hxxps://pl[.]repi-us[.]com/+?y=49ii4eh26oqjip9ncli3gd9jc8pmap9g60o32d346lgmcph2

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01/02/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://pl.repi-us.com/+?y=49ii4eh26oqjip9ncli3gd9jc8pmap9g60o32d346lgmcph2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133512265385117146"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3824	chrome.exe
3824	chrome.exe
4928	chrome.exe
4928	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4304	3824	chrome.exe	73
PID 3824 wrote to memory of 4304	3824	chrome.exe	73
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 5068	3824	chrome.exe	76
PID 3824 wrote to memory of 4556	3824	chrome.exe	75
PID 3824 wrote to memory of 4556	3824	chrome.exe	75
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78
PID 3824 wrote to memory of 4508	3824	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pl.repi-us.com/+?y=49ii4eh26oqjip9ncli3gd9jc8pmap9g60o32d346lgmcph2
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcfdaa9758,0x7ffcfdaa9768,0x7ffcfdaa9778
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:2
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4468 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 --field-trial-handle=1764,i,1220408221216153004,4891167788504189607,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
892B

MD5
79bf59fb535cfbef62c5e53d0770b016

SHA1
a6ba3c91f1c37ec553bd98530ea275052b50a48c

SHA256
0ebe0f3b083dc22362a2bf07617bf39d7da95e4b155490f13ecf2fe47c894c0c

SHA512
00e2b1ecf560e56482ad8af14a264103f8bc091f3ed18a9bdcd75c96bda573ed0a9079dd3b071cc94cd4a0989581d04537d3e349624f2b7de6ea4af4fd5823e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
01afcf76199cdf96fba61132132cac95

SHA1
96b1d5c4931d8443c4c8ddfdef61e59dddf7c933

SHA256
2fe121cf419e9ad860fe720b5862a4c8bd3ce4f413951e3c59f6b92580872d26

SHA512
fcf9f90e97cbbbb66956131ebe2f7b1a3c8e38c694446b22aa00ca463daefc4f4670ca2e8924787e2ba22921c475f896f1f6d2122c1023887e38981b7a09e638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9ed3d8a49b313c8e85e28f2acea899de

SHA1
8bb51c6e409c871ea46986702d6de4adb49e79d6

SHA256
a2b4f4e672ca7516997d987724bcd4e5694a07a7e61c92869af19d895d65833d

SHA512
61859085e83c62b565037b03f6151e893a1ddd1e2142cae919cab6718d60b063456a65fc17dfd414d7132228c31013c88ec75256497bf504cac102d5beb632a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f48f0aeb8740b4b772f7d8b518443e8a

SHA1
572c58679e1282f503a597824bf2cc1496955b4b

SHA256
8f0177c4185b2d9fef1ea61278cef2c6f5610f3b76ba17d6a0968a8f7eb95de6

SHA512
024a00cebcbd249b59f02a77040abb2aa89c8c67549f70a6641de485a591092b179855b82dcafbce2ad112c2b8446992214fab71714d17b784bb76c375113734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
13b18008ba931ca023e3fc7a3a2b5d06

SHA1
97e749c3fdbab115f0c97a57c2bb28d5859ff068

SHA256
919c8f05268c8550a2e562fff7934255b1cbf28758b5ebe8ec5f67d1b6f74e02

SHA512
ca2ae1513d5f15f87d7a6536f50c33ce052d674f70a2bf8510ec50c0076c4134def6377a0a84b6e0b7b3cae312a9fab66113649a29f6a659778fe97bc7189ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
528ab82ae7c276eb9f5cc89ffd8e015b

SHA1
415134e63441164ee17d8ec8f62584bb5a1150d0

SHA256
6cd03a684f1492d62ab23a3be2573278a4f99feaf03fd86984502f12d2749d24

SHA512
667e5483c2b1096eff8b68bd58edb57a261dc30e6941456b25bc9f20806d24ba153b105b6af16ad9a7d84b859f7393859757dd9bb59ed7f64332ea2216bf853b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit