Analysis
max time kernel: 137s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 13:19
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
  Resource: win10v2004-20240319-en
General
Target: 2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
Size: 9.9MB
MD5: bd1f444a44a3e7dc3cca42f4921d4055
SHA1: 63a3fbdc6904a3b6df60bcf1c412252c67ae24ec
SHA256: e0d88164676d2e1af51a413285d3fda98feb00436a844e2d2db2a54c678850bf
SHA512: 3f05c96b1230e272646c9e6562a132a7e24451d006256b14788619e4d5e807145e7ad898e29d4bf0f0b2b366c6e5f2a8c64f29e6f6e8b9e78dbd8028cbb6bee4
SSDEEP: 196608:2WfTKKC4TNjC9haNXkfDrqNpU7YHHXCSyZBMyvsP4:zTKKfNCCNEDrqNpHHTaB
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
1628  Soda_PDF_7_Installer.exe
2540  bd6f51dd-fbf9-42ea-b2fd-025d10a93ef0.exe

Loads dropped DLL (4 IoCs)
pid   Process
1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
1964  regsvr32.exe
1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
2540  bd6f51dd-fbf9-42ea-b2fd-025d10a93ef0.exe

Modifies registry class (64 IoCs)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2540  bd6f51dd-fbf9-42ea-b2fd-025d10a93ef0.exe
2540  bd6f51dd-fbf9-42ea-b2fd-025d10a93ef0.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                      pid   Process
Token: SeRestorePrivilege        2628  msiexec.exe
Token: SeTakeOwnershipPrivilege  2628  msiexec.exe
Token: SeSecurityPrivilege       2628  msiexec.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description                        pid   Process                                                          procid_target
PID 1912 wrote to memory of 1628   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  28
PID 1912 wrote to memory of 1628   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  28
PID 1912 wrote to memory of 1628   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  28
PID 1912 wrote to memory of 1628   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  28
PID 1912 wrote to memory of 1628   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  28
PID 1912 wrote to memory of 1628   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  28
PID 1912 wrote to memory of 1628   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  28
PID 1912 wrote to memory of 1964   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  29
PID 1912 wrote to memory of 1964   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  29
PID 1912 wrote to memory of 1964   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  29
PID 1912 wrote to memory of 1964   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  29
PID 1912 wrote to memory of 1964   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  29
PID 1912 wrote to memory of 1964   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  29
PID 1912 wrote to memory of 1964   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  29
PID 1912 wrote to memory of 2540   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  30
PID 1912 wrote to memory of 2540   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  30
PID 1912 wrote to memory of 2540   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  30
PID 1912 wrote to memory of 2540   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  30
PID 1912 wrote to memory of 2540   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  30
PID 1912 wrote to memory of 2540   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  30
PID 1912 wrote to memory of 2540   1912  2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe"
  PID: 1912
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child: C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe
    Command line: "C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe" /RegServer
    PID: 1628
    - Executes dropped EXE
    - Modifies registry class
  Child: C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32.exe /s "C:\ProgramData\Soda PDF 7\Installation\Statistics.dll"
    PID: 1964
    - Loads dropped DLL
    - Modifies registry class
  Child: C:\Users\Admin\AppData\Local\Temp\bd6f51dd-fbf9-42ea-b2fd-025d10a93ef0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bd6f51dd-fbf9-42ea-b2fd-025d10a93ef0.exe /update
    PID: 2540
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2628
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
File 1
Filesize: 1.0MB
MD5: 6aaddf9a9be2862eb559176428905e8b
SHA1: d98c6a8ec94e6ad22b8d684f40855277d77217c1
SHA256: 8ffe7994defb9e65695a29175ac626b2fd80fcfd370071bf7403ff5dfc93c80c
SHA512: 97723b7740e713d2d77465bbdb4e5b5852d945162164e1b2ae713abc32c24c573bf0b14c784080d960a2651a60035f0d8c82ab496f2295201242c06ec661f008

File 2
Filesize: 9.9MB
MD5: bd1f444a44a3e7dc3cca42f4921d4055
SHA1: 63a3fbdc6904a3b6df60bcf1c412252c67ae24ec
SHA256: e0d88164676d2e1af51a413285d3fda98feb00436a844e2d2db2a54c678850bf
SHA512: 3f05c96b1230e272646c9e6562a132a7e24451d006256b14788619e4d5e807145e7ad898e29d4bf0f0b2b366c6e5f2a8c64f29e6f6e8b9e78dbd8028cbb6bee4