6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed

General

Target

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
Size

188KB
MD5

3ea764ccae3a0b08e82c869b50750c70
SHA1

93a7b22b5940da24cce1e65b91f9028e92c4887d
SHA256

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed
SHA512

af05c71cd046a5eae91285c178fa6ea4450358fcb35e9baf43a1634354e333b110e1c59642891091a5adaf4e65fda9bc612a14e0a10cdad0a3606cf59762e5f9
SSDEEP

3072:zjzhZWxivgmhbI/pqqsFUCN3R9MI+I+6LVQukjV+X8YFwF5nGxEbU5v70tOI1Ojf:zXC4vgmhbIxs3NBBZnlMYA5nGxEQB0e

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

description	ioc	process
File opened (read-only)	\??\X:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\Y:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\B:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\I:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\K:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\M:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\Q:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\S:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\Z:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\T:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\V:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\A:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\E:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\F:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\G:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\H:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\O:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\L:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\P:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\U:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\J:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\N:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\R:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File opened (read-only)	\??\W:	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

Drops file in System32 directory 12 IoCs

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\beastiality [milf] glans (Jade,Gina).avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\IME\SHARED\british fucking girls feet (Liz).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\danish fetish voyeur (Liz,Christine).mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake catfight bondage .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american horse handjob catfight .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american sperm full movie sweet .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\russian cumshot porn lesbian .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\FxsTmp\xxx [milf] .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\cumshot fucking several models balls (Kathrin,Sarah).rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse licking feet .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\System32\DriverStore\Temp\asian trambling several models .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish beastiality blowjob sleeping sm .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

Drops file in Program Files directory 17 IoCs

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\hardcore lesbian uncut boots (Sonja,Curtney).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\african bukkake full movie (Sandy,Samantha).mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\swedish trambling handjob several models wifey .zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Microsoft\Temp\animal xxx masturbation high heels .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\Common Files\microsoft shared\black horse trambling full movie (Kathrin,Ashley).mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\Microsoft Office\root\Templates\gay gang bang several models shower .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fetish several models mistress (Sandy,Karin).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american lingerie hidden penetration .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish trambling big .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\indian fetish [bangbus] (Sonja,Sonja).mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Google\Temp\xxx gay masturbation swallow (Melissa,Kathrin).avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese trambling beastiality [milf] YEâPSè& (Kathrin,Janette).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\cum lesbian girls granny .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\spanish sperm [milf] .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\horse kicking masturbation legs .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\trambling catfight (Sandy).avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\malaysia sperm lesbian .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

Drops file in Windows directory 38 IoCs

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\french animal big hole hotel .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\american bukkake voyeur feet .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\malaysia beastiality hidden .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\Downloaded Program Files\gang bang voyeur leather (Liz,Tatjana).avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\handjob [bangbus] .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\cumshot hidden boobs (Melissa,Sonja).rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\russian cum beast uncut castration .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\french horse animal hot (!) .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\chinese lesbian fucking full movie nipples hairy .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\american handjob [milf] cock stockings (Jade,Curtney).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\assembly\tmp\cum beast masturbation femdom (Sarah,Jade).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\chinese lesbian porn [milf] .zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\black lingerie [free] .zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian horse public wifey (Sarah,Karin).mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\InputMethod\SHARED\african lingerie fetish [bangbus] feet blondie .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\beast fetish girls 40+ .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\italian sperm horse several models (Janette).rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\blowjob catfight shower .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\norwegian fetish sleeping legs stockings .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish sperm voyeur nipples sm .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\blowjob [milf] .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\swedish lingerie cum [bangbus] .zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\gay kicking hidden swallow .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\french handjob action several models pregnant (Christine,Sylvia).rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\kicking licking vagina .rar.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\blowjob [free] hairy .zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SoftwareDistribution\Download\brasilian cumshot [milf] granny .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\cum licking upskirt .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\CbsTemp\french handjob beastiality public circumcision (Ashley,Britney).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\cumshot girls beautyfull (Sonja,Anniston).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\blowjob animal several models nipples balls (Anniston).avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\mssrv.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\assembly\temp\japanese animal [free] .avi.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish beast lesbian sleeping .mpg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\asian porn kicking uncut .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\african gang bang fucking voyeur wifey (Sonja,Jenna).zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\PLA\Templates\japanese fetish full movie beautyfull .mpeg.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
File created	C:\Windows\security\templates\danish handjob sperm girls legs femdom .zip.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

pid	process
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
1656	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
3372	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

description	pid	process	target process
PID 800 wrote to memory of 2892	800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 800 wrote to memory of 2892	800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 800 wrote to memory of 2892	800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 800 wrote to memory of 3372	800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 800 wrote to memory of 3372	800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 800 wrote to memory of 3372	800	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 2892 wrote to memory of 1656	2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 2892 wrote to memory of 1656	2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
PID 2892 wrote to memory of 1656	2892	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe	6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe

C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
"C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
"C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
"C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe
"C:\Users\Admin\AppData\Local\Temp\6d685fb04f14b43e7c02bd8822bfe563570beb66aaa252c98408dc43d357e6ed.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3372