e0d88164676d2e1af51a413285d3fda98feb00436a844e2d2db2a54c678850bf

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
Size

9.9MB
MD5

bd1f444a44a3e7dc3cca42f4921d4055
SHA1

63a3fbdc6904a3b6df60bcf1c412252c67ae24ec
SHA256

e0d88164676d2e1af51a413285d3fda98feb00436a844e2d2db2a54c678850bf
SHA512

3f05c96b1230e272646c9e6562a132a7e24451d006256b14788619e4d5e807145e7ad898e29d4bf0f0b2b366c6e5f2a8c64f29e6f6e8b9e78dbd8028cbb6bee4
SSDEEP

196608:2WfTKKC4TNjC9haNXkfDrqNpU7YHHXCSyZBMyvsP4:zTKKfNCCNEDrqNpHHTaB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1868	Soda_PDF_7_Installer.exe
4404	1480648a-7932-4c56-a9f3-5284b05e7c9b.exe

Loads dropped DLL 2 IoCs

pid	Process
4448	regsvr32.exe
4404	1480648a-7932-4c56-a9f3-5284b05e7c9b.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DFA580A-3B17-4614-876C-8A425AAF60DD}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0\ = "Statistics"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\HELPDIR	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\ = "_IInstallEvents"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\ = "IInstaller"	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F68E6DC-0B1A-4169-9966-C06D8F2DE3D3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E9FDA25-5E40-466B-81E2-53D1C1979BBE}\Version\ = "1.0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A2A9A07E-68FF-4215-84F2-96115976F786}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	1480648a-7932-4c56-a9f3-5284b05e7c9b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\TypeLib	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D47BD9D5-25E5-46F9-A3C2-120BE6CA31E4}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2007937E-38DE-45E3-BF37-D03862DA4CDB}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\Version	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\ = "IInstaller"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\Elevation	Soda_PDF_7_Installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\Elevation\Enabled = "1"	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\0	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\TypeLib\ = "{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\ProxyStubClsid32	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F8259A6-AB6D-46E1-AF8D-9CD2AC821AC4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\TypeLib\ = "{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}"	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\ProxyStubClsid32	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63FC8865-E5C6-492D-8044-CBF135C63F61}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\ = "Installer Class"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\TypeLib\Version = "1.0"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DFA580A-3B17-4614-876C-8A425AAF60DD}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DFA580A-3B17-4614-876C-8A425AAF60DD}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F68E6DC-0B1A-4169-9966-C06D8F2DE3D3}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F8259A6-AB6D-46E1-AF8D-9CD2AC821AC4}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B6D2735-3392-47E1-83D6-6ED93BD71D54}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F68E6DC-0B1A-4169-9966-C06D8F2DE3D3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B6D2735-3392-47E1-83D6-6ED93BD71D54}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\ProxyStubClsid32	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\ = "GlamInstallerComLib"	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DFA580A-3B17-4614-876C-8A425AAF60DD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}\ = "SaveUserDataStruct Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\TypeLib	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}\ = "OfferItemModule Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\ = "StartItemModule Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\Elevation\IconReference = "@C:\\ProgramData\\Soda PDF 7\\Installation\\Soda_PDF_7_Installer.exe,-501"	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\FLAGS	Soda_PDF_7_Installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4404	1480648a-7932-4c56-a9f3-5284b05e7c9b.exe
4404	1480648a-7932-4c56-a9f3-5284b05e7c9b.exe
4404	1480648a-7932-4c56-a9f3-5284b05e7c9b.exe
4404	1480648a-7932-4c56-a9f3-5284b05e7c9b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4524	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 1868	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	95
PID 3196 wrote to memory of 1868	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	95
PID 3196 wrote to memory of 1868	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	95
PID 3196 wrote to memory of 4448	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	97
PID 3196 wrote to memory of 4448	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	97
PID 3196 wrote to memory of 4448	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	97
PID 3196 wrote to memory of 4404	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	100
PID 3196 wrote to memory of 4404	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	100
PID 3196 wrote to memory of 4404	3196	2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe	100

C:\Users\Admin\AppData\Local\Temp\2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_bd1f444a44a3e7dc3cca42f4921d4055_mafia_magniber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3196
- C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe
  "C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1868
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\ProgramData\Soda PDF 7\Installation\Statistics.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\1480648a-7932-4c56-a9f3-5284b05e7c9b.exe
  C:\Users\Admin\AppData\Local\Temp\1480648a-7932-4c56-a9f3-5284b05e7c9b.exe /update
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2284,i,13100272738549420251,6151825632958897606,262144 --variations-seed-version /prefetch:8
1⤵
PID:3268

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe

Filesize
9.9MB

MD5
bd1f444a44a3e7dc3cca42f4921d4055

SHA1
63a3fbdc6904a3b6df60bcf1c412252c67ae24ec

SHA256
e0d88164676d2e1af51a413285d3fda98feb00436a844e2d2db2a54c678850bf

SHA512
3f05c96b1230e272646c9e6562a132a7e24451d006256b14788619e4d5e807145e7ad898e29d4bf0f0b2b366c6e5f2a8c64f29e6f6e8b9e78dbd8028cbb6bee4

Download Submit
C:\ProgramData\Soda PDF 7\Installation\Statistics.dll

Filesize
1.0MB

MD5
6aaddf9a9be2862eb559176428905e8b

SHA1
d98c6a8ec94e6ad22b8d684f40855277d77217c1

SHA256
8ffe7994defb9e65695a29175ac626b2fd80fcfd370071bf7403ff5dfc93c80c

SHA512
97723b7740e713d2d77465bbdb4e5b5852d945162164e1b2ae713abc32c24c573bf0b14c784080d960a2651a60035f0d8c82ab496f2295201242c06ec661f008

Download Submit
memory/4524-14-0x0000020127760000-0x0000020127770000-memory.dmp

Filesize
64KB

Download
memory/4524-30-0x0000020127860000-0x0000020127870000-memory.dmp

Filesize
64KB

Download
memory/4524-46-0x000002012FBD0000-0x000002012FBD1000-memory.dmp

Filesize
4KB

Download
memory/4524-48-0x000002012FC00000-0x000002012FC01000-memory.dmp

Filesize
4KB

Download
memory/4524-49-0x000002012FC00000-0x000002012FC01000-memory.dmp

Filesize
4KB

Download
memory/4524-50-0x000002012FD10000-0x000002012FD11000-memory.dmp

Filesize
4KB

Download