hxxps://z6a[.]info/milf_popup-spam~ssn[.]mpg+gaysex+cheap-guns-ammo~AICa793N[.]msi

Analysis

max time kernel
52s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://z6a.info/milf_popup-spam~ssn.mpg+gaysex+cheap-guns-ammo~AICa793N.msi

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
3964	msedge.exe
3964	msedge.exe
4528	identity_helper.exe
4528	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe
3964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2416	3964	msedge.exe	84
PID 3964 wrote to memory of 2416	3964	msedge.exe	84
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 4436	3964	msedge.exe	86
PID 3964 wrote to memory of 2012	3964	msedge.exe	87
PID 3964 wrote to memory of 2012	3964	msedge.exe	87
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88
PID 3964 wrote to memory of 3676	3964	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://z6a.info/milf_popup-spam~ssn.mpg+gaysex+cheap-guns-ammo~AICa793N.msi
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9303046f8,0x7ff930304708,0x7ff930304718
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,6536605539467942420,15358319793973017308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
f702415b630122c1f157e77c468548ee

SHA1
12241d3a7d88aecb6be7acce5b354cdeea19bf76

SHA256
861c3418b679c9dd4e6f15f5ed1f540d45a7b4e3db5dd936b9d48e56489df38a

SHA512
020704f82b8a937b38c61c443eb1086515e9562845ca278e83dd8f017dac32767b242faff13b387a1f51d1bf70b9045c67ed9ed71d598e4d2e7018fe1fe8712d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
05af1095b998e9d3d5614b1725ab1c8c

SHA1
ff2750d5a375ffcabce0e00d53dc99acf6df618b

SHA256
977a3a10d05f6e8f1c65216e1e2d34d1c96abd86d83dcfefe989299345e8fe43

SHA512
74e341e829ef8de2a47de1d07010d0f1144cbb1eb024fe73a23d4a8c3de1510f98670056da632204f33f2afd7bc7ac5691f6bcf445598787e5d4090b17c02705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e356383ca249b818d46282a170ab2f1

SHA1
10b0d1f3b30012c54c9e6391d38c5364af4af623

SHA256
9fe214e02a32688b5d6054dce1524b1e434c7c62239693eed6565ed418a3b6da

SHA512
1b388d272c0b9a60cada6547288831fd0dc45b4b8d2d3ef7e6c5acd94c3beaadfc9ff7e98896cbc6d905c20d3ac1294e7784b37d105be7a6db2acfd6b5914716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
560088203aff97583fca925049ed5996

SHA1
359c8685d5ecdbe5e7b36dedb6850f0b595591de

SHA256
4c594eabb3631a49b6ea6895d0c87e4e99c573e7cfd62f04b066e96328d5ec83

SHA512
b16a9e63f84eb9b04c1096c9ecd71a5f40e0fd1348eafe43cbb3fe82320c5d419c68eaccd55d400a7cdaca2ed05cc5d6b4640c632acfcbe514c16637c970692c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c1d4a8d5074c094b6e3fac30221b8c1

SHA1
6d769403667b05ea691315fe32eace4310f0e11a

SHA256
4ccc1f054ee3bbfe7e5511e0f985bee8d998883af0b3dc75b0e858063d35e352

SHA512
58b573fee8749f9bdb27b65c2de3424f0c545148ec9c5191f7b3a0cf84a93405f65d8aa9f87583138403f41334ff69e3516ad66bb82628ea6e3d5e2ecc10775c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
e0292562ad0f6ea6ed87afaf3f03d307

SHA1
207957a4fdff57c1ea6ac4b8fbcb78698544163e

SHA256
f23a42c1fa02003741734fabafb377c7ca096a385e201ee1626e7acd52d12a4e

SHA512
373c81c4eced95ae70c9be0d6ce2ca1c41c63da571c4d082ca48ec03bd87fd44c8581b27fbf99253ef1c8a7563005bd793c984be30f533ddb0bee60349f4ae7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58120c.TMP

Filesize
871B

MD5
27c6a83a78e3e0b321ad17e55a57a7a5

SHA1
83152707754eaacd83a06fdf42a0c383d09f183f

SHA256
52375fd2306319d4f39fedd1eb23797b62ab919450f13579aab456cc9cc7e743

SHA512
a6b500fe15d3a1b79e159ca697bfaa3a7e7c4aaa588f4b07a16e91fbcaa7a43b4ba93da88b91249ac4fd4c555df3c35ff91bf0bc6c40fbf76967e51f6ad3ea9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f5bef10996a38cd8c8f925249b4730de

SHA1
73c129cbc78b0481c5f352825748de480f0baa63

SHA256
427f6f039b84e7138404504e1b53302ca38f4b6515afa18ce9be7b364413c1f1

SHA512
a81ee3313b08182f18717343376c2e598f02808145c72bdbecd8dc93828f4d7faae7a938a32987958f196046073bdc2cc2f7f07413edf53f9d6dd6cc0dd32c37

Download Submit