risepro | 4d9f2e9d386176333d4e46ea979367cf3362f63d00905c19932a9d75f77379c0

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe
Size

13.1MB
MD5

c9147af9fe0c0f9b3c412b917cc84bcf
SHA1

29d1bcb8af1370e1056221a6934879484d583cdf
SHA256

4d9f2e9d386176333d4e46ea979367cf3362f63d00905c19932a9d75f77379c0
SHA512

855618151344c4175a14d98f27f07c6ae01acfef08bb58c16e406262834f3198a2bd13543bdf67a1b7e1a5bd97e32080525d655939f9452256aae5b28aefddb4
SSDEEP

393216:Y1DwLi7fL4O4OoVkkb8/++otXOCcd1rqNa/GX7dR:Y1DwGDL4O7oVkkb8G+oo/GXBR

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Executes dropped EXE 1 IoCs

Processes:

SodaPDFDesktop14.exe

pid process

2524 SodaPDFDesktop14.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe

pid process

2004 2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe

pid	process
2524	SodaPDFDesktop14.exe

pid	process
2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe

Modifies registry class 3 IoCs

Processes:

SodaPDFDesktop14.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

SodaPDFDesktop14.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SodaPDFDesktop14.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SodaPDFDesktop14.exe

pid process

2524 SodaPDFDesktop14.exe
2524 SodaPDFDesktop14.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SodaPDFDesktop14.exe

pid process

2524 SodaPDFDesktop14.exe
2524 SodaPDFDesktop14.exe
2524 SodaPDFDesktop14.exe

pid	process
2524	SodaPDFDesktop14.exe
2524	SodaPDFDesktop14.exe

pid	process
2524	SodaPDFDesktop14.exe
2524	SodaPDFDesktop14.exe
2524	SodaPDFDesktop14.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe

description	pid	process	target process
PID 2004 wrote to memory of 2524	2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 2004 wrote to memory of 2524	2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 2004 wrote to memory of 2524	2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 2004 wrote to memory of 2524	2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 2004 wrote to memory of 2524	2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 2004 wrote to memory of 2524	2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 2004 wrote to memory of 2524	2004	2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_c9147af9fe0c0f9b3c412b917cc84bcf_avoslocker_magniber_metamorfo.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.355.3101\9A19EE06-07EE-49E5-91C5-1BEC8B678BE6\SodaPDFDesktop14.exe
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.355.3101\9A19EE06-07EE-49E5-91C5-1BEC8B678BE6\SodaPDFDesktop14.exe /update=start
2⤵
- Executes dropped EXE
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
3bfb237d95f9c34465d50360f39b3ceb

SHA1
2cdee845ea6ebbd3cd0466b0eae4752842de86cc

SHA256
2ceaddb29268e6112e7aa95722894fb061238ad4e2b247ce23595609daa5eb8d

SHA512
da55bf0fd898acda5dfd2366a96d439807e502c763dca35c3a119c3ab45f6e3d821a1e3fd29858e333606ef0e822f3373b9cb8c41d95736131bb001ad5b6a16f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
3c650860b16a149163a915d036823270

SHA1
779910311d2de4cb214a433d196c112063445efe

SHA256
50f7ea6aefb832bfeb9975177c931fb756f588885a90b17963919044a88d006d

SHA512
53d4d847204ba4dc543c19079ba243bfbc0c2e18548e9c6f1bfaf20741c600fd77b7ebe66db8ee84283319ce67b8d3e342e10fc5fd7901527155d6f2179ed202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8e6cea7378919fa5d895cdd12428cda6

SHA1
1bfbd226d5788e8d108d0617d65a0a8273cf02d3

SHA256
bf6c1a30806ffebca26312680324ffa161b6210a4d9d2d0bc0b1b35e95a1c538

SHA512
a8d356e6933a8c5b4b990cf3ad2751facceeda24ec101b4adc4d61990101b2d35d62158601ca73998bc4dd690b7825d80f367bb2faf137d3bed0be953b0e11d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
b9a8847e5d1690d3ad85ab47a3af362f

SHA1
7865ef72b088b2455c047d1c7bdcba618dd304b6

SHA256
4fbe2a9b440c3da703870c423e54d4246d0e6829aff64673ba319ea933280f57

SHA512
35bf24eaddead3b1a41199aa1cbc0bd7c8101f1abb78192dbc2a9df55bbf5597960b60945736feda51da9785dda6d76e6581afb8c11e42b9cc3bbb9d0112c6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24A0.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar28F7.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A5A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.355.3101\9A19EE06-07EE-49E5-91C5-1BEC8B678BE6\SodaPDFDesktop14.exe
Filesize
13.1MB

MD5
c9147af9fe0c0f9b3c412b917cc84bcf

SHA1
29d1bcb8af1370e1056221a6934879484d583cdf

SHA256
4d9f2e9d386176333d4e46ea979367cf3362f63d00905c19932a9d75f77379c0

SHA512
855618151344c4175a14d98f27f07c6ae01acfef08bb58c16e406262834f3198a2bd13543bdf67a1b7e1a5bd97e32080525d655939f9452256aae5b28aefddb4

Download Submit