Analysis Report https://account.microsoft.com/activity

Overview

General Information

Sample URL: https://account.microsoft.com/activity
Analysis ID: 334474

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

HTML title does not match URL

Classification

Phishing:

HTML title does not match URL
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1609174195&rver=7.3.6960.0&wp=SA_20MIN&wreply=https%3A%2F%2Faccount.live.com%2Factivity%3Fmkt%3Den-US%26refd%3Daccount.microsoft.com%26refp%3Dprivacy%26uaid%3De69db722240f43dcbdaeb682e55c4974&lc=1033&id=38936&mkt=en-US&uaid=e69db722240f43dcbdaeb682e55c4974 HTTP Parser: Title: Sign in to your Microsoft account does not match URL
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1609174195&rver=7.3.6960.0&wp=SA_20MIN&wreply=https%3A%2F%2Faccount.live.com%2Factivity%3Fmkt%3Den-US%26refd%3Daccount.microsoft.com%26refp%3Dprivacy%26uaid%3De69db722240f43dcbdaeb682e55c4974&lc=1033&id=38936&mkt=en-US&uaid=e69db722240f43dcbdaeb682e55c4974 HTTP Parser: No <meta name="author".. found
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1609174195&rver=7.3.6960.0&wp=SA_20MIN&wreply=https%3A%2F%2Faccount.live.com%2Factivity%3Fmkt%3Den-US%26refd%3Daccount.microsoft.com%26refp%3Dprivacy%26uaid%3De69db722240f43dcbdaeb682e55c4974&lc=1033&id=38936&mkt=en-US&uaid=e69db722240f43dcbdaeb682e55c4974 HTTP Parser: No <meta name="copyright".. found
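The "HTML title does not match URL" signature is a brand-consistency heuristic: the page title names Microsoft, but the brand string does not appear in the hostname login.live.com. That host is the legitimate federated sign-in endpoint that account.microsoft.com redirects to (note the wreply return URL pointing back to account.live.com), which is why the finding does not raise the score above 0. The example below is added here and is not Joe Sandbox code; it re-implements the naive check, a refinement that resolves the false positive with an allowlist of domains known to serve the brand's sign-in page, and a check that the wreply return URL stays on-brand. BRAND_DOMAINS, SAMPLE_HTML and the off-brand URLs in the usage are constructed assumptions; REPORT_URL is the login.srf URL quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption for illustration: brand keyword -> registrable domains known to serve that
# brand's sign-in pages. Not from the report; a real deployment would maintain this list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "microsoftonline.com"},
}

# Constructed sample carrying the title the report's HTTP parser saw on login.srf.
SAMPLE_HTML = "<html><head><title>Sign in to your Microsoft account</title></head><body></body></html>"

# The login.srf URL quoted in the report, verbatim.
REPORT_URL = ("https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1609174195&rver=7.3.6960.0"
              "&wp=SA_20MIN&wreply=https%3A%2F%2Faccount.live.com%2Factivity%3Fmkt%3Den-US"
              "%26refd%3Daccount.microsoft.com%26refp%3Dprivacy%26uaid%3De69db722240f43dcbdaeb682e55c4974"
              "&lc=1033&id=38936&mkt=en-US&uaid=e69db722240f43dcbdaeb682e55c4974")


class _TitleParser(HTMLParser):
    """Collect the text inside the first <title> element."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.title:
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_title(html):
    p = _TitleParser()
    p.feed(html)
    return " ".join(p.title.split())


def registrable_domain(host):
    """Last two labels of the host. Adequate for the .com/.net hosts in this report,
    wrong for multi-label public suffixes (co.uk); use a PSL library in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def naive_title_check(title, url):
    """Sandbox-style heuristic: a brand named in the title must appear in the hostname."""
    host = (urlparse(url).hostname or "").lower()
    brands = [b for b in BRAND_DOMAINS if b in title.lower()]
    if not brands:
        return "no-brand-in-title"
    return "match" if any(b in host for b in brands) else "mismatch"


def allowlist_title_check(title, url):
    """Same heuristic, but a brand matches when the registrable domain is one the brand
    is known to sign users in on. This turns the login.live.com hit into a non-finding."""
    rd = registrable_domain(urlparse(url).hostname or "")
    brands = [b for b in BRAND_DOMAINS if b in title.lower()]
    if not brands:
        return "no-brand-in-title"
    return "match" if any(rd in BRAND_DOMAINS[b] for b in brands) else "mismatch"


def return_url_host(url):
    """login.srf carries the post-auth return URL in wreply; a phishing kit or open
    redirect would point this off-brand. Returns (host, host_is_allowlisted)."""
    wreply = parse_qs(urlparse(url).query).get("wreply", [""])[0]
    host = (urlparse(wreply).hostname or "").lower()
    ok = bool(host) and any(registrable_domain(host) in doms for doms in BRAND_DOMAINS.values())
    return host, ok


if __name__ == "__main__":
    title = extract_title(SAMPLE_HTML)
    print("naive:    ", naive_title_check(title, REPORT_URL))
    print("allowlist:", allowlist_title_check(title, REPORT_URL))
    print("wreply:   ", return_url_host(REPORT_URL))
    # Constructed off-brand lookalike for comparison.
    print("lookalike:", allowlist_title_check(title, "https://secure-login.example.net/account"))
```

The naive check reports "mismatch" for exactly the URL in this report, reproducing the signature; the allowlist variant reports "match" because live.com is a known Microsoft sign-in domain, while the constructed example.net lookalike with the same title still fails. Checking wreply separately matters because a title/host match says nothing about where the credentials flow after sign-in.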
Source: unknown DNS traffic detected: queries for: account.live.com
Source: ConvergedLogin_PCore_4TwqOlsXiTRUUeP2AxGlRA2[1].js.2.dr String found in binary or memory: http://knockoutjs.com/
Source: ConvergedLogin_PCore_4TwqOlsXiTRUUeP2AxGlRA2[1].js.2.dr String found in binary or memory: http://www.opensource.org/licenses/mit-license.php)
Source: ConvergedLogin_PCore_4TwqOlsXiTRUUeP2AxGlRA2[1].js.2.dr String found in binary or memory: https://github.com/douglascrockford/JSON-js
Source: login[1].htm.2.dr String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
Source: login[1].htm.2.dr String found in binary or memory: https://lgincdnvzeuno.azureedge.net/
Source: ~DFC41CD3FAE74D49E8.TMP.1.dr, {24CC4809-4978-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1609174195&rver=7.3.6960.0&wp=SA_20MIN&wr
Source: login[1].htm.2.dr String found in binary or memory: https://logincdn.msauth.net/
Source: imagestore.dat.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28852.5/images/favicon.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28852.5/images/favicon.ico~
Source: imagestore.dat.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28852.5/images/favicon.ico~(
Source: login[1].htm.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_Yb0RVZXWiy3WHonBnOF8
Source: login[1].htm.2.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_4TwqOlsXiTRUUeP2AxGlRA2.js
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: classification engine Classification label: clean0.win@3/14@3/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF92D1ED4286FA3D03.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1708 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1708 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Behavior Graph

Legend (graph symbols): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language (Visual Basic / Delphi / Java / .Net C# or VB.NET / C, C++ or other), Is malicious, Internet. Node shading by share of contacted IPs: < 25%, 25-50%, 50-75%, > 75%.

Behavior Graph ID: 334474
URL: https://account.microsoft.c...
Startdate: 28/12/2020
Architecture: WINDOWS
Score: 0
Processes: iexplore.exe [2, 61] started iexplore.exe [2, 42]
DNS/IP: logincdn.msauth.net; cs1227.wpc.alphacdn.net (192.229.221.185, port 443, local ports 49732 and 49733, EDGECASTUS, United States); prda.aadg.msidentity.com; 3 other IPs or domains

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name    Malicious
192.229.221.185  unknown  United States  15133  EDGECASTUS  false

Contacted Domains

Name IP Active
cs1227.wpc.alphacdn.net 192.229.221.185 true
logincdn.msauth.net unknown unknown
account.live.com unknown unknown