Overview

overview

5

Static

static

1

URLScan

urlscan

1

https://ncv.microsof...

windows10-2004-x64

5

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-03-2023 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://ncv.microsoft.com/wLXVB3y6Iv

Score
5/10
microsoftphishing

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
    phishingmicrosoft
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ncv.microsoft.com/wLXVB3y6Iv
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3328
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.0.596203964\727921564" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1788 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {668d1586-21d3-48d2-8493-5fa91c27dd1c} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 1920 2001e516558 gpu
        3⤵
          PID:4260
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.1.467664838\1594875487" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7776298b-df2f-4082-9ddf-3f73e2011767} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 2316 20010670758 socket
          3⤵
            PID:2352
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.2.1688463096\66294685" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3012 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c51fde74-241a-4c37-b108-b395f1cae7c4} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 2812 200212fa858 tab
            3⤵
              PID:4492
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.3.1825668881\1526181656" -childID 2 -isForBrowser -prefsHandle 1380 -prefMapHandle 2460 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4abbeba-4fbc-4911-9300-3089e9462aca} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 1184 20010663558 tab
              3⤵
                PID:5076
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.4.31738345\1354258142" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4a669a6-1e96-489e-b587-59ba7ad08651} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 4164 20022434f58 tab
                3⤵
                  PID:1292
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.7.1948970383\1568393124" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30e3b5dd-7395-45b6-b0df-fdc567ada010} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 5220 20023aa9a58 tab
                  3⤵
                    PID:4848
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.6.673046915\542817571" -childID 5 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcd0d668-eb7b-47d1-9412-7bd8ec289d5c} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 5036 200237bb958 tab
                    3⤵
                      PID:1296
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.5.827082807\483068066" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57cd4b08-71f0-4c03-97ec-46549dc24206} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 4904 200237bb058 tab
                      3⤵
                        PID:4644
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.8.1580531138\1186725838" -childID 7 -isForBrowser -prefsHandle 2680 -prefMapHandle 4764 -prefsLen 27116 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65b41595-2503-4d20-9ace-ea4fb45591a9} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 1648 2001ed2f858 tab
                        3⤵
                          PID:5856
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.9.2136127533\2138494186" -childID 8 -isForBrowser -prefsHandle 6212 -prefMapHandle 6180 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e3dd46b-346b-46d4-84a2-32a8f1a44c49} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 6252 2002574de58 tab
                          3⤵
                            PID:5524

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\3Z5P4JGP\customervoice.microsoft[1].xml
                        Filesize

                        120B

                        MD5

                        65beb1b1fa3999d60161ca5c9f6ba795

                        SHA1

                        a8a30f8bbc060842383969c18eeebb5eb4e24054

                        SHA256

                        48d706894fd3e9690c9269a316075ac87001b743739fb8b3fa389177d65161c5

                        SHA512

                        eca96dc229991f5226532444549ca8cedb10740a5ee9c905322d280c0410c9df87c03413214f9000e53b927b64593b584062327a56e53f99b5de297aa9fdb710

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\feo4h2u\imagestore.dat
                        Filesize

                        4KB

                        MD5

                        114c7d700e28295847a009772f77f499

                        SHA1

                        c469ba656cee38a837db4ffa20484240c00bb383

                        SHA256

                        343e10b531dd7753b1d7968e490086d72f7f64b06be7fb075e7a74973541f3ef

                        SHA512

                        24a003bc89a5174ffeaf74eef15af91bc91a02fefac7a54e4f49ff33b84488356b464c841c290ec399b0b067ccb2620768231c460c62b0adc8c1f24c8c10b329

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\customervoice[1].ico
                        Filesize

                        4KB

                        MD5

                        ee2b357fa5fba69af238168e3a1a27e1

                        SHA1

                        b5dd4606bedbf1d705a01f833802248e03d01518

                        SHA256

                        0fd813bae48835570858a2508d9c29900b8a4cddebff4a250e79ad12f8acbdcb

                        SHA512

                        ec00810f1dad54d6036359386c7a205953cf1e8f81909471376ea7f77786baabcf2ebb37a68ceb63531147a92080195ef64d93fe750380038e0aa00797dfcbda

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        145KB

                        MD5

                        2a3657f512ebc56a4b5de6b8eb3cc3e2

                        SHA1

                        e726a3f3f32bb46b1ad232aadb51a524cd32a5a9

                        SHA256

                        e5d7a401bd9bc5278eb58624a0f6a2464270174222d6b15af1b6eb316ba8431f

                        SHA512

                        dac3ce90391c33172a4ace74405ffeec4877c242177d059c9b23875172824ca0e72c8586a1544ff5f88407b96cec645a4b293e24420f5806b0392f22ef4eff2b

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\23516
                        Filesize

                        7KB

                        MD5

                        a511721ac745e6fe352f24df2b39ef9b

                        SHA1

                        89f4b4cb4a44d324278b080e70fcf2ee067ec127

                        SHA256

                        bee804bc471162b4f65aad80aa46e259ad1b3a48c8b1f22a88e600f48f4ded88

                        SHA512

                        1ffea61aa5ef5396f2db27d038136ed4f1735b5881a4de6417371482c9f9ebb50e76fedd742cf2461b2e7580d3f2d11f5760392680e67fcbc732b9bf031959e8

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\~DF36E9091C22631987.TMP
                        Filesize

                        16KB

                        MD5

                        b76bf47173c7d14ed24d0b84647e88e7

                        SHA1

                        78ffd918e98f03c28b93d8247926c8a17d10a19c

                        SHA256

                        72738009e9fdb7918df57126a46471a5f5f28e5839d8fbf97dbf3e08fdcfbfc6

                        SHA512

                        3292b1d5b7f22ad720db293a1e994828c4e1800af7b097ab0c2e8a2124b8db260dc4b2d5e5182ae0416e9df290c7ca2b40c0cf481c1e114d77f784908ee18673

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        b1bcc40dea53b1b5ba46ebb3ba13c6e2

                        SHA1

                        00f621f0a32d01e4b72512853b950894af23e937

                        SHA256

                        81be9b8a908593fa7ac573449a6eb855deb2a18105d67560ffbd0660e90e5ff1

                        SHA512

                        3002b4c806a5ad9b44f5e74ccda73e4348c4c06819e54ac5b3513754a6b1219e6c2330d98ab6dc8834d2ce0f083b3245e3c1f38b469f6030f5c128ae4998eecf

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        3b24a2842704c30bc8a8cfaff249b16d

                        SHA1

                        2f65923098c57b720af0389f7fde0de115f2c4b9

                        SHA256

                        e29ee80893aad0c596da8c5a7aa3088f01c48d37044c1f412c8ed0fa5639c5bf

                        SHA512

                        6a1ea25d2e3d92f099c0d86a56107ad3c41367304823b6129da8604f52f63e7ab58ff49faf228da2816314e68a8285240d857912a5a0d61905e38b195a7bd7b0

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        10cb1d3d1874883d779b5354eef142f4

                        SHA1

                        30abd57459628567924c95acb72830b32a5b051a

                        SHA256

                        8734b1a54f78f40f02bc6751a1c323453cecdccadc6664a1d5d35c8c177a8900

                        SHA512

                        5ebdf95e280983f57ffed9c0ee5449691ce2fd80e5b21a13fdb3c8d11f622020dd0eb79868b99e7e6380934958ef11d04455ffba1a6599ae3870fa1b26ffe415

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        7KB

                        MD5

                        110250f7c478d4c4004546b0aab4624c

                        SHA1

                        879ef534036af80ef961995f23b0608fdfae1ea1

                        SHA256

                        c6db36d70a72e8754a2412245b34929de1cfa2d9ba5ed3dbc269acef47eb7065

                        SHA512

                        d5c39f4eedfc1a84761002680624bf141f4f9c0bea7f382b8dcfbb83be372d680c20eef3588870f6091b853436116d22cde906c2ce6ac17b2a941b5358d9678b

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        feb8a52858c8167a58f36caa1b37f116

                        SHA1

                        7ae7f9d2721ae3c579f9e18e4fea679e8c848158

                        SHA256

                        adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

                        SHA512

                        109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        84ab33ac1764c253e86a533912a08f19

                        SHA1

                        574df99ae40108b21a896f38eac8251af7256a4b

                        SHA256

                        1d2345d170ff85aee99f109077dbb40d15d151b65d5014dd37d152bc0fa48c89

                        SHA512

                        fdedbea3cca43139e1df8aa73c9871ab7c0af227c0ffa1637067dc0dd2f6729845a0b99aed42b03e878ccd960d7bcd60912cf5aeb38d7ca9edba87eb7d712fca

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        b23f7f379903beb06ba977321b36cbf1

                        SHA1

                        8384bdacba70251354b7bb1c9866ae2ac4cf7829

                        SHA256

                        cedf4b73dcab1a41a3543a492d14d4d92bdf1c052af1f2b976228183d16fa080

                        SHA512

                        843a2a20fc503507a64a25496c2f7b9cb64f0dc775e5810db928b17f347effe0f0da6caa527fb2a0561bc8bf5db60d15f3458fcc3c82635bfe2b81f064b840cd

                        Download Submit