d8bfd2f8fefb89a2620c118382a63d3098e52c757bd1d2e62f67c4c8cbd61f3c80849ea9fe8cc1396a96cba4340654127978b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cfd9f50e42e1a144c448ef9aef2e945b

SHA1
c4e6e92f29ad73656c3e5104ff1152757e3799bb

SHA256
c6502c6eeec9c7a66d6b5cbceae9db8ed5ddb0bce189d2d877a8f614620e3e1a

SHA512
c95a972e20af7db875a86de500ca1aa96624964a565178f02e32f160f8481d9f5b594dcc0fd9f3c3f8e42cdcc21c404a36c84fe6ff7ac2de483dc205149fca41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2b8e0219c0f795c9ff8ff75a23e6c827

SHA1
4e9957affb93d41608722f49619e905522c79dbf

SHA256
0e0c877d58781181f992bd032b574c65db49cbf31b319af20a6ce1a6de1cdcc6

SHA512
5458542bd426f2eb7dc174c27890428b6a58aaf3280e73b352a6f87e0270b3e55f62934d15cb3e150b7d346dcbd690442dd4195989a7b9e89c94f9a7866c46ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
992bedf35787b17eb8b26d9f0b03e940

SHA1
ab184f0e7817c15edf76a3a555d146a6bc6ae83d

SHA256
634e40974c8d22ff50424d5972dfa7c589b0ae1bb223800b55bc8738c2a9218d

SHA512
0919e9584939d995dc3ba1343bce789245f9286eb31e4b9b73906ee764da619a1160805b144ae2c68f3453e4a16ac7b8a9c136e7994a39f9a65fc5e899a0b7ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
873993e512ed057a6ee49d6cb594e527

SHA1
efafba3957d1fe7381de80d221d2acd0b82219c8

SHA256
faa727ef3523998bc6e144d0108f855d5b37e0b3d3ca28a4aef6d175792834e2

SHA512
7ea1124c48af4790b359cfebf45857fd8124ff8f2754b0401601346003deadb1d641fc1fb6d02c16fcc84ab738dd31768a285392c807abf4fdd683536db64859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit