Overview

overview

5

Static

static

URLScan

urlscan

1

https://microsoftedg...

windows7_x64

1

https://microsoftedg...

windows10-2004_x64

5

Resubmissions

19-05-2022 07:24

220519-h8elnafcgj 1

19-05-2022 07:14

220519-h26rkaccc8 5

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    19-05-2022 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak?hl=de-DE

Score
5/10
microsoftphishing

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
    phishingmicrosoft
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak?hl=de-DE
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2360 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4372
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=211592
      2⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x80,0x104,0x7ff97d2246f8,0x7ff97d224708,0x7ff97d224718
        3⤵
          PID:924
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
          3⤵
            PID:1296
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:660
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
            3⤵
              PID:1532
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
              3⤵
                PID:5096
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
                3⤵
                  PID:3188
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5236 /prefetch:8
                  3⤵
                    PID:3144
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
                    3⤵
                      PID:2280
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,7806481947353909050,9690390441572877124,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5888 /prefetch:8
                      3⤵
                        PID:528
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                    1⤵
                      PID:2456
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:224

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      Query Registry

                      1
                      T1012

                      System Information Discovery

                      1
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
                        Filesize

                        1KB

                        MD5

                        60b3ecc11d722d74de4c9a3df9d556b4

                        SHA1

                        7c06f819e90a777bd7969c534ff2e796b07f1bfd

                        SHA256

                        30f4bee4ab4756c731ea2df39a68452ae05b280c16e2bf8d4dba5b575a223003

                        SHA512

                        783868202eca1d3d69ddf2bff5ee8fd1118d9ef3bc2b99d83bc567f2051c5a47e8f19e31f2ef81fa6f691bfdffde6d0ae98d67d97d22c97295f1e302005fdb3c

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                        Filesize

                        471B

                        MD5

                        0139ae54ab5bd17af42facbbdf2b01d0

                        SHA1

                        aa0b305fad4211f81edfa2521bece92e758b4376

                        SHA256

                        93c8a57c9a7a70617fd4e7f17442b9fa24e31104000de22637123111dcb5c305

                        SHA512

                        f34ab12338eb3fd16bc26f24b20b349a14f6fa29f4dfdb91d026347222a66abc538e6753961fbc0484efeefc56abdf6edd00ec7a80b0b8a9270d747988e5741c

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
                        Filesize

                        471B

                        MD5

                        ea6765acc46420ba4dbe60013afb7f2b

                        SHA1

                        cfea4494991f729ecbd10cddbb4ec3796fd31c0c

                        SHA256

                        c6e1a89a9a379b1ba9850fb1c32d702531e3a9dea6f0fb34cca7fded9f991fe7

                        SHA512

                        6b736759fc94e81010d85784309996f290a5d4565029c3c855d2c74da266b98a4ce5f36826e6c6b7270578967a79e4fe131249d3f05aa883b442f25b81bff8ba

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
                        Filesize

                        471B

                        MD5

                        c5cbae7ff3c87c7f1faf7f7f52dc20b0

                        SHA1

                        d86b047cb903d7f13a411ac76a9d982aa4777db0

                        SHA256

                        07393f440ef69782adb4bf97f1f2546ed16b227aefe338b11f79b2aa91f42967

                        SHA512

                        46ab522b6d639eb1cca0dca5a5f9bc88cd86ee60a9e68206fc15577eae7dd1fd2b56b6497805da59bd0d7af86e2fa7d62c141712ee5b4b4864a07d6a13196658

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
                        Filesize

                        471B

                        MD5

                        81cd3fd39122700c1177eeddf5ab254b

                        SHA1

                        f52b2235c48f8242374446c9bf1946b8557cd43e

                        SHA256

                        9ac3e6847665c1d7e2d701c00c55a3eca3a674ad06a27558a83edcffc95ff1a9

                        SHA512

                        435fb204d865f48b373ad68caabd6e0baf7f0859b2676e69cf10ff449a724f3ba52702107dcdfbfc83d7c43e49e64ff752a30ab65a6112073efa54c94078e47f

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
                        Filesize

                        404B

                        MD5

                        1487640bd290542fefbd47c4e1de4ecd

                        SHA1

                        ef95a8bfb67a9f6863b8ae83abedadcbc13eb214

                        SHA256

                        b61750ccfe56e4e869c346a364f96364b7a99f159dbcc6699fb1f4a8a1e6d4d8

                        SHA512

                        e03cdfc5169851e37699a33f85d622bd58ae14cd134c079e7c7d3f1bf0e7e610a6e7c8fc78ba8a73f4d3cb5b09f8e802215688af96c8f145fcf8e3bf7610ea48

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                        Filesize

                        434B

                        MD5

                        eded43fddecf0432fb44aebe24493c50

                        SHA1

                        3988937ab87f81b6d60d96c044e8a72153a117cf

                        SHA256

                        da2c700565565d72f03cf19532f829b36b6e18bf45dae1992fda7bf46064c872

                        SHA512

                        e2c0b34c1f7b0a54211e87281696cf6f9e8d97d17fbc695a430b7e2b13a740983609ea474d483a867c342bec361cc8a06a9a16b25864fd1f2140176e1a7fe4ed

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
                        Filesize

                        434B

                        MD5

                        c24a124d2db7a399501283926c19d58c

                        SHA1

                        c9d10bb22cf6c5a81b012beb384210b4d13d0969

                        SHA256

                        1421cf0a7081510c2d108c9d8b6994619e3b210c7cbb212dbb0156a7ff6195a6

                        SHA512

                        d80b160cb2ae55baeb1a993320512c82842ef1f5a19b65a11c7a3fda9c6cbf109c881c3517167744c9d70c7de0d10daa42c2f574beeaf443fdb94b5088a7b764

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
                        Filesize

                        442B

                        MD5

                        fb86539ddba217b4be613ed7aceeffab

                        SHA1

                        96a7f0fd690a0cd4a43e9a44782619653b84e486

                        SHA256

                        48d8a7ac68c8dac1ff7d71893a6287bb1c4b413b06623b1d4eb71d1aa929bb7a

                        SHA512

                        4483148d01451191969da9fa347e182d2460cfa975189f0b6f71c08c80d17ab9fe846153884a58e0737070d6e72e0d1e867f012d8f1f8b61ca7dc02638c18fb0

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
                        Filesize

                        442B

                        MD5

                        6717f7ce916d51463031f0cd9a312c53

                        SHA1

                        2fb5516a322dc41a8860f25610d9abefb08051a4

                        SHA256

                        f9fba1a65c73707f2bdc401981f71071db83d90e6a4789af2715e1b5da00e521

                        SHA512

                        5a6c2249ab6f1e3faefe6fc7eb6aa6fe84f9893278676d01ef8574e6ba598e4872e69d239e4052822ad4105c862b76e070388e08e2afbd5ffb6b42a9286425cb

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2klo80q\imagestore.dat
                        Filesize

                        1KB

                        MD5

                        40c9924ca55b1062fabf4e6d53aca1e0

                        SHA1

                        2c0411d2100360ed47500b048a02e2739dc50045

                        SHA256

                        63cf5b6426318a8e7270bb10ffba75d287b5094cf43d55c688cb5e3562ed2362

                        SHA512

                        e736058a5cb844f0f47803893cd1167eafe87d6b444cce366487262c0ee5ec8adb3a92699312c56e976ab559e06f3d32f3d65ee63b1ef976e973308525da1622

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\favicon[1].ico
                        Filesize

                        1KB

                        MD5

                        c31f21550fe41b47cc0775fefd023205

                        SHA1

                        239a8cef4a782fa47f4b733f715747a7a0174327

                        SHA256

                        54d502bf879cb1e12d4a7122d2dc71633ac2afd930a9f3748135a88b4641cc9e

                        SHA512

                        69d10d7515c399814c734bd3cc51a717e3f9d458a64b3ed6c807c8baa37920d37a1c9704f58bf759bb50e145bcc82614c1b46c3c2aad3ad270784f3b44643d30

                        Download Submit
                      • \??\pipe\LOCAL\crashpad_1416_EGRWVHBSZAZVOUYJ
                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                        Download Submit
                      • memory/528-159-0x0000000000000000-mapping.dmp
                        Download
                      • memory/660-140-0x0000000000000000-mapping.dmp
                        Download
                      • memory/924-137-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1296-139-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1416-136-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1532-143-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2280-157-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3144-151-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3188-149-0x0000000000000000-mapping.dmp
                        Download
                      • memory/5096-147-0x0000000000000000-mapping.dmp
                        Download