Overview
overview
3Static
static
3MantiWPF.zip
windows7-x64
3MantiWPF.zip
windows10-2004-x64
1MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3MantiWPF/b...e.json
windows7-x64
3MantiWPF/b...e.json
windows10-2004-x64
3Analysis
-
max time kernel
102s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
30-09-2024 00:45
Static task
static1
Behavioral task
behavioral1
Sample
MantiWPF.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
MantiWPF.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/body-parser/package.json
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/body-parser/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/bytes/package.json
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/bytes/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/call-bind/package.json
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/call-bind/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/content-disposition/package.json
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/content-disposition/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/content-type/package.json
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/content-type/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/cookie-signature/package.json
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/cookie-signature/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/cookie/package.json
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/cookie/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/debug/package.json
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/debug/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/define-data-property/package.json
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/define-data-property/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/destroy/package.json
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/destroy/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/ee-first/package.json
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/ee-first/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/encodeurl/package.json
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/encodeurl/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/es-define-property/package.json
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/es-define-property/package.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/es-errors/package.json
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
MantiWPF/bin/Editor/fileaccess/node_modules/es-errors/package.json
Resource
win10v2004-20240802-en
General
-
Target
MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json
-
Size
1KB
-
MD5
7f0a9d228c79f0ee4b89fc6117f1c687
-
SHA1
3c10082c1464a6f589aa10cda88285e780ebf857
-
SHA256
5a3659bcc2e47b25ebf9f23f38eb9452a58920bfe4b59410bfa6fe84639a3b99
-
SHA512
7bdd7259bcb8d79aa41777f03d3a3f8a29b60c2d25104072edba9febeb813e12ef78d31573637702decddbaa97d8fec263bc413bd27dd660ded17d644458cbc2
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2860 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2860 AcroRd32.exe 2860 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 640 wrote to memory of 2960 640 cmd.exe rundll32.exe PID 640 wrote to memory of 2960 640 cmd.exe rundll32.exe PID 640 wrote to memory of 2960 640 cmd.exe rundll32.exe PID 2960 wrote to memory of 2860 2960 rundll32.exe AcroRd32.exe PID 2960 wrote to memory of 2860 2960 rundll32.exe AcroRd32.exe PID 2960 wrote to memory of 2860 2960 rundll32.exe AcroRd32.exe PID 2960 wrote to memory of 2860 2960 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\depd\package.json1⤵
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\depd\package.json2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\depd\package.json"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2860
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD58d0a26574f7c9383fe5f0e7894c6005d
SHA164ebb92dcf36802ced29042f53790e69dc5f8107
SHA25671a602238d1e3095dd7d808b85052f3520ab2be9522833961adc358850228c79
SHA51233bcbc0266b5715be92c907a468b420e473c43e16cf34320ed0ad696658e26703c55bc548445dea2b334ed2b7071282bf901f90add520e541bfe1ceadc7a2525