b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
Size

12.4MB
MD5

fd8a8a5667f914cc3badcb5223346d42
SHA1

8c50c6ccd5babf7404f0ae9acffc2a82bddebfa9
SHA256

b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192
SHA512

74c57828748cb72298562424efdc8ce02666d929017d6e5025f88109be4bc1cfceb278ab4686958b70f95414e3cd89d012d2e7a72b7d462b360f55b428c4228a
SSDEEP

393216:Ou5VYuB2r85rrqNDNsd05mSr4cBoMIB+XJiMIpcBoMIB+OJDRa:NVn2rBNsd0ESscBoMIB+XWcBoMIB+OC

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	Soda_PDF_Desktop_Installer.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	regsvr32.exe
2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
2740	DllHost.exe
2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF850DEC-9938-462A-96DD-B61C1B4FA8A7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{376E602E-721B-4646-B82E-D2E60B1CE3B8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19D1D87B-C163-40AF-8127-028A98ACC76A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8D7024-00EB-41E6-8F82-79ADA74572B8}\ = "IDownloadItemToolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE71C8D0-16D6-4CC6-9D98-56B6F4BCBFB6}\TypeLib\ = "{F4BDC973-C031-4334-BF79-25D7E15D1E19}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39B26C0D-7575-4AD5-A426-1DDCDB36C103}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23D0E331-81CA-417E-8B95-0DA4BF0F6A28}\1.0\ = "GlamInstallerComLib"	Soda_PDF_Desktop_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62BC541E-4619-4172-ACC0-07D530EFB145}\TypeLib\ = "{685C9BA7-4C0E-4181-81F9-23EC875E4881}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FD41C0-2F97-47E1-B49D-44342081C579}\TypeLib\ = "{685C9BA7-4C0E-4181-81F9-23EC875E4881}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F946EA1-47C4-4591-BE11-03C0405DD5B0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A90127C4-FEF2-4F9A-99AF-1C5109B7D1BE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCECF739-A8C7-418C-9892-E0743C7074C8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96F939FD-8B45-4CE0-B913-F28834B5B685}\TypeLib\ = "{685C9BA7-4C0E-4181-81F9-23EC875E4881}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFAAE9E3-93B2-4679-BA2F-155666F43F58}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B39BBB3C-7952-4CF6-A451-0CCF19EAA8A5}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC692EEF-621C-4D31-95B7-10A863517C28}\TypeLib\ = "{685C9BA7-4C0E-4181-81F9-23EC875E4881}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96F939FD-8B45-4CE0-B913-F28834B5B685}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 10\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0755B59E-68CA-403D-BE36-CF57A906597B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39B26C0D-7575-4AD5-A426-1DDCDB36C103}\TypeLib\ = "{F4BDC973-C031-4334-BF79-25D7E15D1E19}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B39BBB3C-7952-4CF6-A451-0CCF19EAA8A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6279E8E-DC5A-48B2-BC63-8AE075067CB5}\ = "ICancelDataStruct"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82FF6EE2-4CD2-41CC-B1E6-534C0E18AB4F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A8D28CD5-A6B1-41CC-B453-9D2C054A25D9}\TypeLib\ = "{F4BDC973-C031-4334-BF79-25D7E15D1E19}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF53E1B5-B742-4766-9B35-49F365EA5DFA}\TypeLib\ = "{685C9BA7-4C0E-4181-81F9-23EC875E4881}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16CC520A-7109-447D-82A3-057F5A171F69}\TypeLib\ = "{90989A22-A972-4079-9A00-EC148BF828FE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16B966B5-1049-45D0-BCFF-0698C59F140B}\AppID = "{51EAF17A-F522-4B09-9088-838B91B94C74}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6093EE65-BC31-4577-83D9-9A86F41F708F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8D28CD5-A6B1-41CC-B453-9D2C054A25D9}\ = "IDownloadItemModule"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{42FFD432-5763-44AD-9902-6C45F3452BAE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96F939FD-8B45-4CE0-B913-F28834B5B685}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF53E1B5-B742-4766-9B35-49F365EA5DFA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96F939FD-8B45-4CE0-B913-F28834B5B685}\AppID = "{51EAF17A-F522-4B09-9088-838B91B94C74}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16B966B5-1049-45D0-BCFF-0698C59F140B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6279E8E-DC5A-48B2-BC63-8AE075067CB5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82FF6EE2-4CD2-41CC-B1E6-534C0E18AB4F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8D7024-00EB-41E6-8F82-79ADA74572B8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8D7024-00EB-41E6-8F82-79ADA74572B8}\TypeLib\ = "{F4BDC973-C031-4334-BF79-25D7E15D1E19}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C66CD1AA-80C5-45D9-8941-2F4507B0412C}\ = "InstallItemsList Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{986AB0AD-82B2-4015-8589-D0A0D1DEFA30}\Version\ = "1.0"	Soda_PDF_Desktop_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC692EEF-621C-4D31-95B7-10A863517C28}\AppID = "{51EAF17A-F522-4B09-9088-838B91B94C74}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82FF6EE2-4CD2-41CC-B1E6-534C0E18AB4F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B13C2DC4-4DFA-4B78-A673-F3D2B31F78C9}\TypeLib\ = "{F4BDC973-C031-4334-BF79-25D7E15D1E19}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4B3AAE8-EF4C-4617-ADD7-95232E012228}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFAAE9E3-93B2-4679-BA2F-155666F43F58}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63319DF9-1A53-460D-A7A0-12264DE6D964}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0755B59E-68CA-403D-BE36-CF57A906597B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F946EA1-47C4-4591-BE11-03C0405DD5B0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07468548-A725-4B11-AAB7-17A971566138}\ = "IStartItemModule"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3693AF66-4273-4D8D-8309-89DA275E23D8}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6145C3ED-6D28-4839-B3B2-FA75311B0D61}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B39BBB3C-7952-4CF6-A451-0CCF19EAA8A5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75E61F6B-F24C-4B9C-ADFC-028317CF1F1E}\AppID = "{51EAF17A-F522-4B09-9088-838B91B94C74}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0BB0C053-7C7A-4F45-BF24-DCF74E77D464}\ = "IXMLSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCBCC9E3-164B-438F-B99C-BFEEF41C9500}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18288FC0-52F2-4F26-AAAC-345987D6840D}\TypeLib\Version = "1.0"	Soda_PDF_Desktop_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62BC541E-4619-4172-ACC0-07D530EFB145}\AppID = "{51EAF17A-F522-4B09-9088-838B91B94C74}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{972B8698-468C-4617-AB7C-06564D85171B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AC1A4D1-294B-4BDC-B8C6-25FFD0E743CC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF850DEC-9938-462A-96DD-B61C1B4FA8A7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6093EE65-BC31-4577-83D9-9A86F41F708F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE8BB419-8C5C-42A0-AE3C-184695BD5030}\ = "IInstallItemToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE8BB419-8C5C-42A0-AE3C-184695BD5030}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE71C8D0-16D6-4CC6-9D98-56B6F4BCBFB6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{42FFD432-5763-44AD-9902-6C45F3452BAE}	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	2084	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2716	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	28
PID 2272 wrote to memory of 2716	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	28
PID 2272 wrote to memory of 2716	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	28
PID 2272 wrote to memory of 2716	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	28
PID 2272 wrote to memory of 2716	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	28
PID 2272 wrote to memory of 2716	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	28
PID 2272 wrote to memory of 2716	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	28
PID 2272 wrote to memory of 2880	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	30
PID 2272 wrote to memory of 2880	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	30
PID 2272 wrote to memory of 2880	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	30
PID 2272 wrote to memory of 2880	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	30
PID 2272 wrote to memory of 2880	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	30
PID 2272 wrote to memory of 2880	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	30
PID 2272 wrote to memory of 2880	2272	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2716
- C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe
  "C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2880

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{51EAF17A-F522-4B09-9088-838B91B94C74}
1⤵
- Loads dropped DLL
PID:2740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe

Filesize
12.4MB

MD5
fd8a8a5667f914cc3badcb5223346d42

SHA1
8c50c6ccd5babf7404f0ae9acffc2a82bddebfa9

SHA256
b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192

SHA512
74c57828748cb72298562424efdc8ce02666d929017d6e5025f88109be4bc1cfceb278ab4686958b70f95414e3cd89d012d2e7a72b7d462b360f55b428c4228a

Download Submit
C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe

Filesize
12.4MB

MD5
fd8a8a5667f914cc3badcb5223346d42

SHA1
8c50c6ccd5babf7404f0ae9acffc2a82bddebfa9

SHA256
b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192

SHA512
74c57828748cb72298562424efdc8ce02666d929017d6e5025f88109be4bc1cfceb278ab4686958b70f95414e3cd89d012d2e7a72b7d462b360f55b428c4228a

Download Submit
C:\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
922ddc7a0eecad804b54ec525921dcac

SHA1
3196dda279239a44f3a5978d487bbd06e51137d7

SHA256
b7cdb6e8a28dc3f4f19753955b6c0f16853e1ea6aff8689421ebfb997ce4fc14

SHA512
6ae59207730da2e99a62c3c39792e1ec2d7e6718ad18983de6a1c3eae37b7c851a5069803627c54d42c34542dfcfe25b9d7d6602643b1aaba44d3011793d9730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dafe14d6e3038010bbac6dc7de957e32

SHA1
92c6bd8171469a384a9843f1a61f6ca10fae5f8c

SHA256
77511cffe5866f4120c2c8c184b4b765dd03c87fad2c6babfddbc5ea1494a757

SHA512
6b7184ec0c82024eea91219afd08d23d0f9f7df21f26b913ee2edfdabe40dbce3473d37a4708e66613275343753fb3107adff393a9a716e9409ac71e1dc1630e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F6D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F7F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe

Filesize
12.4MB

MD5
fd8a8a5667f914cc3badcb5223346d42

SHA1
8c50c6ccd5babf7404f0ae9acffc2a82bddebfa9

SHA256
b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192

SHA512
74c57828748cb72298562424efdc8ce02666d929017d6e5025f88109be4bc1cfceb278ab4686958b70f95414e3cd89d012d2e7a72b7d462b360f55b428c4228a

Download Submit
\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit