a219f0f8dec02670e2e6243856a6563cb754dc03ecd8585c35c80e323a859dbf

Analysis

max time kernel
124s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
Size

13.6MB
MD5

8a5cceb9945ba7a8472b28f990f772a4
SHA1

d62decf0753522af205441315b4dfcbb88765a98
SHA256

a219f0f8dec02670e2e6243856a6563cb754dc03ecd8585c35c80e323a859dbf
SHA512

223369f1d1bb11b6e458194b9584c3c7affe9f03323bee5a4eea09bda7d6b9acaa30e096d947f0bb33c72e992b649c5452cb1ee2b05974c9fea05317366e4654
SSDEEP

393216:DeVUFOCkqrqNuPfdHccBoMIB+WJrJQcBoMIB+PJU9/:yWFOqPVHccBoMIB+WgcBoMIB+PM/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4336	Soda_PDF_Desktop_11_Installer.exe

Loads dropped DLL 3 IoCs

pid	Process
2332	regsvr32.exe
1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
2628	DllHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C255D30A-CEDC-4EA0-A82A-93BE46AC4EB5}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC31CD3-7FE2-4BBC-B62E-C74662BE496D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DF7D1EB-1AF7-4454-8A33-B2C7C9A497C0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55822341-7F3E-46AE-9CF3-763AE96C2F74}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4917E3C0-8161-4CD2-BFF4-2764A4E8021D}\ = "IOptionItemInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2096C7B-4CD1-4A59-B555-94CD41D52764}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9AE3114-9335-4D0E-8A53-6D3624571343}\TypeLib\ = "{DD136A0B-F50C-4BB6-AC16-BBE425C7B72B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F49AC5B-8B1F-4404-B68E-3990F2C3B4C3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03AB6594-C405-4486-BD9C-120C0690BC0E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39711466-4AB3-4F40-870E-D8777DC898EA}\TypeLib\ = "{DD136A0B-F50C-4BB6-AC16-BBE425C7B72B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06DA7C37-2C7A-44DF-BC78-AE5D77AB5AAB}\TypeLib\ = "{DD136A0B-F50C-4BB6-AC16-BBE425C7B72B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B424281C-9156-4A2C-9262-45D513AC9BAF}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 11\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B424281C-9156-4A2C-9262-45D513AC9BAF}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE68DA37-4290-40FB-BDEB-E98A51853B99}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F859FDA6-7EFF-4452-9DA5-D4D4A6C62DCA}\TypeLib\ = "{969DE2F9-AF2F-4F0C-A050-2C5938C28AD3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9AE3114-9335-4D0E-8A53-6D3624571343}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9AE3114-9335-4D0E-8A53-6D3624571343}\ = "ISaveUserDataStructLong"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6981F001-A7F7-4444-9B0C-EE8B8D44C6A6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6981F001-A7F7-4444-9B0C-EE8B8D44C6A6}\TypeLib\ = "{DD136A0B-F50C-4BB6-AC16-BBE425C7B72B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02FEE9C9-5D22-4D32-8529-2921C7CCC385}\ = "IInstaller"	Soda_PDF_Desktop_11_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06DA7C37-2C7A-44DF-BC78-AE5D77AB5AAB}\ = "IStatist"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6981F001-A7F7-4444-9B0C-EE8B8D44C6A6}\ = "IDownloadItemExternalApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3615C89-B242-4002-BAF2-E5441EF4B62F}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71550962-34BF-4724-BEC7-8BE269187602}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2096C7B-4CD1-4A59-B555-94CD41D52764}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B721818A-6577-47C4-A128-4218797801EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{570EEAE9-654E-4392-9781-7FBB8B54C2FD}\DllSurrogate	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03AB6594-C405-4486-BD9C-120C0690BC0E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B424281C-9156-4A2C-9262-45D513AC9BAF}\TypeLib\ = "{969DE2F9-AF2F-4F0C-A050-2C5938C28AD3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A015E73-65B0-4F17-BABD-0818B134E3D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F4DC035-BEA7-4D57-92B6-BF17F09E7D3E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DABE907-DB29-49CC-A614-67C0B35288D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBCFF0EC-064C-4C21-B488-823B838CEDE5}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 11\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD136A0B-F50C-4BB6-AC16-BBE425C7B72B}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF Desktop 11\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F760F90-72E0-4410-A71E-21266952AC79}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F760F90-72E0-4410-A71E-21266952AC79}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6981F001-A7F7-4444-9B0C-EE8B8D44C6A6}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97CD84AD-0133-4D99-A832-73C3205D51ED}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 11\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBCFF0EC-064C-4C21-B488-823B838CEDE5}\ = "InstallItemModule Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBCFF0EC-064C-4C21-B488-823B838CEDE5}\AppID = "{570EEAE9-654E-4392-9781-7FBB8B54C2FD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{06DA7C37-2C7A-44DF-BC78-AE5D77AB5AAB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{594E3602-3101-44F5-9CFF-11C8093E8ABE}\TypeLib	Soda_PDF_Desktop_11_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DF48DD-0CE7-4ECE-B556-007DF36E0769}\AppID = "{570EEAE9-654E-4392-9781-7FBB8B54C2FD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBCFF0EC-064C-4C21-B488-823B838CEDE5}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DF48DD-0CE7-4ECE-B556-007DF36E0769}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4CBF477E-EC72-452D-A8CC-41A1F7F49E25}\ = "InstallItemMonetization Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C3DBA6C-D633-4609-A323-60B3391104DA}\ = "Installer Class"	Soda_PDF_Desktop_11_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C3DBA6C-D633-4609-A323-60B3391104DA}\LocalServer32	Soda_PDF_Desktop_11_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29BC361B-3854-4CF4-87A8-2674BA7EE1F9}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 11\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92824FB4-C6BE-48C2-B742-8B920B25949B}\TypeLib\ = "{969DE2F9-AF2F-4F0C-A050-2C5938C28AD3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A015E73-65B0-4F17-BABD-0818B134E3D5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F4DC035-BEA7-4D57-92B6-BF17F09E7D3E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9454E2F1-DCB4-4B23-B7EF-296235F96747}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Soda_PDF_Desktop_11_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC1E983A-E832-47CA-83C0-D525B926D485}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC31CD3-7FE2-4BBC-B62E-C74662BE496D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4917E3C0-8161-4CD2-BFF4-2764A4E8021D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31740623-C5A4-4962-9809-F7A3079CB5EF}\AppID = "{570EEAE9-654E-4392-9781-7FBB8B54C2FD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8140A8AC-0CCC-43A2-8C48-E28A03BD20F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DABE907-DB29-49CC-A614-67C0B35288D5}\TypeLib\ = "{DD136A0B-F50C-4BB6-AC16-BBE425C7B72B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6CD485F-8774-448D-B667-E494649BBBD7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21718F2D-26E1-4B34-972B-61C13369EE51}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 11\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E688212-E740-4CE4-BE7E-DB3F2A3FB5AB}\ = "IStartDataStruct"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6981F001-A7F7-4444-9B0C-EE8B8D44C6A6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F4DC035-BEA7-4D57-92B6-BF17F09E7D3E}	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2332	1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe	81
PID 1860 wrote to memory of 2332	1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe	81
PID 1860 wrote to memory of 2332	1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe	81
PID 1860 wrote to memory of 4336	1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe	82
PID 1860 wrote to memory of 4336	1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe	82
PID 1860 wrote to memory of 4336	1860	8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe	82

C:\Users\Admin\AppData\Local\Temp\8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8a5cceb9945ba7a8472b28f990f772a4_magniber_JC.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\ProgramData\Soda PDF Desktop 11\Installation\Statistics.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2332
- C:\ProgramData\Soda PDF Desktop 11\Installation\Soda_PDF_Desktop_11_Installer.exe
  "C:\ProgramData\Soda PDF Desktop 11\Installation\Soda_PDF_Desktop_11_Installer.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4336

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{570EEAE9-654E-4392-9781-7FBB8B54C2FD}
1⤵
- Loads dropped DLL
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 11\Installation\Soda_PDF_Desktop_11_Installer.exe

Filesize
13.6MB

MD5
8a5cceb9945ba7a8472b28f990f772a4

SHA1
d62decf0753522af205441315b4dfcbb88765a98

SHA256
a219f0f8dec02670e2e6243856a6563cb754dc03ecd8585c35c80e323a859dbf

SHA512
223369f1d1bb11b6e458194b9584c3c7affe9f03323bee5a4eea09bda7d6b9acaa30e096d947f0bb33c72e992b649c5452cb1ee2b05974c9fea05317366e4654

Download Submit
C:\ProgramData\Soda PDF Desktop 11\Installation\Soda_PDF_Desktop_11_Installer.exe

Filesize
13.6MB

MD5
8a5cceb9945ba7a8472b28f990f772a4

SHA1
d62decf0753522af205441315b4dfcbb88765a98

SHA256
a219f0f8dec02670e2e6243856a6563cb754dc03ecd8585c35c80e323a859dbf

SHA512
223369f1d1bb11b6e458194b9584c3c7affe9f03323bee5a4eea09bda7d6b9acaa30e096d947f0bb33c72e992b649c5452cb1ee2b05974c9fea05317366e4654

Download Submit
C:\ProgramData\Soda PDF Desktop 11\Installation\Statistics.dll

Filesize
1.9MB

MD5
83e84c60b09a5b48158d479f3cfcadba

SHA1
fa91e3b7561f45f814d2f4ef2063801e6bd307f0

SHA256
54144964544b2006958e9de23517d2eccb75d56ffa3d8810700d50113c685854

SHA512
f1bdfd33d4a198894ef6a7ccbaeb7d76ba1e0ffddf437454e2ae00d024f3a4e634e51bc0c7ef513ffab5774f78404a2f721e5aa5b19b04cf4848c070b018f47d

Download Submit
C:\ProgramData\Soda PDF Desktop 11\Installation\Statistics.dll

Filesize
1.9MB

MD5
83e84c60b09a5b48158d479f3cfcadba

SHA1
fa91e3b7561f45f814d2f4ef2063801e6bd307f0

SHA256
54144964544b2006958e9de23517d2eccb75d56ffa3d8810700d50113c685854

SHA512
f1bdfd33d4a198894ef6a7ccbaeb7d76ba1e0ffddf437454e2ae00d024f3a4e634e51bc0c7ef513ffab5774f78404a2f721e5aa5b19b04cf4848c070b018f47d

Download Submit
C:\ProgramData\Soda PDF Desktop 11\Installation\Statistics.dll

Filesize
1.9MB

MD5
83e84c60b09a5b48158d479f3cfcadba

SHA1
fa91e3b7561f45f814d2f4ef2063801e6bd307f0

SHA256
54144964544b2006958e9de23517d2eccb75d56ffa3d8810700d50113c685854

SHA512
f1bdfd33d4a198894ef6a7ccbaeb7d76ba1e0ffddf437454e2ae00d024f3a4e634e51bc0c7ef513ffab5774f78404a2f721e5aa5b19b04cf4848c070b018f47d

Download Submit
C:\ProgramData\Soda PDF Desktop 11\Installation\Statistics.dll

Filesize
1.9MB

MD5
83e84c60b09a5b48158d479f3cfcadba

SHA1
fa91e3b7561f45f814d2f4ef2063801e6bd307f0

SHA256
54144964544b2006958e9de23517d2eccb75d56ffa3d8810700d50113c685854

SHA512
f1bdfd33d4a198894ef6a7ccbaeb7d76ba1e0ffddf437454e2ae00d024f3a4e634e51bc0c7ef513ffab5774f78404a2f721e5aa5b19b04cf4848c070b018f47d

Download Submit