hxxps://pl[.]repi-us[.]com/+?y=49ii4eh26oqm4c1gckpj8e1p70pj4ohg60o32e1k6grjce92

Analysis

max time kernel
151s
max time network
146s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01/02/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pl.repi-us.com/+?y=49ii4eh26oqm4c1gckpj8e1p70pj4ohg60o32e1k6grjce92

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133512284944542554"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4816	4004	chrome.exe	71
PID 4004 wrote to memory of 4816	4004	chrome.exe	71
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 3484	4004	chrome.exe	73
PID 4004 wrote to memory of 2280	4004	chrome.exe	74
PID 4004 wrote to memory of 2280	4004	chrome.exe	74
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75
PID 4004 wrote to memory of 4128	4004	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pl.repi-us.com/+?y=49ii4eh26oqm4c1gckpj8e1p70pj4ohg60o32e1k6grjce92
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffecde9758,0x7fffecde9768,0x7fffecde9778
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 --field-trial-handle=1768,i,12699234821583778125,16964242738300220911,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
820B

MD5
26b32fcb80a4cbafa5de4c23b2c90307

SHA1
e6fc8ef574028a0f928fb1f4888a3a5b3c4679e6

SHA256
a8db43298e6946cd8b654ea21c9578bbbbcb6e802808872a56b2e3358992169e

SHA512
e3d67ab2d8f3263ccd8f483239546c07d2dc687483a3df21e3d3a79682e62d028793341dd3a4d3e9bd5498e08f2d6a6f450cd0d8f480521ccaf52c79b49e0575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
0b89b317e9009d2edcac06416858013c

SHA1
5e59fc1d96901c95439e17c79ca08e9e2d8ed659

SHA256
150340164ca7818c0f9b24cc2e85143ddbd58474c54e17363ce7359357e80940

SHA512
b4f94394916e3f3e4dd9b1567c8ddb6e4af48b69a975e04677762f6a577e042a27061b1cb4a3f57c2904bd88a81331d12fd46bff8a9e9f219b3ea422c9fb308f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0d3e719632243e468654a2dde650d675

SHA1
13237bbfa5e8283fc3cf328fe0687e1a45323365

SHA256
9f0d2c60ecbcced9ef640ac91fb6b37b9dc9e771e7d271955da65c76b3e1f099

SHA512
04e5008e58fc925a48a308228f3458b35fe2acf1f4f916ac56ad3ad1c10b04043eaaa3d2b521727ef4779deb18e90c78d2f110b0bf2f23e448269012ffeb634c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
85cd86d65e607066159a8a5aa4aec6c5

SHA1
cb6499803bf149f505384871194255a9538b9c84

SHA256
b2c2b509431b557c9706f586a5cbf711556aebf087d13798bc25dc936abc5eaa

SHA512
a9f17faf2c635138fd4d44a7f70ddf1db42286375d5b1230ce3280e21dcea1cde5f484269be69d197c83bba35f0a98008f175672d67368eaad4dffd51ab3a5e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aa992ca0dacf04c6888b6f1296e1e182

SHA1
f4b3f5e1d14d3783bd30a1410e608337ce8f60f8

SHA256
33b425a7d5fe1cf2fd917681ce73c5f317a69cfcc86c2e70d129bf124176d404

SHA512
c7748fc142bf66a0d46da870d04cbafd8b081f8723e6369985f229b73bf5a2b73611318f91fd3cabb4fbe2e15bec2ea2d5ed9c0c0d585f8cc98a5ad03b206fbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
c657215d2595e2897b4bff67e8d1f3ee

SHA1
c1de0cc98ef847ef2b505e441df84b98a89bde9e

SHA256
3e0a2176c40533342c234ea1c86e3783e7dff56308fa203e236cbf47b63b2b9e

SHA512
6081d189b30f5daeda6cfe5f92b5e085726e4f56e308d54941d62a0aabe573a1d3c03408e039df302c83f6d89115078f3024ef1b1465085a3fccc1330faa7f23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit