hxxps://vscode-update[.]azurewebsites[.]net

General

Target

https://vscode-update.azurewebsites.net

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133244142644179161"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3808 chrome.exe
3808 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3808 chrome.exe
3808 chrome.exe
3808 chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe
Token: SeShutdownPrivilege	3808	chrome.exe
Token: SeCreatePagefilePrivilege	3808	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe
3808	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3808 wrote to memory of 3896	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3896	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4516	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4880	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 4880	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe
PID 3808 wrote to memory of 3944	3808	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://vscode-update.azurewebsites.net
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbb429758,0x7ffbbb429768,0x7ffbbb429778
2⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:2
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:8
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:8
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:1
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:1
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:8
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:8
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5164 --field-trial-handle=1812,i,2987844485724660412,8345430972598128590,131072 /prefetch:1
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d8ba7cb49078786cb4d5b83d08ac0972

SHA1
0efe97f8fef8ac51b42555e1e134212fcfe66b0b

SHA256
5c7b9e0bca0bdb50cdac10014e8e8eb8177d1976455403c263824b054ecd2a6f

SHA512
fea78c897cc5c52e443acb7e28f50840533aa212dbffc993b373a378a0df1834486759cc9df548baba5b13dea43403acdb8ad98730d7e309b5521c539afa90d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9233bdd5afc8c550cff97e707650a67f

SHA1
40a3db5037c7c986cde566feff10628ddd1f66d0

SHA256
335601087f8d3ead059214590665f15bf3b275d71d966e10f373b68b1820f9c1

SHA512
cf842700a4b312bfba8b29deee634464cd0d8c4c25ef95f53a63ead581289c598df21855481648d7d58d50cc342f6576c71049b93142299252b246719466a492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2aca32a2add212ba1eab43613e92be27

SHA1
f0e74a1457ab011ae36968acf5be56cd3cc003ad

SHA256
779990dabd0107a63ceb3e51410dd69df38b7f02e089fbd29eb68135281f5b86

SHA512
75c2e0a4b77d82f3fc0b5fdd033898ac9515ad26065650f2d64fed3e679b8c7defc0745aa8d8bdeba9fe2e34aa67c15913f10283b875efd24a94c2e14ee34b68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
41f75b4295bcd05556e1914003f33de8

SHA1
2002870bec5c87c99378ded884bbc7755840147b

SHA256
9725d0fc46af280a2c6ec62282e606b61d9e37419194764d3e063b525e1fe6f3

SHA512
f0f35b8abd8c0bf74ad45178a9c7375aa162c3546704efb382fb524a8c7003fdb76e3f8f888f5e9bb00876afad7bd628987ea41da295b4745360995ad3f90882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
6c03993dc21f37876313fcbebfa70c0d

SHA1
7d0a0f327f7f90a775cecaa014d333af214221d4

SHA256
efc352111cd90226cfb4ab6c5eaf7376cca81e2be45affea27198a85fdf743d7

SHA512
185a7ac918074919bf21822c5a3b89b0c27d2c8f8ca45da96e8d502f7fd315e838420b1c03ea508f6477fed88e4cd71164f93c0055af2b52772e10d1ec1159bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
c94dcafddb4bea6ddc90290f30e70a08

SHA1
176bd39069b6a82a6ddfe6e28cc99f7d7e1708c8

SHA256
afffdedeec76d9ca21bb6207dab32ce908b0bdc2fcd9d4b0506527f663f977ff

SHA512
6e25c82d0acfe80b57036cfadcaed3265d2174e09add5eb9b1ec5505e0af65c3aa2535b762a92f7224da997a7dc638bb07606bb1e14c06ffe853cc56ee970bae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3808_WXHIRGZAVCTJDPRY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads