b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192

Analysis

max time kernel
132s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2023 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
Size

12.4MB
MD5

fd8a8a5667f914cc3badcb5223346d42
SHA1

8c50c6ccd5babf7404f0ae9acffc2a82bddebfa9
SHA256

b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192
SHA512

74c57828748cb72298562424efdc8ce02666d929017d6e5025f88109be4bc1cfceb278ab4686958b70f95414e3cd89d012d2e7a72b7d462b360f55b428c4228a
SSDEEP

393216:Ou5VYuB2r85rrqNDNsd05mSr4cBoMIB+XJiMIpcBoMIB+OJDRa:NVn2rBNsd0ESscBoMIB+XWcBoMIB+OC

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4520	Soda_PDF_Desktop_Installer.exe

Loads dropped DLL 3 IoCs

pid	Process
2064	regsvr32.exe
1460	DllHost.exe
4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07468548-A725-4B11-AAB7-17A971566138}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3693AF66-4273-4D8D-8309-89DA275E23D8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFAAE9E3-93B2-4679-BA2F-155666F43F58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0BB0C053-7C7A-4F45-BF24-DCF74E77D464}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{376E602E-721B-4646-B82E-D2E60B1CE3B8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE71C8D0-16D6-4CC6-9D98-56B6F4BCBFB6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C66CD1AA-80C5-45D9-8941-2F4507B0412C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4B3AAE8-EF4C-4617-ADD7-95232E012228}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15FAF0A5-619D-4B72-B363-31C105000DBB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{543BE2A6-BA44-4E62-839C-1BA644D6FD21}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Soda_PDF_Desktop_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8D28CD5-A6B1-41CC-B453-9D2C054A25D9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE71C8D0-16D6-4CC6-9D98-56B6F4BCBFB6}\ = "IGeoIP"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3693AF66-4273-4D8D-8309-89DA275E23D8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4BDC973-C031-4334-BF79-25D7E15D1E19}\1.0\ = "Statistics"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6093EE65-BC31-4577-83D9-9A86F41F708F}\ = "IStartDataStruct"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{972B8698-468C-4617-AB7C-06564D85171B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BB0C053-7C7A-4F45-BF24-DCF74E77D464}\ = "IXMLSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFAAE9E3-93B2-4679-BA2F-155666F43F58}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15FAF0A5-619D-4B72-B363-31C105000DBB}\ = "InstallItemModule Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0755B59E-68CA-403D-BE36-CF57A906597B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{972B8698-468C-4617-AB7C-06564D85171B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C66CD1AA-80C5-45D9-8941-2F4507B0412C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF53E1B5-B742-4766-9B35-49F365EA5DFA}\ = "DownloadItemModule Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCECF739-A8C7-418C-9892-E0743C7074C8}\ = "DownloadItemModule3_1 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE83BEDA-940B-4720-A196-4CC973B6BB3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE71C8D0-16D6-4CC6-9D98-56B6F4BCBFB6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23D0E331-81CA-417E-8B95-0DA4BF0F6A28}\1.0\HELPDIR\ = "C:\\ProgramData\\Soda PDF Desktop 10\\Installation"	Soda_PDF_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18288FC0-52F2-4F26-AAAC-345987D6840D}\ProxyStubClsid32	Soda_PDF_Desktop_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AC1A4D1-294B-4BDC-B8C6-25FFD0E743CC}\TypeLib\ = "{F4BDC973-C031-4334-BF79-25D7E15D1E19}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18288FC0-52F2-4F26-AAAC-345987D6840D}\TypeLib\Version = "1.0"	Soda_PDF_Desktop_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3693AF66-4273-4D8D-8309-89DA275E23D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCECF739-A8C7-418C-9892-E0743C7074C8}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCECF739-A8C7-418C-9892-E0743C7074C8}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE83BEDA-940B-4720-A196-4CC973B6BB3F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4BDC973-C031-4334-BF79-25D7E15D1E19}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23D0E331-81CA-417E-8B95-0DA4BF0F6A28}\1.0\ = "GlamInstallerComLib"	Soda_PDF_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{543BE2A6-BA44-4E62-839C-1BA644D6FD21}	Soda_PDF_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18288FC0-52F2-4F26-AAAC-345987D6840D}	Soda_PDF_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51EAF17A-F522-4B09-9088-838B91B94C74}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2464B39B-8DF4-4297-A189-3A4D74B30C9E}\TypeLib\ = "{685C9BA7-4C0E-4181-81F9-23EC875E4881}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCBCC9E3-164B-438F-B99C-BFEEF41C9500}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82FF6EE2-4CD2-41CC-B1E6-534C0E18AB4F}\ = "IInstallItemExternalApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B13C2DC4-4DFA-4B78-A673-F3D2B31F78C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4B3AAE8-EF4C-4617-ADD7-95232E012228}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF53E1B5-B742-4766-9B35-49F365EA5DFA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6093EE65-BC31-4577-83D9-9A86F41F708F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F7D87B1-0026-45F0-AC05-320C0407FD3B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E380A4DB-BC1D-4EE4-B6EF-19DA2839CFD5}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0755B59E-68CA-403D-BE36-CF57A906597B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6279E8E-DC5A-48B2-BC63-8AE075067CB5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AC1A4D1-294B-4BDC-B8C6-25FFD0E743CC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82FF6EE2-4CD2-41CC-B1E6-534C0E18AB4F}\ = "IInstallItemExternalApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B39BBB3C-7952-4CF6-A451-0CCF19EAA8A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4B3AAE8-EF4C-4617-ADD7-95232E012228}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 10\\Installation\\Statistics.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63319DF9-1A53-460D-A7A0-12264DE6D964}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4BDC973-C031-4334-BF79-25D7E15D1E19}\1.0\HELPDIR\ = "C:\\ProgramData\\Soda PDF Desktop 10\\Installation"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE71C8D0-16D6-4CC6-9D98-56B6F4BCBFB6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F7D87B1-0026-45F0-AC05-320C0407FD3B}\TypeLib\ = "{F4BDC973-C031-4334-BF79-25D7E15D1E19}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{07468548-A725-4B11-AAB7-17A971566138}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4B3AAE8-EF4C-4617-ADD7-95232E012228}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC692EEF-621C-4D31-95B7-10A863517C28}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82FF6EE2-4CD2-41CC-B1E6-534C0E18AB4F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{42FFD432-5763-44AD-9902-6C45F3452BAE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6145C3ED-6D28-4839-B3B2-FA75311B0D61}	Soda_PDF_Desktop_Installer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2064	4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	82
PID 4020 wrote to memory of 2064	4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	82
PID 4020 wrote to memory of 2064	4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	82
PID 4020 wrote to memory of 4520	4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	85
PID 4020 wrote to memory of 4520	4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	85
PID 4020 wrote to memory of 4520	4020	fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fd8a8a5667f914cc3badcb5223346d42_magniber_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2064
- C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe
  "C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4520

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{51EAF17A-F522-4B09-9088-838B91B94C74}
1⤵
- Loads dropped DLL
PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe

Filesize
12.4MB

MD5
fd8a8a5667f914cc3badcb5223346d42

SHA1
8c50c6ccd5babf7404f0ae9acffc2a82bddebfa9

SHA256
b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192

SHA512
74c57828748cb72298562424efdc8ce02666d929017d6e5025f88109be4bc1cfceb278ab4686958b70f95414e3cd89d012d2e7a72b7d462b360f55b428c4228a

Download Submit
C:\ProgramData\Soda PDF Desktop 10\Installation\Soda_PDF_Desktop_Installer.exe

Filesize
12.4MB

MD5
fd8a8a5667f914cc3badcb5223346d42

SHA1
8c50c6ccd5babf7404f0ae9acffc2a82bddebfa9

SHA256
b19439a7daf50aebb1014bf51a6540d12cd7cffa49c3e1aa58f210a2070a0192

SHA512
74c57828748cb72298562424efdc8ce02666d929017d6e5025f88109be4bc1cfceb278ab4686958b70f95414e3cd89d012d2e7a72b7d462b360f55b428c4228a

Download Submit
C:\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
C:\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
C:\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit
C:\ProgramData\Soda PDF Desktop 10\Installation\Statistics.dll

Filesize
1.8MB

MD5
d015a82879285186d645ac494d85117d

SHA1
0a64adda745e744191e0fe9355da0eecaddce63c

SHA256
8ee30d7c4d46d473c82518d8f8ef349ff23f8999092c9236f400e6a05d6230c9

SHA512
7ef48a8561465b8f5be6d826fb9abfae2dbb40ef40eb528e3fa1ddd481bf1419e3a5d097a00046436c5bcf4a4b89fce51c8cf97cf43c0eb481cfe49e3c0ca0f7

Download Submit