ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd

Resubmissions

29/10/2021, 07:54

211029-jrj1gschc3 4

29/10/2021, 07:48

211029-jnellahfbl 4

Analysis

max time kernel
121s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
29/10/2021, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
Size

297KB
MD5

ebc2661a409a3a743bba237ba1bfc4e8
SHA1

1d9052ce97f4f127f2626b2ff2ee106b4f8b9a70
SHA256

ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd
SHA512

c7999fa0449fd98bd4869327189688942d3812d2d127d4e34173194af11dc2436dcd8a3fef025f5c6075372e0bccf45b859a5d2559d71c100f3281046d0ab1a6

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\AppxMetadata\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Badges\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\[email protected]	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover.png.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\ui-strings.js.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.fmiint-sqnsxris	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\message_to fmiint.log	ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2936	OpenWith.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
2936	OpenWith.exe
4036	WORDPAD.EXE
4036	WORDPAD.EXE
4036	WORDPAD.EXE
4036	WORDPAD.EXE
4036	WORDPAD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 4036	2936	OpenWith.exe	77
PID 2936 wrote to memory of 4036	2936	OpenWith.exe	77

C:\Users\Admin\AppData\Local\Temp\ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe
"C:\Users\Admin\AppData\Local\Temp\ed1468708546ef5f94f9af204ebd2e0093deb9839704fa17dbf1328f037f86bd.exe"
1⤵
- Drops file in Program Files directory
PID:2704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Documents\HideDeny.rtf.fmiint-sqnsxris"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4036

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads