
ID: 323663   Cookbook: browseurl.jbs   Time: 10:26:27   Date: 27/11/2020   Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents ................................................ 2
Analysis Report https://aka.ms/vmsettings ......................... 4
  Overview ........................................................ 4
    General Information ........................................... 4
    Detection ..................................................... 4
    Signatures .................................................... 4
    Classification ................................................ 4
  Startup ......................................................... 4
  Malware Configuration ........................................... 4
  Yara Overview ................................................... 4
  Sigma Overview .................................................. 4
  Signature Overview .............................................. 4
  Mitre Att&ck Matrix ............................................. 5
  Behavior Graph .................................................. 5
  Screenshots ..................................................... 6
    Thumbnails .................................................... 6
  Antivirus, Machine Learning and Genetic Malware Detection ....... 7
    Initial Sample ................................................ 7
    Dropped Files ................................................. 7
    Unpacked PE Files ............................................. 7
    Domains ....................................................... 7
    URLs .......................................................... 7
  Domains and IPs ................................................. 9
    Contacted Domains ............................................. 9
    Contacted URLs ................................................ 9
    URLs from Memory and Binaries ................................. 9
    Contacted IPs ................................................ 11
      Public ..................................................... 12
  General Information ............................................ 12
  Simulations .................................................... 14
    Behavior and APIs ............................................ 14
  Joe Sandbox View / Context ..................................... 15
    IPs .......................................................... 15
    Domains ...................................................... 15
    ASN .......................................................... 15
    JA3 Fingerprints ............................................. 15
    Dropped Files ................................................ 15
  Created / dropped Files ........................................ 15
  Static File Info ............................................... 36
    No static file info .......................................... 36
  Network Behavior ............................................... 36
    Network Port Distribution .................................... 36
    TCP Packets .................................................. 36
    UDP Packets .................................................. 38
    DNS Queries .................................................. 39
    DNS Answers .................................................. 39
    HTTPS Packets ................................................ 40
  Code Manipulations ............................................. 42
  Statistics ..................................................... 42
    Behavior ..................................................... 42
  System Behavior ................................................ 42
    Analysis Process: iexplore.exe PID: 4896 Parent PID: 792 ..... 42
      General .................................................... 42
      File Activities ............................................ 43
      Registry Activities ........................................ 43
    Analysis Process: iexplore.exe PID: 1992 Parent PID: 4896 .... 43
      General .................................................... 43
      File Activities ............................................ 43
      Registry Activities ........................................ 43
    Analysis Process: TokenBrokerCookies.exe PID: 5844 Parent PID: 4896 .. 44
      General .................................................... 44
      File Activities ............................................ 44
  Disassembly .................................................... 44
    Code Analysis ................................................ 44

Copyright null 2020 Page 2 of 44

Analysis Report https://aka.ms/vmsettings

Overview

General Information

Sample URL: https://aka.ms/vmsettings
Analysis ID: 323663
Most interesting Screenshot: (image not reproduced)

Detection

Score: 2   Range: 0 - 100   Whitelisted: false   Confidence: 80%
Classification legend: malicious / suspicious / clean

Signatures

The signature panel lists the following (names truncated where the report truncates them):
  HTML body contains low number of …
  HTML title does not match URL
  Potential browser exploit detected (p…
  Submit button contains javascript call
  Very long cmdline option found, this …

Classification

Threat-class tags on the classification wheel: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware (none is highlighted for this sample; the score is 2 and the verdict is clean).

Startup

System is w10x64

iexplore.exe (PID: 4896, Parent PID: 792)
  cmdline: 'C:\\\iexplore.exe' -Embedding
  MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596

  iexplore.exe (PID: 1992, Parent PID: 4896)
    cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4896 CREDAT:17410 /prefetch:2
    MD5: 071277CC2E3DF41EEEA8013E2AB58D5A

  TokenBrokerCookies.exe (PID: 5844, Parent PID: 4896)
    cmdline: C:\Windows\system32\TokenBrokerCookies.exe https://login.microsoftonline.com/ 0 tbauth://login.windows.net/?context=https%3A%2F%2Flogin.microsoftonline.com&request_nonce=AQABAAAAAAB2UyzwtQEKR7-rWbgdcBZIIl7bgDY_GC9ioLlP7UyZwNcF0Gx1yd97u01lz4PRAzWbTvDq-5V1R6mzT4oAXB4gHhEI-2DF7F2ki_TfqenTgyAA&rid=3ba2171a-9af8-4eab-a790-ef9ae97a4c01 ESTSUSERLIST %7b%22users%22%3a%5b%5d%7d login.microsoftonline.com / 0 1208832155 30855147 1
    MD5: 17F27A76AC8E9869C8F1BE286D88570A

cleanup

The over-long argument that the "Very long cmdline option found" signature reacts to is the URL-encoded tbauth:// hand-off to login.windows.net (a context of https://login.microsoftonline.com, a request_nonce and a request id), passed by iexplore.exe to the system32 token-broker helper during the Azure AD sign-in that the lync settings page redirected to; the ESTSUSERLIST argument decodes to the JSON {"users":[]}. None of it is script or binary content.
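To see what the "Very long cmdline option found" signature reacted to, here is an added Python example (not Joe Sandbox code) that rebuilds the process tree from the three command lines above, flags over-long options and decodes the tbauth:// one. The 200-character threshold is an assumption; the report does not print the length it tests.

```python
"""Re-derive the Startup process tree and the 'Very long cmdline option found'
finding from the command lines printed in the report. Added example, not Joe
Sandbox code. LONG_OPTION_THRESHOLD is an assumption (the report prints no
threshold); the three command lines are copied from the Startup section."""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

LONG_OPTION_THRESHOLD = 200  # assumed cutoff in characters

# (pid, parent pid, command line) exactly as the Startup section prints them.
STARTUP = [
    (4896, 792, r"'C:\\\iexplore.exe' -Embedding"),
    (1992, 4896, r"'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4896 CREDAT:17410 /prefetch:2"),
    (5844, 4896,
     r"C:\Windows\system32\TokenBrokerCookies.exe https://login.microsoftonline.com/ 0 "
     "tbauth://login.windows.net/?context=https%3A%2F%2Flogin.microsoftonline.com"
     "&request_nonce=AQABAAAAAAB2UyzwtQEKR7-rWbgdcBZIIl7bgDY_GC9ioLlP7UyZwNcF0Gx1yd97u01lz4PRAzWbTvDq-"
     "5V1R6mzT4oAXB4gHhEI-2DF7F2ki_TfqenTgyAA&rid=3ba2171a-9af8-4eab-a790-ef9ae97a4c01 "
     "ESTSUSERLIST %7b%22users%22%3a%5b%5d%7d login.microsoftonline.com / 0 1208832155 30855147 1"),
]

# A quoted image path (Joe Sandbox prints them in single quotes) stays one token.
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def split_cmdline(cmdline):
    """Whitespace split of a Windows command line that keeps quoted paths intact."""
    return _TOKEN.findall(cmdline)


def build_tree(entries):
    """Parent pid -> ordered child pids, i.e. the 'started' edges of the behavior graph."""
    tree = {}
    for pid, ppid, _ in entries:
        tree.setdefault(ppid, []).append(pid)
    return tree


def long_options(cmdline, threshold=LONG_OPTION_THRESHOLD):
    """Options longer than `threshold` characters (what the signature looks for)."""
    return [t for t in split_cmdline(cmdline) if len(t) > threshold]


def decode_tbauth(option):
    """Unpack a tbauth:// option: URL-encoded sign-in state, not script or binary content."""
    parts = urlsplit(option)
    q = parse_qs(parts.query)
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "context": q.get("context", [""])[0],
        "rid": q.get("rid", [""])[0],
        "nonce_len": len(q.get("request_nonce", [""])[0]),
    }


def decode_userlist(cmdline):
    """The percent-encoded JSON that follows ESTSUSERLIST, or None if absent."""
    toks = split_cmdline(cmdline)
    if "ESTSUSERLIST" not in toks:
        return None
    return json.loads(unquote(toks[toks.index("ESTSUSERLIST") + 1]))


def triage(entries, threshold=LONG_OPTION_THRESHOLD):
    """One finding per over-long option, with the option decoded when it is tbauth://."""
    findings = []
    for pid, ppid, cmdline in entries:
        for opt in long_options(cmdline, threshold):
            finding = {"pid": pid, "ppid": ppid, "option_len": len(opt)}
            if opt.startswith("tbauth://"):
                finding.update(decode_tbauth(opt))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    print(build_tree(STARTUP))
    for finding in triage(STARTUP):
        print(finding)
    print(decode_userlist(STARTUP[2][2]))
```

Only the TokenBrokerCookies.exe line produces a finding, and decoding it shows a login.windows.net hand-off whose context is login.microsoftonline.com; a detection rule that keys on option length alone will fire on this built-in Windows sign-in path, so pair the length check with the image path and the decoded scheme before treating it as suspicious.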

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Signature categories: Phishing; Software Vulnerabilities; Networking; System Summary; Malware Analysis System Evasion; HIPS / PFW / Operating System Protection Evasion

There are no malicious signatures; the remaining non-malicious signatures are collapsed in the report and not listed here.

Mitre Att&ck Matrix

Techniques followed by a count in parentheses are the ones matched by this analysis; the rest are the matrix's placeholder cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter (1); Scripting (1); Exploitation for Client Execution (1)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); Scripting (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Graph header: ID 323663; URL https://aka.ms/vmsettings; Startdate 27/11/2020; Architecture WINDOWS; Score 2

Legend (node and badge types): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet

Nodes and edges as rendered:
  iexplore.exe (badges: 5 registry values, 52 files)
    started iexplore.exe (badges: 2 registry values, 96 files)
    started TokenBrokerCookies.exe (badge: 6)
  Internet contacts drawn from the iexplore.exe nodes:
    aadcdn.msauth.net
    admin0a.online.lync.com   52.112.108.12:443 from local ports 49713, 49714   MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
    sni1gl.wpc.alphacdn.net   152.199.21.175:443 from local ports 49728, 49729   EDGECASTUS, United States
    17 other IPs or domains

Screenshots

Thumbnails: all screenshots, including those not shown in the slideshow (images not reproduced in this text).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                      | Detection | Scanner         | Label
https://aka.ms/vmsettings   | 0%        | Virustotal      |
https://aka.ms/vmsettings   | 0%        | Avira URL Cloud | safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source                   | Detection | Scanner    | Label
sni1gl.wpc.alphacdn.net  | 0%        | Virustotal |
aadcdn.msauth.net        | 2%        | Virustotal |
assets.onestore.ms       | 0%        | Virustotal |
acctcdn.msauth.net       | 0%        | Virustotal |

URLs

Source | Detection | Scanner | Label
(the report prints every "URL Reputation" row three times, once per lookup; each string is listed once here)

https://acctcdn.msauth.net | 0% | URL Reputation | safe
https://www.youradchoices.ca/fr | 0% | URL Reputation | safe
https://acctcdn.msauth.net/lwsignupstringscountrybirthdate_en-us_pVtahKS9WUIZdNqg1DDhHg2.js?v=1 | 0% | URL Reputation | safe
https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico~ | 0% | Avira URL Cloud | safe
https://privacy.micros | 0% | URL Reputation | safe
https://acctcdn.msauth.net/knockout_3.3.0_X1BYS2jZMbi7hfUj8VuqFA2.js?v=1 | 0% | Avira URL Cloud | safe
https://www.youradchoices.ca | 0% | URL Reputation | safe
https://aadcdn.msauth.net/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_kitf4x-q_4sb | 0% | Avira URL Cloud | safe
https://acctcdn.msauth.net/images/microsoft_logo_7lyNn7YkjJOP0NwZNw6QvQ2.svg | 0% | URL Reputation | safe
https://aadcdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_7FOrbkodEq5Y0IAj8ZfQtw2.js | 0% | Avira URL Cloud | safe
https://acctcdn.msauth.net/images/favicon.ico?v=2~ | 0% | URL Reputation | safe
www.mpegla.com). | 0% | Avira URL Cloud | safe
https://signup.live.co | 0% | URL Reputation | safe
https://acctcdn.msauth.net/jquerypackage_1.10_5V7LAuc3bNAQx2QQfr1RPw2.js?v=1 | 0% | URL Reputation | safe
https://www.skype.com). | 0% | Avira URL Cloud | safe
https://acctcdn.msauth.net/lightweightsignuppackage_oZIcfFtGMdm_yHyDEji_8w2.js?v=1 | 0% | Avira URL Cloud | safe
https://acctcdn.msauth.net/images/favicon.ico?v=2~( | 0% | URL Reputation | safe
https://acctcdn.msauth.net/converged_ux_v2_RfnRCrmapm3W_OFn994CMA2.css?v=1 | 0% | Avira URL Cloud | safe
fontello.comiconsRegulariconsiconsVersion | 0% | URL Reputation | safe
https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico | 0% | Avira URL Cloud | safe
https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico~( | 0% | Avira URL Cloud | safe
https://acctcdn.msauth.net/images/2_vD0yppaJX3jBnfbHF1hqXQ2.svg) | 0% | URL Reputation | safe
https://www.microsoft. | 0% | URL Reputation | safe
https://acctcdn.msauth.net/images/favicon.ico?v=2 | 0% | URL Reputation | safe
https://aadcdn.msauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_59_uuouser7hrkmvbaz1jw2 | 0% | Avira URL Cloud | safe
https://aadcdn.msauth.net | 0% | URL Reputation | safe
https://signup.live.cotonline.com/login.srf?wa=wsignin1.0&rpsnv=4&ct=1606469244&rver=6.1.6206.0&wp=M | 0% | Avira URL Cloud | safe

Several of these strings are not URLs the browser requested but fragments carved from memory and cache files: "https://privacy.micros", "https://www.microsoft." and "https://signup.live.co" are truncated; "www.mpegla.com)." and "...svg)" carried adjacent punctuation with them; the "~" and "~(" suffixes on the favicon URLs are the bytes that follow the UTF-16 string inside imagestore.dat (visible in that file's preview below); "fontello.comiconsRegulariconsiconsVersion" is font metadata run together; and "signup.live.cotonline.com" is evidently "https://signup.live.co" fused with the tail of the login.microsoftonline.com/login.srf URL, both of which were carved from the same {2FC1DE9F-...}.dat file. It is not a host the analysis contacted. Reputation lookups on such fragments say nothing about the sample; cross-check against the Contacted Domains and IPs tables before reading anything into them.

Domains and IPs

Contacted Domains

Name                       | IP             | Active  | Malicious | Antivirus Detection | Reputation
sni1gl.wpc.alphacdn.net    | 152.199.21.175 | true    | false     | 0%, Virustotal      | unknown
aka.ms                     | 23.211.149.25  | true    | false     |                     | high
admin0a.online.lync.com    | 52.112.108.12  | true    | false     |                     | high
mysettings.lync.com        | unknown        | unknown | false     |                     | high
signup.live.com            | unknown        | unknown | false     |                     | high
login.microsoftonline.com  | unknown        | unknown | false     |                     | high
aadcdn.msauth.net          | unknown        | unknown | false     | 2%, Virustotal      | unknown
assets.onestore.ms         | unknown        | unknown | false     | 0%, Virustotal      | unknown
acctcdn.msauth.net         | unknown        | unknown | false     | 0%, Virustotal      | unknown
ajax.aspnetcdn.com         | unknown        | unknown | false     |                     | high
aadcdn.msftauthimages.net  | unknown        | unknown | false     |                     | unknown
client.hip.live.com        | unknown        | unknown | false     |                     | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4&ct=1606469244&rver=6.1.6206.0&wp=MCMBI&wreply=https:%2F%2Fmysettings.lync.com%2FLSCP%2Flanding.aspx%3Ftarget%3D%252flscp%252fusp%252fvoicemail&lc=1033&id=266537 | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
(every entry has Malicious: false; "URL Reputation: safe" rows are printed three times in the report and once here)

https://aka.ms/useterms | servicesagreement[1].htm.2.dr | false | | high
https://aka.ms/redeemrewards | servicesagreement[1].htm.2.dr | false | | high
https://login.microsoftonline.com/ | TokenBrokerCookies.exe, 00000006.00000002.352030645.0000025FA1D70000.00000004.00000020.sdmp, ~DF107FCF0CCD6288B3.TMP.1.dr | false | | high
https://signin.kissmetrics.com/privacy/#controls | privacystatement[1].htm.2.dr | false | | high
https://login.skype.com/login | privacystatement[1].htm.2.dr | false | | high
https://www.acuityads.com/opt-out/ | privacystatement[1].htm.2.dr | false | | high
https://www.skype.com/go/ustax | servicesagreement[1].htm.2.dr | false | | high
jquery.org/license | jquerypackage_1.10_5V7LAuc3bNAQx2QQfr1RPw2[1].js.2.dr | false | | high
https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4&ct=1606469244&rver=6.1.6206.0&wp=M | ~DF107FCF0CCD6288B3.TMP.1.dr, {2FC1DE9F-30DE-11EB-90E5-ECF4BB2D2496}.dat.1.dr | false | | high
https://acctcdn.msauth.net | signup[1].htm.2.dr | false | URL Reputation: safe | unknown
https://www.optimizely.com/legal/opt-out/ | privacystatement[1].htm.2.dr | false | | high
sizzlejs.com/ | jquerypackage_1.10_5V7LAuc3bNAQx2QQfr1RPw2[1].js.2.dr | false | | high
https://www.youradchoices.ca/fr | privacystatement[1].htm.2.dr | false | URL Reputation: safe | unknown
https://acctcdn.msauth.net/lwsignupstringscountrybirthdate_en-us_pVtahKS9WUIZdNqg1DDhHg2.js?v=1 | signup[1].htm.2.dr | false | URL Reputation: safe | unknown
https://www.adr.org | servicesagreement[1].htm.2.dr | false | | high
https://www.xbox.com/en-US/Legal/CodeOfConduct) | servicesagreement[1].htm.2.dr | false | | high
www.asp.net/ajaxlibrary/CDN.ashx. | privacystatement[1].htm.2.dr | false | | high
https://signup.live.com/error.aspx?errcode=1045&mkt=en-US | signup[1].htm.2.dr | false | | high
https://login.windows-ppe.net | Me[1].htm.2.dr | false | | high
https://www.xbox.com/en-US/Legal/CodeOfConduct | servicesagreement[1].htm.2.dr | false | | high
opensource.org/licenses/mit-license.php) | knockout_3.3.0_X1BYS2jZMbi7hfUj8VuqFA2[1].js.2.dr | false | | high
www.json.org/json2.js | knockout_3.3.0_X1BYS2jZMbi7hfUj8VuqFA2[1].js.2.dr | false | | high
https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico~ | imagestore.dat.2.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/taxservice | servicesagreement[1].htm.2.dr | false | | high
https://www.privacyshield.gov/welcome | privacystatement[1].htm.2.dr | false | | high
https://login.microsoftonline.com | Me[1].htm.2.dr | false | | high
https://ondemand.webtrends.com/support/optout.asp | privacystatement[1].htm.2.dr | false | | high
https://www.skype.com/go/legal.broadcast | servicesagreement[1].htm.2.dr | false | | high
https://skype.com/go/myaccount | servicesagreement[1].htm.2.dr | false | | high
https://www.skype.com | servicesagreement[1].htm.2.dr | false | | high
https://www.appsflyer.com/optout | privacystatement[1].htm.2.dr | false | | high
https://privacy.micros | {2FC1DE9F-30DE-11EB-90E5-ECF4BB2D2496}.dat.1.dr | false | URL Reputation: safe | unknown
https://www.appnexus.com/ | privacystatement[1].htm.2.dr | false | | high
https://acctcdn.msauth.net/knockout_3.3.0_X1BYS2jZMbi7hfUj8VuqFA2.js?v=1 | signup[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/redeemrewards). | servicesagreement[1].htm.2.dr | false | | high
https://login.microsoftonline.com/jsdisabled | login[1].htm.2.dr | false | | high
www.mpegla.com | servicesagreement[1].htm.2.dr | false | | high
https://www.youradchoices.ca | privacystatement[1].htm.2.dr | false | URL Reputation: safe | unknown
https://aadcdn.msauth.net/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_kitf4x-q_4sb | login[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://priv-policy.imrworldwide.com/priv/browser/us/en/optout.html | privacystatement[1].htm.2.dr | false | | high
.com/requirejs/almond/LICENSE | 50-f1e180[1].js.2.dr | false | | high
https://www.youronlinechoices.com/ | privacystatement[1].htm.2.dr | false | | high
https://mixer.com/contact | servicesagreement[1].htm.2.dr | false | | high
https://www.here.com/) | privacystatement[1].htm.2.dr | false | | high
https://www.skype.com/go/store.reactivate.credit | servicesagreement[1].htm.2.dr | false | | high
https://www.aboutads.info/ | privacystatement[1].htm.2.dr | false | | high
https://www.adjust.com/opt-out/ | privacystatement[1].htm.2.dr | false | | high
https://www.xbox.com/managedatacollection | privacystatement[1].htm.2.dr | false | | high
https://signup.live.com/ | ~DF107FCF0CCD6288B3.TMP.1.dr | false | | high
https://www.xbox.com/xbox-game-studios) | servicesagreement[1].htm.2.dr | false | | high
https://acctcdn.msauth.net/images/microsoft_logo_7lyNn7YkjJOP0NwZNw6QvQ2.svg | signup[1].htm.2.dr | false | URL Reputation: safe | unknown
https://aadcdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_7FOrbkodEq5Y0IAj8ZfQtw2.js | login[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://acctcdn.msauth.net/images/favicon.ico?v=2~ | imagestore.dat.2.dr | false | URL Reputation: safe | unknown
https://developer.yahoo.com/flurry/end-user-opt-out/ | privacystatement[1].htm.2.dr | false | | high
fontello.com | icons[1].eot.2.dr | false | | high
www.mpegla.com). | servicesagreement[1].htm.2.dr | false | Avira URL Cloud: safe | low
https://signup.live.co | {2FC1DE9F-30DE-11EB-90E5-ECF4BB2D2496}.dat.1.dr | false | URL Reputation: safe | unknown
https://acctcdn.msauth.net/jquerypackage_1.10_5V7LAuc3bNAQx2QQfr1RPw2.js?v=1 | signup[1].htm.2.dr | false | URL Reputation: safe | unknown
https://www.skype.com). | servicesagreement[1].htm.2.dr | false | Avira URL Cloud: safe | low
https://www.xbox.com | privacystatement[1].htm.2.dr | false | | high
knockoutjs.com/ | knockout_3.3.0_X1BYS2jZMbi7hfUj8VuqFA2[1].js.2.dr, ConvergedLogin_PCore_7FOrbkodEq5Y0IAj8ZfQtw2[1].js.2.dr | false | | high
https://acctcdn.msauth.net/lightweightsignuppackage_oZIcfFtGMdm_yHyDEji_8w2.js?v=1 | signup[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protectio | privacystatement[1].htm.2.dr | false | | high
https://github.com/douglascrockford/JSON-js | ConvergedLogin_PCore_7FOrbkodEq5Y0IAj8ZfQtw2[1].js.2.dr, signup[1].htm.2.dr | false | | high
https://www.clicktale.net/disable.html | privacystatement[1].htm.2.dr | false | | high
https://acctcdn.msauth.net/images/favicon.ico?v=2~( | imagestore.dat.2.dr | false | URL Reputation: safe | unknown
https://www.skype.com/go/allrates | servicesagreement[1].htm.2.dr | false | | high
https://acctcdn.msauth.net/converged_ux_v2_RfnRCrmapm3W_OFn994CMA2.css?v=1 | signup[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
www.opensource.org/licenses/mit-license.php) | knockout_3.3.0_X1BYS2jZMbi7hfUj8VuqFA2[1].js.2.dr | false | | high
https://www.xbox.com/xbox-game-studios | servicesagreement[1].htm.2.dr | false | | high
fontello.comiconsRegulariconsiconsVersion | icons[1].eot.2.dr | false | URL Reputation: safe | unknown
https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico | imagestore.dat.2.dr | false | Avira URL Cloud: safe | unknown
https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico~( | imagestore.dat.2.dr | false | Avira URL Cloud: safe | unknown
https://acctcdn.msauth.net/images/2_vD0yppaJX3jBnfbHF1hqXQ2.svg) | signup[1].htm.2.dr | false | URL Reputation: safe | unknown
https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html | privacystatement[1].htm.2.dr | false | | high
https://www.skype.com/go/legal | servicesagreement[1].htm.2.dr | false | | high
https://mixer.com/about/tos | servicesagreement[1].htm.2.dr | false | | high
https://www.microsoft. | {2FC1DE9F-30DE-11EB-90E5-ECF4BB2D2496}.dat.1.dr | false | URL Reputation: safe | unknown
https://acctcdn.msauth.net/images/favicon.ico?v=2 | imagestore.dat.2.dr, signup[1].htm.2.dr | false | URL Reputation: safe | unknown
https://www.xbox.com/ | privacystatement[1].htm.2.dr | false | | high
https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css | app[1].css.2.dr | false | | high
https://www.linkedin.com/legal/privacy-policy | privacystatement[1].htm.2.dr | false | | high
https://aadcdn.msauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_59_uuouser7hrkmvbaz1jw2 | login[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://aadcdn.msauth.net | login[1].htm.2.dr | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/0tbauth://login.windows.net/?context=https%3A%2F%2Flogin.microsoft | TokenBrokerCookies.exe, 00000006.00000002.352036088.0000025FA1D78000.00000004.00000020.sdmp | false | | high
jquery.com/ | jquerypackage_1.10_5V7LAuc3bNAQx2QQfr1RPw2[1].js.2.dr | false | | high
https://signup.live.cotonline.com/login.srf?wa=wsignin1.0&rpsnv=4&ct=1606469244&rver=6.1.6206.0&wp=M | {2FC1DE9F-30DE-11EB-90E5-ECF4BB2D2496}.dat.1.dr | false | Avira URL Cloud: safe | unknown
https://support.xbox.com/help/friends-social-activity/community/use-safety-settings | privacystatement[1].htm.2.dr | false | | high
https://www.xbox.com/Legal/ThirdPartyDataSharing | privacystatement[1].htm.2.dr | false | | high

Most of these strings come from the cached Microsoft services-agreement and privacy-statement pages and from bundled JavaScript licence headers; the string carved from TokenBrokerCookies.exe memory is the process's own command line with the argument separators lost ("https://login.microsoftonline.com/" + "0" + "tbauth://..."), not a URL the process requested.
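To separate genuine contacts from carving artifacts in the two URL tables above (the Antivirus "URLs" table and this "URLs from Memory and Binaries" table), here is an added Python example, not Joe Sandbox code. ROWS is a constructed subset of those tables, CONTACTED is the Contacted Domains list, and the trailing-punctuation and DNS-label rules are heuristics I am assuming, not anything the report states.

```python
"""Triage carved URL strings against the report's network evidence. Added example,
not Joe Sandbox code. ROWS = (string, detection %, scanner, label) rows copied from
the report's URL tables, including the triplicated 'URL Reputation' rows; CONTACTED
is the Contacted Domains list. The cleanup rules below are assumptions about how
string carving produced the odd entries."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

CONTACTED = {
    "sni1gl.wpc.alphacdn.net", "aka.ms", "admin0a.online.lync.com", "mysettings.lync.com",
    "signup.live.com", "login.microsoftonline.com", "aadcdn.msauth.net", "assets.onestore.ms",
    "acctcdn.msauth.net", "ajax.aspnetcdn.com", "aadcdn.msftauthimages.net", "client.hip.live.com",
}

ROWS = [
    ("https://acctcdn.msauth.net", 0, "URL Reputation", "safe"),
    ("https://acctcdn.msauth.net", 0, "URL Reputation", "safe"),
    ("https://acctcdn.msauth.net", 0, "URL Reputation", "safe"),
    ("https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico~(",
     0, "Avira URL Cloud", "safe"),
    ("https://privacy.micros", 0, "URL Reputation", "safe"),
    ("www.mpegla.com).", 0, "Avira URL Cloud", "safe"),
    ("fontello.comiconsRegulariconsiconsVersion", 0, "URL Reputation", "safe"),
    ("https://signup.live.cotonline.com/login.srf?wa=wsignin1.0&rpsnv=4&ct=1606469244&rver=6.1.6206.0&wp=M",
     0, "Avira URL Cloud", "safe"),
    ("aadcdn.msauth.net", 2, "Virustotal", ""),
    ("https://login.microsoftonline.com/jsdisabled", 0, "", "high"),
]

_TRAILING_JUNK = re.compile(r"[)(~.,;]+$")       # punctuation carved along with the string
_LABEL = re.compile(r"^[a-z0-9-]{1,24}$")         # assumed sane ASCII DNS label


def dedupe(rows):
    """Drop the verbatim repeats the report prints (one row per scanner pass)."""
    seen, out = set(), []
    for row in rows:
        if row not in seen:
            seen.add(row)
            out.append(row)
    return out


def host_of(s):
    """Host part of a carved string after stripping trailing junk; bare hosts get a scheme."""
    s = _TRAILING_JUNK.sub("", s.strip())
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def classify(s):
    """'contacted': host appears in the DNS/contact tables; 'malformed': not a hostname;
    'unverified': looks like a host but the report recorded no traffic to it (covers
    both truncated strings like privacy.micros and fused ones like signup.live.cotonline.com)."""
    labels = host_of(s).split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return "malformed"
    return "contacted" if host_of(s) in CONTACTED else "unverified"


def summarize(rows):
    """Group the distinct strings by classification, preserving report order."""
    groups = {"contacted": [], "unverified": [], "malformed": []}
    for url, _pct, _scanner, _label in dedupe(rows):
        groups[classify(url)].append(url)
    return groups


def max_detection_by_host(rows):
    """Worst detection percentage seen for each host across every scanner row."""
    best = defaultdict(int)
    for url, pct, _scanner, _label in dedupe(rows):
        host = host_of(url)
        best[host] = max(best[host], pct)
    return dict(best)


if __name__ == "__main__":
    for group, urls in summarize(ROWS).items():
        print(group, urls)
    print(max_detection_by_host(ROWS))
```

Only strings whose host shows up in the Contacted Domains table are evidence of network activity; the "unverified" bucket is where fragments like privacy.micros and the fused signup.live.cotonline.com land, and a 0% lookup on them is meaningless either way.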

Contacted IPs

(IP distribution chart not reproduced; its legend buckets are: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs)

Public

IP             | Domain  | Country       | ASN   | ASN Name                      | Malicious
52.112.108.12  | unknown | United States | 8075  | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
23.211.149.25  | unknown | United States | 16625 | AKAMAI-ASUS                   | false
152.199.21.175 | unknown | United States | 15133 | EDGECASTUS                    | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323663
Start date: 27.11.2020
Start time: 10:26:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 36s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://aka.ms/vmsettings
Analysis system description: 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.win@5/61@11/3
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI
Browsing link: https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-085c-4d86-bf88-cf50c7252078&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2ffederation%2foauth2&state=rQIIAeNisFLNKCkpKLbS18-tLE4tKcnMSy_Wy6nMS9ZLzs_Vyy9Kz0wBsYqEuAQuXvu_mif7peMOxUkex7aE9c1i5IzPySxLBcmvYtTFY46-T7BzgH5OYl4KUFgvsbig4gIj4wtGxi4mFkMDY-NNTKy-zr5OnieYVi4SuMUk6F-U7pkSXuyWmpJalFiSmZ93gGVDyAUWgVcsPAbMVhwcXAIMEgwKDD9YGBexAt0lJb7I-ses1X7LJ7yf9bLKh_EUq36WhWuJQXaSs76xm1GBv2-ZsWeJU26VQWhRUqpZqWtQVliisbFTjn6uiXO6rYGV4QQ2oQlsTKfYGD6wMXawM-zi9CPJM_YliUXpqSW2qkZpOcXJBUCqtBhEluVnJqfmJmbm3OISMTIwMtA1NNQ1MlcwsLQyMrcyMok6wMsAAA2&estsfed=1&uaid=abffd6d16b0c41e9b8219248c6b4568e&signup=1&lw=1&fl=easi2&fci=https%3a%2f%2fmysettings.lync.com.orgid.com&lc=1033
Browsing link: https://www.microsoft.com/en-US/servicesagreement/
Browsing link: https://privacy.microsoft.com/en-US/privacystatement

Warnings:
  Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 184.24.15.126, 40.126.1.166, 40.126.1.130, 20.190.129.17, 40.126.1.142, 20.190.129.133, 20.190.129.2, 40.126.1.145, 20.190.129.19, 13.107.246.13, 40.88.32.150, 20.190.129.160, 20.190.129.24, 40.126.1.128, 13.107.42.22, 20.190.137.1, 20.190.137.78, 40.126.9.98, 20.190.137.64, 138.91.136.108, 51.104.139.180, 92.122.145.53, 92.122.213.200, 92.122.213.219, 152.199.19.160, 23.210.249.93, 92.122.213.194, 92.122.213.247, 152.199.19.161, 92.122.213.240, 104.83.98.153, 52.155.217.156
  Excluded domains from analysis (whitelisted): arc..com.nsatc.net, assets.onestore.ms.edgekey.net, www.tm.lg.prod.aadmsa.akadns.net, browser.events.data.trafficmanager.net, i.s-microsoft.com.edgekey.net, a1945.g2.akamai.net, e11290.dspg.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www.microsoft.com-c-3.edgekey.net, login.live.com, star-azurefd-prod.trafficmanager.net, statics-marketingsites-eus-ms-com.akamaized.net, watson.telemetry.microsoft.com, acctcdnvzeuno.azureedge.net, a1778.g2.akamai.net, acctcdnvzeuno.ec.azureedge.net, e10583.dspg.akamaiedge.net, aadcdnoriginwus2.azureedge.net, aadcdn-msft.azureedge.net, www.tm.f.prd.aadg.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, aadcdn-msft.afd.azureedge.net, www.tm.a.prd.aadg.akadns.net, statics-marketingsites-wcus-ms-com.akamaized.net, assets.onestore.ms.akadns.net, c-s.cms.ms.akadns.net, t-0003.t-msedge.net, blobcollector.events.data.trafficmanager.net, account.msa.akadns6.net, aadcdnoriginwus2.afd.azureedge.net, c.s-microsoft.com-c.edgekey.net, privacy.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net, i.s-microsoft.com, a1449.dscg2.akamai.net, acctcdn.trafficmanager.net, arc.msn.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, mscomajax.vo.msecnd.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, cs22.wpc.v0cdn.net, ie9comview.vo.msecnd.net, skypedataprdcolwus12.cloudapp.net, star-azureedge-prod.trafficmanager.net, login.msa.msidentity.com, browser.events.data.microsoft.com, c.s-microsoft.com, privacy.microsoft.com, go.microsoft.com.edgekey.net, l-0013.l-msedge.net, e13678.dscg.akamaiedge.net, www.microsoft.com, e13678.dspb.akamaiedge.net, wcpstatic.microsoft.com
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtDeviceIoControlFile calls found.

Two of these settings limit what the report can show: the analysis ended on timeout with "light" report type, and the EGA and HDC instrumentation both failed, so only HCA (API hooking) coverage is behind the behaviour sections. A large share of Microsoft sign-in and CDN traffic was also excluded as whitelisted, which is why the Contacted Domains table is short for a page that walks through an OAuth login.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2FC1DE9D-30DE-11EB-90E5-ECF4BB2D2496}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document (the type detector's label for the OLE2 compound-file container IE uses for recovery stores; the preview is the UTF-16LE "Root Entry" directory name, not Word content)
  Category: dropped
  Size (bytes): 30296
  Entropy (8bit): 1.8544140328565974
  Encrypted: false
  SSDEEP: 96:r9ZmZL2B9W3tKAfSBV1MoG9TL3Ra+fhBklX:r9ZmZL2B9W3t9fStM7N/fhcX
  MD5: AAB8DF9E0C4F7A2136469037968510AC
  SHA1: 5A97530BC8FBDFBDE6150883BF6C69D9F13001F2
  SHA-256: AFEE09B32FFF80B1A77BA9B0D1185AFF478F317A95C13A5C30F15FABA287F631
  SHA-512: F6DE2BC5BEBA3E540919DA4316C1BF7BD19EAB22D317C8A1125E34255FF81F2793FDFBF891ABFE87A8CF0FA4F3FF3A46D96987A06A085382B718A5F489C40D23
  Malicious: false
  Reputation: low
  Preview: "Root Entry" (UTF-16LE; NUL bytes rendered as dots)

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2FC1DE9F-30DE-11EB-90E5-ECF4BB2D2496}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document (same OLE2 container as above)
  Category: dropped
  Size (bytes): 102984
  Entropy (8bit): 3.1785830430756232
  Encrypted: false
  SSDEEP: 3072:scfqJjPzqfNqpqJSqJrqJ9qJeNqnNqFqJJqJlNqo:MjstheEeC9olR
  MD5: 335274826E653EE9A275D7AC107AC24D
  SHA1: F157ED429EF4E61C115685EB11E84686F690A50D
  SHA-256: B3509823BDEEF3D8739637E36717445F2BCF153CC6ACB0890E958B1EF30720BE
  SHA-512: 0913813CB93663B2CFC7829B11804177EE0EDF6BDB2D8ACE24D8323CB026EC193AAA021613C38F254DE13299ED39120459ACBD7DFBEF2688C0626E05FB146155
  Malicious: false
  Reputation: low
  Preview: "Root Entry" (UTF-16LE; NUL bytes rendered as dots)

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{365449F4-30DE-11EB-90E5-ECF4BB2D2496}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document (same OLE2 container as above)
  Category: dropped
  Size (bytes): 16984
  Entropy (8bit): 1.566711479236389
  Encrypted: false
  SSDEEP: 48:Iw80GcprSfGwpak0G4pQOGrapbSSrGQpKxG7HpRKsTGIpG:rDZ8Qn6ABSSFAgTK4A
  MD5: 069EF0339FCE7B7BF7D088D894A2A41C
  SHA1: 71806105EBDC5CD4BF7A933B9C0D764331049CFB
  SHA-256: D517AA3EE5FA96FEB28DC523CF2807D94033481ED3A04A0CE6EB2789C25FD4E3
  SHA-512: FAAF0605D903288878A563F971A2FE7ACF01105C37ABEA56B517539BC07BBE6EDC39AEB740D8F147E2B3B3AECB6E2267A661047ADBA4FEA0FEFC73D4456D0A7C
  Malicious: false
  Reputation: low
  Preview: "Root Entry" (UTF-16LE; NUL bytes rendered as dots)

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\wlm7n14\imagestore.dat
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: data
  Category: dropped
  Size (bytes): 72308
  Entropy (8bit): 3.0779080818385123
  Encrypted: false
  SSDEEP: 96:dMzMaMaMLMSM9QQQQQEQQQQQ8QQQQQAQQQQQp:dO3XSPx
  MD5: 26619C719EADF43BB5F8DA79E9CA34E9
  SHA1: 82E8C08D29F11A597530575D6F173BC3EAA79E81
  SHA-256: 4620828A682C4C5E271A6BD5A704C80B2312E296BBD625DF369954EFB248DF7B
  SHA-512: 70FDE7922EDBBA89745C02A495DC226C8F66CB7C2B1A66B6744468A722CED21C4C5BBF052830FB4479A24826201CC06C19C09EDBA7658B4A0721A18E8C453FD0
  Malicious: false
  Reputation: low
  Preview: the UTF-16LE string https://aadcdn.msauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico immediately followed by the bytes "~(" and then the cached icon's bitmap data (long runs of 0x22 and 0x33 bytes); this is where the "...ico~" and "...ico~(" entries in the URL tables come from
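To reproduce the fields each dropped-file entry carries (the four digests, the 8-bit entropy and the Encrypted verdict) and to check the container behind the "Root Entry" previews, here is an added Python example, not Joe Sandbox code. SAMPLE is a constructed stand-in for an IE RecoveryStore .dat, not one of the report's files, so its hashes will not match the ones above; the 7.5 bits/byte cutoff for "encrypted" is my assumption, since the report prints no threshold.

```python
"""Recompute the per-file fields printed under 'Created / dropped Files' and test
for the OLE2 compound-file signature behind the 'Root Entry' previews. Added example,
not Joe Sandbox code. SAMPLE is constructed (not one of the report's files) and
ENCRYPTED_THRESHOLD is an assumed cutoff."""
import hashlib
import math
from collections import Counter

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # first 8 bytes of every OLE2/CFB file
ENCRYPTED_THRESHOLD = 7.5                              # assumed: near-uniform bytes => packed/encrypted
ROOT_ENTRY_UTF16 = "Root Entry".encode("utf-16-le")   # the 'R.o.o.t. .E.n.t.r.y' preview


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data):
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def is_ole2(data):
    """True when the file starts with the CFB/OLE2 header signature."""
    return data[:8] == OLE2_MAGIC


def describe(data):
    """Field set comparable to one report entry. An OLE2 container is labelled the way
    the report labels the recovery stores, so the two can be read side by side."""
    entropy = shannon_entropy(data)
    ole = is_ole2(data)
    return {
        "size": len(data),
        "entropy": round(entropy, 4),
        "encrypted": entropy >= ENCRYPTED_THRESHOLD,
        "file_type": "OLE2 compound file (reported as Microsoft Word Document)" if ole else "data",
        "root_entry_seen": ROOT_ENTRY_UTF16 in data,
        **digests(data),
    }


# Constructed stand-in for an IE RecoveryStore .dat: CFB header, one 512-byte directory
# sector whose first entry is named 'Root Entry' (UTF-16LE in a 64-byte name field), and a
# zero-filled body. The zero padding is why the real files score only ~1.5-3.2 bits/byte.
SAMPLE = (OLE2_MAGIC + bytes(512 - 8)
          + ROOT_ENTRY_UTF16.ljust(64, b"\x00") + bytes(512 - 64)
          + bytes(2048))

if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key}: {value}")
```

Low entropy with "Encrypted: false" is exactly what a mostly-empty OLE2 container produces; the same function returning close to 8.0 on a dropped file is the signal worth chasing, since packed, compressed and encrypted payloads all look like uniform bytes.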

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\Me[1].htm
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
  Category: downloaded
  Size (bytes): 2347
  Entropy (8bit): 5.290031538794594
  Encrypted: false
  SSDEEP: 48:gCgF0+kNL5iQ6+GhB+SYWzGuesAFcsGJOzgO6FIEv+sj+M++sx+suse+swsosmC0:gC3Na5+GX+Ti2XsYE2sqAsosushswsoB
  MD5: E86EF8B6111E5FB1D1665BCDC90888C9
  SHA1: 994BF7651CB967CD9053056AF2D69ACB74DB7F29
  SHA-256: 3410242720DE50B090D07A23AEE2DAD879B31D36F2615732962EC4CFA8A9D458
  SHA-512: 2486B491681EE91A9CD1ECC9AA011A3FB34B48358C5D7A4D503A5357BC5CE4CA22999F918D40AC60A3063940D5F326FC7E4E5713D89D5C102DE68824E371B3AB
  Malicious: false
  Reputation: low
  IE Cache URL: https://login.live.com/Me.htm?v=3
  Preview: Web Analytics