hxxps://www[.]uptodate[.]com/external-redirect?target_url=http%3A%2F%2Fapc[.]foundation%2Flaura-d58Kvlarkl-QnP1-g8Kvo-d58Kvo-y5&token=o1j24x8yqbCigYycIC6ni4B7VDe7Hz17hJNfy5f8gT3%2F1GKAFN45f%2BlZyQqB2Xd7&TOPIC_ID=119517

Analysis

max time kernel
120s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 15:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.uptodate.com/external-redirect?target_url=http%3A%2F%2Fapc.foundation%2Flaura-d58Kvlarkl-QnP1-g8Kvo-d58Kvo-y5&token=o1j24x8yqbCigYycIC6ni4B7VDe7Hz17hJNfy5f8gT3%2F1GKAFN45f%2BlZyQqB2Xd7&TOPIC_ID=119517

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133486821160533601"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2324	chrome.exe
2324	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1528	2008	chrome.exe	16
PID 2008 wrote to memory of 1528	2008	chrome.exe	16
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 2752	2008	chrome.exe	30
PID 2008 wrote to memory of 676	2008	chrome.exe	28
PID 2008 wrote to memory of 676	2008	chrome.exe	28
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23
PID 2008 wrote to memory of 3040	2008	chrome.exe	23

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87d369758,0x7ff87d369768,0x7ff87d369778
1⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.uptodate.com/external-redirect?target_url=http%3A%2F%2Fapc.foundation%2Flaura-d58Kvlarkl-QnP1-g8Kvo-d58Kvo-y5&token=o1j24x8yqbCigYycIC6ni4B7VDe7Hz17hJNfy5f8gT3%2F1GKAFN45f%2BlZyQqB2Xd7&TOPIC_ID=119517
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:2
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3660 --field-trial-handle=1916,i,17282212006079278531,3801623550281552113,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c57562566ae851baf0d2e1551ba30c3c

SHA1
f06df836ff4a31d19419e1652105b076abbd1a67

SHA256
1f8b0b4b412ad73aacd4b5e4faa97dbf3868664bc68d2415acdba1aa960c53ae

SHA512
3009c086a5652d29747e9decce8f93294053221e9e7fd064bad6302eb2a05afd25f825f9fea90472970122d03b3c0c03aba6416fa9e6cc3322f73a38235287d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
fe68ab76e7254e9b7c7178f780cb4e58

SHA1
b24553f5c5a6ec99fbb07808a9cd28b7314af31f

SHA256
96f03570b5d8cf59d60cc0f9e6a6f428435c1595981f07d9f74bc47a34d3895d

SHA512
aa9475bacd3a0f880492c396cad4b6c61140984b8958e7e4146fbc3eefe5a1e943e30ff62efa9a595706c5b80e89210cb6bb2faedc91d6d51ba67b30ecc60cce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a223b7c03b180722192ee255566756ca

SHA1
5e0c9083daee4fd999743b7f675e60309a4c5840

SHA256
6177656075e1b530d1893956e665ee0d9116504495be3c43a4bdeb2fbd8992e6

SHA512
c19a17e06e1ff75d6672f224f509068f76718dd19adbf630ad0560bffbf2bee51b14b98b2e982289dd2270bc6ca435dceb0821314ad4210204389094eed0da6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
87724f815058a6247e7f26126fdeccc2

SHA1
059427175a0e29fc03c5d99cc0b561e74680dc4f

SHA256
69e08c762b6d2e82086bf0869ee2071b0a1b2efe2021bd08e51e9fa212458296

SHA512
f90b86ac03cd39ca7f3aeccf460b2115cf9a66386ce14321998bc27c79220f05f009039500eecba28c461e2209f441fc0fd967f5334c51161f69491b8780399e

Download Submit