83ecb56baae08812b4a39cdbf4fac7b54db855ed39759bf4b1e8f0030cfc3834

General

Target

ed31bf412c6c2fexe_JC.exe
Size

13.3MB
MD5

ed31bf412c6c2fbdacf77fc1198627e4
SHA1

5804b3606ee0d8f2cbc4e5ec2531ff7d7a49636c
SHA256

83ecb56baae08812b4a39cdbf4fac7b54db855ed39759bf4b1e8f0030cfc3834
SHA512

c3905b1e4bd91c649cca6ffa951d06a3f7f34b02775a5a5e515c8e1546494142fa3d2f3388d8dd96a5ace58450f341eb6a1713fd6b37a0ea5f22873005c86694
SSDEEP

196608:2sIZf69EaKTH8wgWfUQQcP1AojH6pePv6grqN7aUQGXX2RNPMaf:2sIZfGEaK3gWfjQcapeKgrqNe/GX8kaf

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
628	SodaPDFDesktop14.exe

Loads dropped DLL 1 IoCs

pid	Process
1340	ed31bf412c6c2fexe_JC.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	ed31bf412c6c2fexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	ed31bf412c6c2fexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SodaPDFDesktop14.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
628	SodaPDFDesktop14.exe
628	SodaPDFDesktop14.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
628	SodaPDFDesktop14.exe
628	SodaPDFDesktop14.exe
628	SodaPDFDesktop14.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 628	1340	ed31bf412c6c2fexe_JC.exe	28
PID 1340 wrote to memory of 628	1340	ed31bf412c6c2fexe_JC.exe	28
PID 1340 wrote to memory of 628	1340	ed31bf412c6c2fexe_JC.exe	28
PID 1340 wrote to memory of 628	1340	ed31bf412c6c2fexe_JC.exe	28
PID 1340 wrote to memory of 628	1340	ed31bf412c6c2fexe_JC.exe	28
PID 1340 wrote to memory of 628	1340	ed31bf412c6c2fexe_JC.exe	28
PID 1340 wrote to memory of 628	1340	ed31bf412c6c2fexe_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\ed31bf412c6c2fexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\ed31bf412c6c2fexe_JC.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.343.2888\F2B9043F-B766-4F51-AAEE-654784C75B9D\SodaPDFDesktop14.exe
  C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.343.2888\F2B9043F-B766-4F51-AAEE-654784C75B9D\SodaPDFDesktop14.exe /update=start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
74e6c385fac143a7e8e79247408c3e1c

SHA1
dffe45aa550f67e1be3c03b966e3904ccf82f090

SHA256
2033728ad9ec0ccb1bd60304d0da9e7fac4a303e8bc814809c226e19ef929184

SHA512
a60770ca4b9b9a4610a451977c5f6a2f2a44e868fd5a884fac5de392c7ff8a88dc7583238be4b284cea4d618974c617c594b90ee50ebd2ad9dde65dac2318d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
f613dec8bd9bcfdfbb0106df3dc13605

SHA1
6184f229e068b75152c78b9bc6cc7da6a0b8bff8

SHA256
3a147d45c40172a10e69ad26b629de72714401f38e0aae1d87097a0c9ab978c0

SHA512
c5350b1bc19379466e66252bb926a390405bccf03551c1e3230617d218dc64d7f52f7d4b458f3bc8b86c68e22e488ebdb87f45979cdc205dc6188cbb364cfb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab94A1.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.343.2888\F2B9043F-B766-4F51-AAEE-654784C75B9D\SodaPDFDesktop14.exe

Filesize
13.3MB

MD5
ed31bf412c6c2fbdacf77fc1198627e4

SHA1
5804b3606ee0d8f2cbc4e5ec2531ff7d7a49636c

SHA256
83ecb56baae08812b4a39cdbf4fac7b54db855ed39759bf4b1e8f0030cfc3834

SHA512
c3905b1e4bd91c649cca6ffa951d06a3f7f34b02775a5a5e515c8e1546494142fa3d2f3388d8dd96a5ace58450f341eb6a1713fd6b37a0ea5f22873005c86694

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.343.2888\F2B9043F-B766-4F51-AAEE-654784C75B9D\SodaPDFDesktop14.exe

Filesize
13.3MB

MD5
ed31bf412c6c2fbdacf77fc1198627e4

SHA1
5804b3606ee0d8f2cbc4e5ec2531ff7d7a49636c

SHA256
83ecb56baae08812b4a39cdbf4fac7b54db855ed39759bf4b1e8f0030cfc3834

SHA512
c3905b1e4bd91c649cca6ffa951d06a3f7f34b02775a5a5e515c8e1546494142fa3d2f3388d8dd96a5ace58450f341eb6a1713fd6b37a0ea5f22873005c86694

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E26.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.343.2888\F2B9043F-B766-4F51-AAEE-654784C75B9D\SodaPDFDesktop14.exe

Filesize
13.3MB

MD5
ed31bf412c6c2fbdacf77fc1198627e4

SHA1
5804b3606ee0d8f2cbc4e5ec2531ff7d7a49636c

SHA256
83ecb56baae08812b4a39cdbf4fac7b54db855ed39759bf4b1e8f0030cfc3834

SHA512
c3905b1e4bd91c649cca6ffa951d06a3f7f34b02775a5a5e515c8e1546494142fa3d2f3388d8dd96a5ace58450f341eb6a1713fd6b37a0ea5f22873005c86694

Download Submit

Analysis

Sharing