hxxp://www[.]netbenefits[.]com/

Analysis

max time kernel
18s
max time network
19s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20/08/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.netbenefits.com/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133686308444296105"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 4772	2812	chrome.exe	73
PID 2812 wrote to memory of 4772	2812	chrome.exe	73
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 2944	2812	chrome.exe	75
PID 2812 wrote to memory of 1372	2812	chrome.exe	76
PID 2812 wrote to memory of 1372	2812	chrome.exe	76
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77
PID 2812 wrote to memory of 3116	2812	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.netbenefits.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa8db89758,0x7ffa8db89768,0x7ffa8db89778
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:2
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1660 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1884 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2688 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2696 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3736 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5360 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1868,i,15128844051751488428,2673781242693646453,131072 /prefetch:8
  2⤵
  PID:2208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_h.online-metrix.net_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_nb.fidelity.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b511952bf85105ff17f05cbfb06ec233

SHA1
629fb77a59fcbdbec064881396e235bd23ab0bf7

SHA256
5d870b68fc8a854ca6a165213c2e65ca1ea4d59d5c8f3637077c2934702c9eb0

SHA512
b9419b4b2a1d95d85bd59608b05b2cf89b1593816249f71082d0f47eb5a8ac49abfe5f27f2a0866cfd0526554d8329a7f8c773c538930a47d55195d6b1ac882f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
cdf0fd555f058e3193e3cc416091162d

SHA1
2d9af2669b8fa8c9705ee9779a2ea5b5204a6695

SHA256
44dfbaa7f826d5f6413629c4f9d9e2a0bb7149c8cafd6747e81fee716776b963

SHA512
035198f56ae46a6f9a6664e872fde722af7faa313d5e094b166c9224d5792b853adfff6264d5d3da7976bac2c30fe9ddfc80b0948f5c0773b7e961bb3012f046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit