Overview
Analysis
- max time kernel: 122s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30-09-2024 00:45
Static task: static1

Behavioral tasks (task: sample, resource):
- behavioral1: MantiWPF.zip, win7-20240903-en
- behavioral2: MantiWPF.zip, win10v2004-20240802-en
- behavioral3: MantiWPF/bin/Editor/fileaccess/node_modules/body-parser/package.json, win7-20240903-en
- behavioral4: MantiWPF/bin/Editor/fileaccess/node_modules/body-parser/package.json, win10v2004-20240802-en
- behavioral5: MantiWPF/bin/Editor/fileaccess/node_modules/bytes/package.json, win7-20240708-en
- behavioral6: MantiWPF/bin/Editor/fileaccess/node_modules/bytes/package.json, win10v2004-20240802-en
- behavioral7: MantiWPF/bin/Editor/fileaccess/node_modules/call-bind/package.json, win7-20240708-en
- behavioral8: MantiWPF/bin/Editor/fileaccess/node_modules/call-bind/package.json, win10v2004-20240802-en
- behavioral9: MantiWPF/bin/Editor/fileaccess/node_modules/content-disposition/package.json, win7-20240903-en
- behavioral10: MantiWPF/bin/Editor/fileaccess/node_modules/content-disposition/package.json, win10v2004-20240802-en
- behavioral11: MantiWPF/bin/Editor/fileaccess/node_modules/content-type/package.json, win7-20240903-en
- behavioral12: MantiWPF/bin/Editor/fileaccess/node_modules/content-type/package.json, win10v2004-20240802-en
- behavioral13: MantiWPF/bin/Editor/fileaccess/node_modules/cookie-signature/package.json, win7-20240903-en
- behavioral14: MantiWPF/bin/Editor/fileaccess/node_modules/cookie-signature/package.json, win10v2004-20240802-en
- behavioral15: MantiWPF/bin/Editor/fileaccess/node_modules/cookie/package.json, win7-20240708-en
- behavioral16: MantiWPF/bin/Editor/fileaccess/node_modules/cookie/package.json, win10v2004-20240802-en
- behavioral17: MantiWPF/bin/Editor/fileaccess/node_modules/debug/package.json, win7-20240708-en
- behavioral18: MantiWPF/bin/Editor/fileaccess/node_modules/debug/package.json, win10v2004-20240802-en
- behavioral19: MantiWPF/bin/Editor/fileaccess/node_modules/define-data-property/package.json, win7-20240903-en
- behavioral20: MantiWPF/bin/Editor/fileaccess/node_modules/define-data-property/package.json, win10v2004-20240802-en
- behavioral21: MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json, win7-20240729-en
- behavioral22: MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json, win10v2004-20240802-en
- behavioral23: MantiWPF/bin/Editor/fileaccess/node_modules/destroy/package.json, win7-20240903-en
- behavioral24: MantiWPF/bin/Editor/fileaccess/node_modules/destroy/package.json, win10v2004-20240802-en
- behavioral25: MantiWPF/bin/Editor/fileaccess/node_modules/ee-first/package.json, win7-20240903-en
- behavioral26: MantiWPF/bin/Editor/fileaccess/node_modules/ee-first/package.json, win10v2004-20240802-en
- behavioral27: MantiWPF/bin/Editor/fileaccess/node_modules/encodeurl/package.json, win7-20240704-en
- behavioral28: MantiWPF/bin/Editor/fileaccess/node_modules/encodeurl/package.json, win10v2004-20240802-en
- behavioral29: MantiWPF/bin/Editor/fileaccess/node_modules/es-define-property/package.json, win7-20240903-en
- behavioral30: MantiWPF/bin/Editor/fileaccess/node_modules/es-define-property/package.json, win10v2004-20240802-en
- behavioral31: MantiWPF/bin/Editor/fileaccess/node_modules/es-errors/package.json, win7-20240729-en
- behavioral32: MantiWPF/bin/Editor/fileaccess/node_modules/es-errors/package.json, win10v2004-20240802-en
General
- Target: MantiWPF/bin/Editor/fileaccess/node_modules/destroy/package.json
- Size: 1KB
- MD5: 6015f23c6e2fd79f4a6e29453ce4dc1d
- SHA1: e12115ed9a1e2c56eb35ecfc14ff83b8c02935d5
- SHA256: f865b50652dc062f43142e01f55db2760cc10d255bd05afd232e738999c58188
- SHA512: 1a09253a53e4067abb67e51d3efc6483da2984581bb1583805da63a602b525e9b5055b78eedd42e823bda8fcbcd92a69b1d89f72de5e3d867524476c05552ea2
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (9 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.json\ = "json_auto_file" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell\Read | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\ | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.json | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell\Read\command | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
    2756 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    2756 | AcroRd32.exe
    2756 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 3000 wrote to memory of 2728 | 3000 | cmd.exe | rundll32.exe
    PID 3000 wrote to memory of 2728 | 3000 | cmd.exe | rundll32.exe
    PID 3000 wrote to memory of 2728 | 3000 | cmd.exe | rundll32.exe
    PID 2728 wrote to memory of 2756 | 2728 | rundll32.exe | AcroRd32.exe
    PID 2728 wrote to memory of 2756 | 2728 | rundll32.exe | AcroRd32.exe
    PID 2728 wrote to memory of 2756 | 2728 | rundll32.exe | AcroRd32.exe
    PID 2728 wrote to memory of 2756 | 2728 | rundll32.exe | AcroRd32.exe
Processes (process tree, nested by parent)
- C:\Windows\system32\cmd.exe (PID: 3000)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\destroy\package.json
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID: 2728)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\destroy\package.json
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID: 2756)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\destroy\package.json"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 2e67418cc3d484211d2d940065242821
  SHA1: 08b753bd718dc2be9501919c50b6b37f1236d74d
  SHA256: 2890c20b48b3b7e4d3fcd613c787235487a9a4ae1a6e7711261416f612886b62
  SHA512: 66a61679581199f128844d848a136dec5b87d81414c3125b3e8d853103ca86d1f9972b49cda5d517ab949a2e4a2de62854731f350e3625b5095b58bef7b03b54