5916e82e6c2481afbe68eaca27cddae6f8300129ac852ccd11934c48f7544973

General

Target

MantiWPF/MantiWPF.exe
Size

8.2MB
MD5

b95d746231fcec5e02fbbc91df346fb6
SHA1

be142be50f93919b3e1ad0a0019df24514692b84
SHA256

4f01f1b0d5f22d1b555a2890f176b9ff9269481ff8d99610968843e393430337
SHA512

21146da77836345c79269fd56d0eb0ddc97c2bdcf0de5b85c43e63b3cee8de1aa60be6c3a75e8a4c228681e4bcb986fe2d4236d0280ab564958e1458944517fa
SSDEEP

196608:7UwGkc6K6n6EkD+AXRs5oF3qheHA6Ra4yUg:IwGkc3ikDFs5Y3qsJa4yJ

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1644	1824	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MantiWPF.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4856	WINWORD.EXE
4856	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4856	WINWORD.EXE
4856	WINWORD.EXE
4856	WINWORD.EXE
4856	WINWORD.EXE
4856	WINWORD.EXE
4856	WINWORD.EXE
4856	WINWORD.EXE
4856	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\MantiWPF\MantiWPF.exe
"C:\Users\Admin\AppData\Local\Temp\MantiWPF\MantiWPF.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1652
  2⤵
  - Program crash
  PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1824 -ip 1824
1⤵
PID:1988

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RestartClear.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
397B

MD5
4cb56762aa2a9df72a8ef5b2e0fa2dfb

SHA1
cacdb6b1cfb49247f59d5a7ef84399284fe809f5

SHA256
4b2ae46e64e86564ba36114a58157dcade463b71ee9726b4d4eea5828e71980f

SHA512
52233858aae11d72b5a8b1a26fc82b1fe994ebc69f4ade62cc005149498dbc28aa82f74178920231d4515ae796fed132f4e8e19b441e0dedbaa54ab212da38d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1824-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/1824-1-0x0000000000DA0000-0x00000000015D4000-memory.dmp

Filesize
8.2MB

Download
memory/1824-2-0x000000000A460000-0x000000000AE68000-memory.dmp

Filesize
10.0MB

Download
memory/1824-3-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1824-5-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1824-4-0x00000000071D0000-0x00000000071DE000-memory.dmp

Filesize
56KB

Download
memory/1824-6-0x00000000060C0000-0x00000000060D0000-memory.dmp

Filesize
64KB

Download
memory/1824-7-0x00000000082B0000-0x0000000008342000-memory.dmp

Filesize
584KB

Download
memory/1824-8-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4856-15-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-30-0x00007FF8BBA10000-0x00007FF8BBA20000-memory.dmp

Filesize
64KB

Download
memory/4856-12-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-17-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-19-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-20-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-18-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-16-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-14-0x00007FF8FE08D000-0x00007FF8FE08E000-memory.dmp

Filesize
4KB

Download
memory/4856-21-0x00007FF8BBA10000-0x00007FF8BBA20000-memory.dmp

Filesize
64KB

Download
memory/4856-25-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-28-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-29-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-11-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-31-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-27-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-26-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-24-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-23-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-22-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4856-13-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-10-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-9-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-82-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-81-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-84-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-83-0x00007FF8BE070000-0x00007FF8BE080000-memory.dmp

Filesize
64KB

Download
memory/4856-85-0x00007FF8FDFF0000-0x00007FF8FE1E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads