risepro | 6442f25eb20706d2ca238115f7d23985fc6f5dde33d4489f8c434ad73c79b106

Analysis

max time kernel
93s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_767e55cae732d423fe44d31f3cfd8203_avoslocker_magniber_metamorfo.exe
Size

13.1MB
MD5

767e55cae732d423fe44d31f3cfd8203
SHA1

30efbec5ca6063b85c11563f34b489784fea8377
SHA256

6442f25eb20706d2ca238115f7d23985fc6f5dde33d4489f8c434ad73c79b106
SHA512

a4c1aa46e067f5d1fc165db9ce30dc6be3b5973a47e00f013165b6d79c02bf4eb2c9c720270f8b15ea66ce641c23f735c5b856888e3a4dde94ae1863ef0d3b46
SSDEEP

196608:016y1UicZXDmaEKCqtf6PaaLCtx+zFUlBbLrqNkaUQGX62RKk:0rp0hUPaSfUBbLrqNd/GXOk

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 5 IoCs

pid	Process
4908	SodaPDFDesktop14.exe
4200	SodaPDFDesktop14.exe
4752	SodaPDFDesktop14.exe
2056	SodaPDFDesktop14.exe
2064	SodaPDFDesktop14.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS\ = "0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\IconReference = "@C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe,-501"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ServerExecutable = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Programmable	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ = "\"C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe\""	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version\ = "1.0"	SodaPDFDesktop14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\Enabled = "1"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\ = "Installer Class"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\ = "GlamInstallerComLib"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4908	SodaPDFDesktop14.exe
4908	SodaPDFDesktop14.exe
4908	SodaPDFDesktop14.exe
4908	SodaPDFDesktop14.exe
4908	SodaPDFDesktop14.exe
4908	SodaPDFDesktop14.exe
4200	SodaPDFDesktop14.exe
4200	SodaPDFDesktop14.exe
4200	SodaPDFDesktop14.exe
4200	SodaPDFDesktop14.exe
2056	SodaPDFDesktop14.exe
2056	SodaPDFDesktop14.exe
2056	SodaPDFDesktop14.exe
2056	SodaPDFDesktop14.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4908	SodaPDFDesktop14.exe
4908	SodaPDFDesktop14.exe
2056	SodaPDFDesktop14.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4908	4248	2024-07-04_767e55cae732d423fe44d31f3cfd8203_avoslocker_magniber_metamorfo.exe	82
PID 4248 wrote to memory of 4908	4248	2024-07-04_767e55cae732d423fe44d31f3cfd8203_avoslocker_magniber_metamorfo.exe	82
PID 4248 wrote to memory of 4908	4248	2024-07-04_767e55cae732d423fe44d31f3cfd8203_avoslocker_magniber_metamorfo.exe	82
PID 4908 wrote to memory of 4200	4908	SodaPDFDesktop14.exe	91
PID 4908 wrote to memory of 4200	4908	SodaPDFDesktop14.exe	91
PID 4908 wrote to memory of 4200	4908	SodaPDFDesktop14.exe	91
PID 4200 wrote to memory of 4752	4200	SodaPDFDesktop14.exe	92
PID 4200 wrote to memory of 4752	4200	SodaPDFDesktop14.exe	92
PID 4200 wrote to memory of 4752	4200	SodaPDFDesktop14.exe	92
PID 4200 wrote to memory of 2056	4200	SodaPDFDesktop14.exe	93
PID 4200 wrote to memory of 2056	4200	SodaPDFDesktop14.exe	93
PID 4200 wrote to memory of 2056	4200	SodaPDFDesktop14.exe	93
PID 4200 wrote to memory of 2064	4200	SodaPDFDesktop14.exe	94
PID 4200 wrote to memory of 2064	4200	SodaPDFDesktop14.exe	94
PID 4200 wrote to memory of 2064	4200	SodaPDFDesktop14.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-07-04_767e55cae732d423fe44d31f3cfd8203_avoslocker_magniber_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_767e55cae732d423fe44d31f3cfd8203_avoslocker_magniber_metamorfo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\D09BC76E-65C1-4BFF-83AE-AA9798EA976C\SodaPDFDesktop14.exe
  "C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\D09BC76E-65C1-4BFF-83AE-AA9798EA976C\SodaPDFDesktop14.exe" /update=start /welcome
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\38105F28-0FF9-414D-BD38-C90D46C4EE73\SodaPDFDesktop14.exe
    "C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\38105F28-0FF9-414D-BD38-C90D46C4EE73\SodaPDFDesktop14.exe" /update=finish /welcome
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4752
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /welcome /no-check-updates
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2056
  - - C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
      "C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /CleanupTempFolder /ParentProcessId=4200
      4⤵
      Executes dropped EXE
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 14\Installation\updates-info.json

Filesize
2KB

MD5
05895386230583ad5a2550f6437f42b2

SHA1
b716bed83bb078aa45cd2145b6589dea6e1f3857

SHA256
a146ff557be6e3e0a17612df9df7ddda50d8ebfab29de7c384b22c4e43453343

SHA512
d1f11713575e7f11c52c362ce5e496fff0f97d7eba09c4cffbc40889f60f192b924a93c20a6aa992ef7fd50406f3b4ae561891f1f0fb2967e33e3fcf30fd3151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
812B

MD5
c930736f83fb0cd4c01787bb61d2a04b

SHA1
d27c3ff1a3aa66e33fec1ce6fa4f67f58946637c

SHA256
643eda261db1c399eb61f8b90246037604ab319118ee648d06be862be2677859

SHA512
12c640e68d15bf49924454fa147876d41500aabbbc4ab02f975b8f521c637ad2212c07263d9048f7d38bae3468865a485015f09921293a424aa9902208fa7abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
c4e3cfa5c1425cfbbb298bc381472056

SHA1
d1a9dec8e456fc19781abffedc9ff8dd0d053270

SHA256
e96589fc158131bbe8c9e14640b5f24b8d0eb4a18d2a1a535ab28fbcfe35099a

SHA512
cb2641504caaef72dda73a3acbf26ac2a18d14c78ee5c490a5a913d27a5de5b619d336b2f93e719abd55824e912493167819d80208c7b5c31e533f8f13044fa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
25b47cd140794abed237615d1e189cd6

SHA1
03665aa55fdc8a93a8c69b647f83c11968f48bf9

SHA256
51f4f3c33c90f7a75f0860e017773329a20d57b11ceb182330d6c189e4a30e77

SHA512
98e98a9a37d61b4b52cb4f6b874d8d6a32712c6a6b0cafa419ea410bcb6e7922838c7c625c5412fda4ec9e51bfda55f4ed4aad7c56398f38bcf9b69c778c8c5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0

Filesize
806B

MD5
043c03344950c19eb36ef38da79416af

SHA1
b3dbbf59c63d5396f60313a048efc9c163d2d047

SHA256
a30942371f6238ba947a1096a495f6c841ca4c0ec6eb7306695c8c1952b6869a

SHA512
f41c6e9d58affcb0220882a36d88bfac77684114a6f6a7d01be8cba9cdb3e457856a0276cd291e9863c03c96d4d3848bd6d0c1f1e882e40bf43eafa0d61d9ffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
540B

MD5
c30e29bc473440e22bd680648b0c9391

SHA1
6250a14e5b3119a479833dad07ac49d024b6af10

SHA256
953b31d179362c0ea1bf3ac003de43122d3515ea01396d5f4a067bcb2c5eb3dc

SHA512
183ada39db5fa69bc5f0d22f7aa2be4278cac213a85de8b364b0bb3ee76343e44f94e140b8d6d42cc57c51d1f138d86ded733dbc9cc8f3c24e5053ffa54887c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
1d6674843789246cf61bfed203014033

SHA1
abb1b5eca603911c4b14b29ed343f82e5b0fc4ce

SHA256
11e0b87aa3bae0cadcb45226ad0a6b4427c8e47b4f7f257c89976771a2031bc0

SHA512
8266ae1219257faf2fdac62e8440dbc12a9b89d584707e2dd7d136504ae2ff654a21ad0bda39bb45ec11c73c446642b6aaa401d6f9773adc7783b69c448c94c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
e56fa14aab1528c50c4f5bbeb04f3b6d

SHA1
cb1fa91e7b12e37c4afd4bd1ed4378876fe16425

SHA256
ad7cf4acef9522fcac2d19bce2e0966466801f0295272a9809270070acc559eb

SHA512
cb92b804417ed7ed3288c0dccb448c47c9a4136925d1aebd9d98c98c13bc7ad666aa9a211ad8ef86f96bbf42a0f7f2adb23425d29d2a5ce0fc1bfbe029186af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0

Filesize
552B

MD5
63a16203e997f141ef209d18d2aae954

SHA1
4ac69219feeba9030fa7c3a7517020ec45c7c37d

SHA256
d1095763bfd2e1c6b1000f850a8e526fc75ad90c61a76dc3fdb048d028b3aeaa

SHA512
352bb4b46307ab52e19c9681985cbe8e17a86d42a9631658190f5625e0d295b4539a2a51f30a2f1d4002d5a1355b0d28eb78efaab5a5d83a7c7af8624737dbb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
7965b82472293e346ba65c5b2b820524

SHA1
899b31122270deda25d0c73dc506ea307bf1bf86

SHA256
d7c03cd33cca69c55f9fa864af75ece1f3e43aef88cfd1b1d26c722e5c780be4

SHA512
12763ff831fa1b29938e7e3caaccb7b58168b8691337f5c83eaeac1ab3a689c7c4b55023ec8e7b9d1b8da45afe171a7ffb84722e6aad3fdc91c218a750a0bf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\D09BC76E-65C1-4BFF-83AE-AA9798EA976C\SodaPDFDesktop14.exe

Filesize
13.1MB

MD5
767e55cae732d423fe44d31f3cfd8203

SHA1
30efbec5ca6063b85c11563f34b489784fea8377

SHA256
6442f25eb20706d2ca238115f7d23985fc6f5dde33d4489f8c434ad73c79b106

SHA512
a4c1aa46e067f5d1fc165db9ce30dc6be3b5973a47e00f013165b6d79c02bf4eb2c9c720270f8b15ea66ce641c23f735c5b856888e3a4dde94ae1863ef0d3b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\38105F28-0FF9-414D-BD38-C90D46C4EE73\SodaPDFDesktop14.exe

Filesize
11.4MB

MD5
9917f5a1478ae346d38bf0a20728d665

SHA1
9bdd8ac7112a32e4172b43bd447b989607dee3b6

SHA256
0df854fd54996e0124d76db9a13f22758298d96af5fb28c98ae8a4420779b744

SHA512
36aeae8a14bc3c8489cfda530e02a114fa4d789acd5252c1f1f9095a39e00ea6e2cdf9ab0cffee90041c2f7c2d7ab4009be8756f8816e83f7bebc412e64673da

Download Submit