e649ea7e2eaef11f9b69804da030d8801e190f38465eaafdbdfaa12e13490348

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
Size

17.5MB
MD5

4b55c6b86ea4c0deb3439bf63cf8a229
SHA1

5af32b29996435bf81f3152a04b145f5ab03e4d8
SHA256

e649ea7e2eaef11f9b69804da030d8801e190f38465eaafdbdfaa12e13490348
SHA512

4a68eb845e33ab175d61d1699b807e92c4ff64e5c2db3d8096f0aa08524f5895e1096161e79a362295859a0edf1c99b2843bd0d7a38dec0e302b377bc7b6372b
SSDEEP

196608:AxXEMpZMYZsiUu6Mj7lNdyFq6s1KuaN7gZagD2a+590vITByPrqN2MLG0gylZzpU:AuMrfUq6sYA92a+59eIoPrqNU0gk1ERP

Score

4^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2264	regsvr32.exe
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
2528	DllHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4610C369-DA38-4F0B-B1FB-A0BAF1F60817}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{987CD7D7-09EF-4EFF-9AFD-64AE892E0113}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF0E6C56-94AA-4DE6-A5F4-721A0E2240DA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61A2973C-B4EC-4493-8E05-A60A44ABBC65}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{047784C5-9559-4D46-B5DC-63C7264602BE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{32E5E5C6-4E9D-4DD6-99D0-CDD46B321421}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{61D40A79-EFAE-40A0-88CB-59C15CC521CF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02D92802-E58F-4587-8BB6-A7E3C1FCF576}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0442FC3C-1B29-4727-ABAB-87037321DD29}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFD18878-92B5-40A5-B6A7-584E4E258808}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC09008B-15CE-462E-BD15-AB51324729D4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F3053A6-6F18-4546-898F-8C65DDCF833D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75A7903-6951-400D-810F-FE6C8E271380}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A172F54-610F-493E-A119-84CDBCE19932}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2971308-C011-4AF5-86A0-4C374EA9ADBF}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE1DC8C1-1F7E-49E2-B9B6-61F3188BE346}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A49DF67-14D2-4726-86F4-21DF18ED307B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EAE84A1-48D8-45E4-BF9C-446333F4111D}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A172F54-610F-493E-A119-84CDBCE19932}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10335249-1AD1-493B-BC41-B934EC5F7806}\VersionIndependentProgID\ = "Statist_Prog_Id"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10335249-1AD1-493B-BC41-B934EC5F7806}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75A7903-6951-400D-810F-FE6C8E271380}\ = "ICancelDataStruct"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{047784C5-9559-4D46-B5DC-63C7264602BE}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8E1AD8-9F39-4893-8E7D-4711474B309E}\InprocServer32\ = "C:\\ProgramData\\Soda PDF Desktop 12\\Installation\\analytics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19ABDFD5-C458-434A-9729-8DC017E71A9A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A249FCE8-6781-4667-A8C5-DCA879885BFC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D5CB3A4-D4C6-4527-B823-304B72BF902D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFD18878-92B5-40A5-B6A7-584E4E258808}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F3053A6-6F18-4546-898F-8C65DDCF833D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6DBB259-C5CD-414E-89E0-C111FA5A5069}\ = "IXMLSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE15E47-5D96-4C6F-A5E6-6099E9C74E61}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61D40A79-EFAE-40A0-88CB-59C15CC521CF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA254B1E-3176-4816-9B2A-C25EFD3545D7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{987CD7D7-09EF-4EFF-9AFD-64AE892E0113}\ = "IInstallItemMonetization"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAF1B65C-5621-42A4-A5A1-1ECEADB60979}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51591B21-70DB-4833-AC69-ED9718086E4D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6B79EFE-8E9E-49DA-8286-D68D4B830570}\AppID = "{EA99D9A6-92E7-43AD-9616-97BEA0A8CC1B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F0BF36A-9836-48A0-A41F-643D32BE878D}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75A7903-6951-400D-810F-FE6C8E271380}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A623E508-4758-4101-A4E6-8E0D68D68774}\ = "IInstallItemModule"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA254B1E-3176-4816-9B2A-C25EFD3545D7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5187457-47D7-4D5A-A80C-54DF87945359}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61A2973C-B4EC-4493-8E05-A60A44ABBC65}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8E1AD8-9F39-4893-8E7D-4711474B309E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51591B21-70DB-4833-AC69-ED9718086E4D}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F3053A6-6F18-4546-898F-8C65DDCF833D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02D92802-E58F-4587-8BB6-A7E3C1FCF576}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26B6C985-00D8-40B6-BB76-618294F53100}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61A2973C-B4EC-4493-8E05-A60A44ABBC65}\ = "DownloadItemModule3_1 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{047784C5-9559-4D46-B5DC-63C7264602BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFF42A83-1142-4A9F-ABDE-517BBA666E02}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D763BB2-3FFA-43E8-8AE2-408CBAEDD237}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A49DF67-14D2-4726-86F4-21DF18ED307B}\ = "IStartDataStruct"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19ABDFD5-C458-434A-9729-8DC017E71A9A}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7820DB4E-4DA1-4D97-B140-73B6F7801256}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6DBB259-C5CD-414E-89E0-C111FA5A5069}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19ABDFD5-C458-434A-9729-8DC017E71A9A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B23A337-E4CA-4CB2-AB24-4EECDFD85266}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BC09008B-15CE-462E-BD15-AB51324729D4}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4610C369-DA38-4F0B-B1FB-A0BAF1F60817}\TypeLib\ = "{462B192A-B4FB-4E40-A255-0905A37CBA61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7F0BF36A-9836-48A0-A41F-643D32BE878D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0442FC3C-1B29-4727-ABAB-87037321DD29}\ = "StatVersionDll Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B167550B-09F7-4C59-B17F-25EBEB866B8B}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{987CD7D7-09EF-4EFF-9AFD-64AE892E0113}\ProxyStubClsid32	regsvr32.exe

Modifies system certificate store 2 TTPs 7 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2264	2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe	28
PID 2044 wrote to memory of 2264	2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe	28
PID 2044 wrote to memory of 2264	2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe	28
PID 2044 wrote to memory of 2264	2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe	28
PID 2044 wrote to memory of 2264	2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe	28
PID 2044 wrote to memory of 2264	2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe	28
PID 2044 wrote to memory of 2264	2044	2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_4b55c6b86ea4c0deb3439bf63cf8a229_magniber_metamorfo_revil.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\ProgramData\Soda PDF Desktop 12\Installation\analytics.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{EA99D9A6-92E7-43AD-9616-97BEA0A8CC1B}
1⤵
- Loads dropped DLL
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 12\Installation\analytics.dll

Filesize
1.6MB

MD5
e8e69d4164a07d2c4856cf205145fd0f

SHA1
7f61086e144d529e537fc97a3f6e6a6d0fdd5f12

SHA256
74695db80858510b1652d9de7a2bf97cbe79a0fc83fe797f39ab83e6386df28d

SHA512
8e70382fe5da3b9068098f032d2e6fc06644657db4720ad38921a20fc82e3126cd34227942dd1ee14a8dbf1c75f1f19a9a5d636ef87172a80ed30f38cd07c409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99f7410ed937534d6f187d30ad5ba041

SHA1
f34f0c96e19b92843f217a0e902c22813f937979

SHA256
2a09add5adb5c104918b27cc2a8395a55a36d4debbf375e87a744311e630d60b

SHA512
a8f8eb056fb90a5ac362ab4c96367aacebdc475b91dff67b195b235b84ce9edfaf1ca3b2c2159ec402d498899449c2a232f3e5a91184cea83d428be396b03bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f3faa22267c4e2072de379044889bf0b

SHA1
30f1ea9dbb87b8d6c6616383adbaf098e29680d2

SHA256
481fe5f75cec72f2a9df9eb9cf512375b9ab130227f54ac8815b8ee96563d9d0

SHA512
29f4b0cdcd9adbc513dac4cb1bbef5b4f4c4caeef4cb8140b9df1055b482b4c4e21135692bf265917fa4a7ff89c1feaf753134da74322260aaf33793d94fa90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2580.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\analytics.dll

Filesize
716KB

MD5
13b543b730bf16218ea6cc1d097d6504

SHA1
6147832423b02f48058f8156933523bdff8c5502

SHA256
9a5e21efa226a1234a397de4500af534d8cbc3b99c4ffbe9dc8e1a44bcf10eef

SHA512
7fe1e7d70504a37f8ce579b444d35a900b22e4679420f233270f6b54b0c5b0d0206cf4386dc4e9504f9f632a9bd923c0fa14e165b62c1cb270a6b3f480ed7353

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\analytics.dll

Filesize
1.4MB

MD5
8bef23cc1aedb755646c099187e5fe93

SHA1
bba71a8d1918bf123196c136c4b90876f612e5c9

SHA256
14fbcc719ca4ff737de70beb5ea29f5755cf8821bb77d3c0c4356f03af9e979f

SHA512
5a0e82964f562caac6e6cc1667ea1f10ecca58ae1df3677387885bdc10437d69e6ab277ec4654c48aed114977dd6e95f620d371fd98ef629f444139c97204e55

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\analytics.dll

Filesize
1.8MB

MD5
f212eb074861eda7b3014afd8393b0c8

SHA1
530eabd3f0eb1703287927e749380a163b9de694

SHA256
8c6627e6d5939b75767a2136c325bed62e0ea4212eff44bfc428367e35ec2446

SHA512
6dca3e8c98b24a1e010bb5b5ccf2555d8de934b6f8bee30c6422b58b842c67c11ed3ad7512b0a87f60b103c5c7fa264d801d7bb5d318350d6ddccf52acd67c5a

Download Submit
\ProgramData\Soda PDF Desktop 12\Installation\analytics.dll

Filesize
1.7MB

MD5
f53715ef918976c1b236b87667388dd4

SHA1
abe5ffbb756abff1a4ab80e41460fd3c0cabd091

SHA256
32d9e5d31c5bf61d09a6f1715ab3c00a5a31384346b7836f9da3f59dab503169

SHA512
006452f9cc1352f4c2c8cc4c73e9f7f2b86a3540336a7c9507cada24011df22634b1f0dd6e5679f6b666d9eac171eb7e7cc9d8cf92708339cb82afb6cd060f4f

Download Submit