hxxps://go[.]oncehub[.]com/infobenefitsonuscom

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 01:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://go.oncehub.com/infobenefitsonuscom

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133367097650706387"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3812	3364	chrome.exe	80
PID 3364 wrote to memory of 3812	3364	chrome.exe	80
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 4412	3364	chrome.exe	82
PID 3364 wrote to memory of 5068	3364	chrome.exe	83
PID 3364 wrote to memory of 5068	3364	chrome.exe	83
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84
PID 3364 wrote to memory of 1612	3364	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://go.oncehub.com/infobenefitsonuscom
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9044e9758,0x7ff9044e9768,0x7ff9044e9778
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:2
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4648 --field-trial-handle=1872,i,5202860404068530783,2049149396496473642,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
3876aa7c1cb9115a7dce2098128fa6bd

SHA1
881df8a7f58914765ce075ee0deb3a38ec1b261d

SHA256
4482d5f5c5876cfa5bae9addc9a643635b01df754127be9c9f2f441b01c55aa8

SHA512
87db682d2a72ee42e4c49dcf0c1dd4beaccdd4ee656f0ed9fd478f19609951249b18d4d04958a433d425f1b98f683d59b042ee316fa53dd10a327b9b1ae24047

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
927B

MD5
fe9ca7bf90be1277d370dc2646ae9427

SHA1
80a801a060bef50d43648f9fe2d75df51142b9eb

SHA256
5ca94e1ad68d20b8fe099638089c8742fa433cba1cd80560e8e6ef14f4026576

SHA512
7e3f32131c65c724b7c5843b6e45a397ebd0df34ddaa5860a729e9a81899c27e30e636fb11d6e7f0e7ba4facfb4e64b8c01b712c9a06a602c6469617a0948379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
e9b9844d6d9e5d81879e608b217be2d2

SHA1
26abc63efa81fad62627988d6557317027bd9a6e

SHA256
2aece8222c20b0903f6518fb05b95daf46cc5388b2d56449c901d5d5b743dbaa

SHA512
350165b31d244cd78848f7e71c95524d4909fa4edf00708d634e8d8310f2488508be037ad743b7bd1f3fbaf6bf9048459cfb46dedb01ff2103415a0244b4ab3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
689b8ccb91b34f61b2256783d347454b

SHA1
efb11c850d42adb4b5208f297ea859c78f79ba6b

SHA256
6fa990b7dce6b2dc5f70e2f3357999b1dfdaad22f6e30141733e74629afec853

SHA512
3901fc192b9215b1bea28c42ab1f3c162c5b9adcee124cf5fe49e7c399df36a05a0525c7caf398bacd9cde475308145d2ad34aa5a139cea94fb06f297c02a8b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5bffebfc2ae9852ba3ead31a20591293

SHA1
9dc83f03d8b988f5203455b3956b0e306437c851

SHA256
b84508ea8d4090e388bc9af339b37ef0be80aea716a2470423a6e2f655c0f37e

SHA512
4afa076e146aed241babc542197ac0bc4b2cfe62f37e27406126837db359cc38ce1778a75e57d2fda0a11ea1430a06ec5347f382f901ec581f4b39d6d0c64aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b0d5652460825ae8f154318f5fff9ce9

SHA1
7b1f34bfb1fb5581e551a662fd9b759d59c97568

SHA256
fb40de7649b8ed755943a1e6cd4bc61bf909649824be798499356abf52843672

SHA512
9f3202eff946671f5b64b1b6c914d012c3de13893199890b38b4a95d8a620d4aee260e5ad8f8930222cb1ae2b43aa7bf53ca6e5bee5da8e096b64d0b957ae4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f95bac054071566f68915aef55076e12

SHA1
5f7eb8d6dae9423e5cd4b4f933704db9e4eb89c4

SHA256
7bf6eeaa15f24d82c0acbd6795950e30ea50e4603061375cb314bd68b0a1883b

SHA512
43a0d591620ff43b968556aa3813d3f601330052fe0edbe9859b86927d0b0e834237b18740ea1319a2354bd6b69159290888450a63e87d6a663498e622e1f980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
0d277341d461a97f5ad22bf7e6acafb4

SHA1
806a08db7a5d2df0273e56db8a725804f25c6aeb

SHA256
f06f8d1cabf8d8b20ce2ca81d21e510a4b8a38e9964da10bb494ff923d58fe9b

SHA512
0891b284b309a30ab0d27c91317f6f55c9a520573b912d12e331ba636411b3aaac4f019978b9daa0c67c79ea24d814a5916b2b65e435e64c4d6ae3d345a24ebc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit