Analysis
max time kernel: 102s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 00:45
Static task
static1: MantiWPF.zip
Behavioral tasks (sample, resource)
behavioral1: MantiWPF.zip, win7-20240903-en
behavioral2: MantiWPF.zip, win10v2004-20240802-en
behavioral3: MantiWPF/bin/Editor/fileaccess/node_modules/body-parser/package.json, win7-20240903-en
behavioral4: MantiWPF/bin/Editor/fileaccess/node_modules/body-parser/package.json, win10v2004-20240802-en
behavioral5: MantiWPF/bin/Editor/fileaccess/node_modules/bytes/package.json, win7-20240708-en
behavioral6: MantiWPF/bin/Editor/fileaccess/node_modules/bytes/package.json, win10v2004-20240802-en
behavioral7: MantiWPF/bin/Editor/fileaccess/node_modules/call-bind/package.json, win7-20240708-en
behavioral8: MantiWPF/bin/Editor/fileaccess/node_modules/call-bind/package.json, win10v2004-20240802-en
behavioral9: MantiWPF/bin/Editor/fileaccess/node_modules/content-disposition/package.json, win7-20240903-en
behavioral10: MantiWPF/bin/Editor/fileaccess/node_modules/content-disposition/package.json, win10v2004-20240802-en
behavioral11: MantiWPF/bin/Editor/fileaccess/node_modules/content-type/package.json, win7-20240903-en
behavioral12: MantiWPF/bin/Editor/fileaccess/node_modules/content-type/package.json, win10v2004-20240802-en
behavioral13: MantiWPF/bin/Editor/fileaccess/node_modules/cookie-signature/package.json, win7-20240903-en
behavioral14: MantiWPF/bin/Editor/fileaccess/node_modules/cookie-signature/package.json, win10v2004-20240802-en
behavioral15: MantiWPF/bin/Editor/fileaccess/node_modules/cookie/package.json, win7-20240708-en
behavioral16: MantiWPF/bin/Editor/fileaccess/node_modules/cookie/package.json, win10v2004-20240802-en
behavioral17: MantiWPF/bin/Editor/fileaccess/node_modules/debug/package.json, win7-20240708-en
behavioral18: MantiWPF/bin/Editor/fileaccess/node_modules/debug/package.json, win10v2004-20240802-en
behavioral19: MantiWPF/bin/Editor/fileaccess/node_modules/define-data-property/package.json, win7-20240903-en
behavioral20: MantiWPF/bin/Editor/fileaccess/node_modules/define-data-property/package.json, win10v2004-20240802-en
behavioral21: MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json, win7-20240729-en
behavioral22: MantiWPF/bin/Editor/fileaccess/node_modules/depd/package.json, win10v2004-20240802-en
behavioral23: MantiWPF/bin/Editor/fileaccess/node_modules/destroy/package.json, win7-20240903-en
behavioral24: MantiWPF/bin/Editor/fileaccess/node_modules/destroy/package.json, win10v2004-20240802-en
behavioral25: MantiWPF/bin/Editor/fileaccess/node_modules/ee-first/package.json, win7-20240903-en
behavioral26: MantiWPF/bin/Editor/fileaccess/node_modules/ee-first/package.json, win10v2004-20240802-en
behavioral27: MantiWPF/bin/Editor/fileaccess/node_modules/encodeurl/package.json, win7-20240704-en
behavioral28: MantiWPF/bin/Editor/fileaccess/node_modules/encodeurl/package.json, win10v2004-20240802-en
behavioral29: MantiWPF/bin/Editor/fileaccess/node_modules/es-define-property/package.json, win7-20240903-en
behavioral30: MantiWPF/bin/Editor/fileaccess/node_modules/es-define-property/package.json, win10v2004-20240802-en
behavioral31: MantiWPF/bin/Editor/fileaccess/node_modules/es-errors/package.json, win7-20240729-en
behavioral32: MantiWPF/bin/Editor/fileaccess/node_modules/es-errors/package.json, win10v2004-20240802-en
General
Target: MantiWPF/bin/Editor/fileaccess/node_modules/es-errors/package.json
Size: 2KB
MD5: 7e6b784827a0aff2a05c343f8a53e88d
SHA1: d13bcb37ab6ab7f0911ce728148cb1c8485a81d1
SHA256: 1a0a0bcccc76b915cb64073317312840cf6363e9144b96f406d0059774dd5278
SHA512: ba218ca690ca74f2e4feca55f95ae3f1f792b4a067c3133b035265de2e39ca39a8fdfc7fc18a898ff8ca0a5e2a791121d10708ed564496502da824a6167292c7
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AcroRd32.exe
    description    ioc                                                              process
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      AcroRd32.exe
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
    description      ioc                                                                                          process
    Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file         rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json                  rundll32.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json\ = "json_auto_file"   rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read   rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell   rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command   rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings         rundll32.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\        rundll32.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
    pid    process
    2816   AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
    pid    process
    2816   AcroRd32.exe
    2816   AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
    description                       pid    process       target process
    PID 1656 wrote to memory of 2984  1656   cmd.exe       rundll32.exe
    PID 1656 wrote to memory of 2984  1656   cmd.exe       rundll32.exe
    PID 1656 wrote to memory of 2984  1656   cmd.exe       rundll32.exe
    PID 2984 wrote to memory of 2816  2984   rundll32.exe  AcroRd32.exe
    PID 2984 wrote to memory of 2816  2984   rundll32.exe  AcroRd32.exe
    PID 2984 wrote to memory of 2816  2984   rundll32.exe  AcroRd32.exe
    PID 2984 wrote to memory of 2816  2984   rundll32.exe  AcroRd32.exe
Processes (process tree; each level is a child of the one above)
1. C:\Windows\system32\cmd.exe (PID 1656)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\es-errors\package.json
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2984)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\es-errors\package.json
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2816)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MantiWPF\bin\Editor\fileaccess\node_modules\es-errors\package.json"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: e06f85a62594eed5a59fb27abd8fb2cc
  SHA1: 52d41a9f9eaa943acca77571822158486b7c308c
  SHA256: 49497690f0d2fdfe614d00e076411a9b5163c03c574e0029f056c5bdc90c6ca7
  SHA512: e73e7a5f3e759ea5a16261d84bc836d0b7b69158c5701d06ad3161b89e20ad39bcf69105b73417be0463f2c00200e47de0252b5d60d1dd0e2c9f4833695b425e