01c34927c6fcb08d32e5a1213855eb5c5be9c9af5bfecc829a10bee6d55f4965

Resubmissions

30-09-2024 00:50

240930-a61r4stamh 6

30-09-2024 00:45

240930-a37fgsyejn 3

Analysis

max time kernel
102s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json
Size

1KB
MD5

7f0a9d228c79f0ee4b89fc6117f1c687
SHA1

3c10082c1464a6f589aa10cda88285e780ebf857
SHA256

5a3659bcc2e47b25ebf9f23f38eb9452a58920bfe4b59410bfa6fe84639a3b99
SHA512

7bdd7259bcb8d79aa41777f03d3a3f8a29b60c2d25104072edba9febeb813e12ef78d31573637702decddbaa97d8fec263bc413bd27dd660ded17d644458cbc2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2860 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2860 AcroRd32.exe
2860 AcroRd32.exe

pid	process
2860	AcroRd32.exe

pid	process
2860	AcroRd32.exe
2860	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 640 wrote to memory of 2960	640	cmd.exe	rundll32.exe
PID 640 wrote to memory of 2960	640	cmd.exe	rundll32.exe
PID 640 wrote to memory of 2960	640	cmd.exe	rundll32.exe
PID 2960 wrote to memory of 2860	2960	rundll32.exe	AcroRd32.exe
PID 2960 wrote to memory of 2860	2960	rundll32.exe	AcroRd32.exe
PID 2960 wrote to memory of 2860	2960	rundll32.exe	AcroRd32.exe
PID 2960 wrote to memory of 2860	2960	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\depd\package.json
1⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\depd\package.json
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\depd\package.json"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2860

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
8d0a26574f7c9383fe5f0e7894c6005d

SHA1
64ebb92dcf36802ced29042f53790e69dc5f8107

SHA256
71a602238d1e3095dd7d808b85052f3520ab2be9522833961adc358850228c79

SHA512
33bcbc0266b5715be92c907a468b420e473c43e16cf34320ed0ad696658e26703c55bc548445dea2b334ed2b7071282bf901f90add520e541bfe1ceadc7a2525

Download Submit