e221d2cb231f92828caef350a59261c7735c06f0b4f2286b1bcdf888a1dfe14b

Analysis

max time kernel
92s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe
Size

9.3MB
MD5

0bd56da08de50c9406008b745387a1f8
SHA1

0d6ed02518347cef24837ffaab76a692c5e20d45
SHA256

e221d2cb231f92828caef350a59261c7735c06f0b4f2286b1bcdf888a1dfe14b
SHA512

661c863746e12942b49eb7d32603ba05d11b263f0f45be4a5dc91d3aa92f5e418588efe61cf58840728e0f40195d351a7e0d9b98d13d94d50694b0e86724a9a5
SSDEEP

196608:pesB4JFqeIJgYDD6CWrqNPh6PU4XCSeyvBP4n7:9B4npsZD6CWrqNOU4Tg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1896	Soda_PDF_7_Installer.exe
1496	39bf6b78-f83b-4d9d-b030-031cbe740d51.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	regsvr32.exe
1496	39bf6b78-f83b-4d9d-b030-031cbe740d51.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\TypeLib	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B6D2735-3392-47E1-83D6-6ED93BD71D54}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\ = "StartItemModule Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2007937E-38DE-45E3-BF37-D03862DA4CDB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63FC8865-E5C6-492D-8044-CBF135C63F61}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\ = "_IInstallEvents"	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1D7020E-4EB0-4E0D-8A8E-DAA3BB2F033A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\HELPDIR\ = "C:\\ProgramData\\Soda PDF 7\\Installation"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D47BD9D5-25E5-46F9-A3C2-120BE6CA31E4}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F8259A6-AB6D-46E1-AF8D-9CD2AC821AC4}\Version	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A2A9A07E-68FF-4215-84F2-96115976F786}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\Elevation	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}\ = "SaveUserDataStruct Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F8259A6-AB6D-46E1-AF8D-9CD2AC821AC4}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B6D2735-3392-47E1-83D6-6ED93BD71D54}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F152690-A6BF-4BAA-8E76-D52954B21275}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{874B4FE7-34F5-40E7-9D46-1617E39ACD57}\ = "Installer Class"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\TypeLib\Version = "1.0"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DFA580A-3B17-4614-876C-8A425AAF60DD}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\0\win32	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Soda_PDF_7_Installer.exe"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\TypeLib\ = "{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBC300F7-DC0D-4640-BFBF-F6458815C205}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1D7020E-4EB0-4E0D-8A8E-DAA3BB2F033A}\ = "GeoIpStruct Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\TypeLib\ = "{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DFA580A-3B17-4614-876C-8A425AAF60DD}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63FC8865-E5C6-492D-8044-CBF135C63F61}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B6D2735-3392-47E1-83D6-6ED93BD71D54}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1D7020E-4EB0-4E0D-8A8E-DAA3BB2F033A}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{261A211B-5D44-4D4A-BEC7-191D7B60D28A}	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F8259A6-AB6D-46E1-AF8D-9CD2AC821AC4}\ = "DownloadItemModule Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53B5F6A7-83ED-4253-ABA6-278E1B9FF42A}\1.0\HELPDIR	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A2A9A07E-68FF-4215-84F2-96115976F786}	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\ProxyStubClsid32	Soda_PDF_7_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A749A56-CA0A-4378-A345-BDA07D2C641E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Soda_PDF_7_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D0796F7-CC0A-4353-A385-628CEAB598EB}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A2A9A07E-68FF-4215-84F2-96115976F786}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	39bf6b78-f83b-4d9d-b030-031cbe740d51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F68E6DC-0B1A-4169-9966-C06D8F2DE3D3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F68E6DC-0B1A-4169-9966-C06D8F2DE3D3}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D47BD9D5-25E5-46F9-A3C2-120BE6CA31E4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F8259A6-AB6D-46E1-AF8D-9CD2AC821AC4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB1DBBC8-CAF8-4FEE-BF54-60E249E3395A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1D7020E-4EB0-4E0D-8A8E-DAA3BB2F033A}\TypeLib\ = "{B0B68DDE-4F2A-4DE3-9A7C-162CD7E487B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D37C2155-D129-4489-BB43-AF7B51CEA603}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2007937E-38DE-45E3-BF37-D03862DA4CDB}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E9FDA25-5E40-466B-81E2-53D1C1979BBE}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F152690-A6BF-4BAA-8E76-D52954B21275}\InprocServer32\ = "C:\\ProgramData\\Soda PDF 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63FC8865-E5C6-492D-8044-CBF135C63F61}\Version\ = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1496	39bf6b78-f83b-4d9d-b030-031cbe740d51.exe
1496	39bf6b78-f83b-4d9d-b030-031cbe740d51.exe
1496	39bf6b78-f83b-4d9d-b030-031cbe740d51.exe
1496	39bf6b78-f83b-4d9d-b030-031cbe740d51.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1896	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	82
PID 2252 wrote to memory of 1896	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	82
PID 2252 wrote to memory of 1896	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	82
PID 2252 wrote to memory of 2964	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	84
PID 2252 wrote to memory of 2964	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	84
PID 2252 wrote to memory of 2964	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	84
PID 2252 wrote to memory of 1496	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	85
PID 2252 wrote to memory of 1496	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	85
PID 2252 wrote to memory of 1496	2252	2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_0bd56da08de50c9406008b745387a1f8_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe
  "C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1896
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\ProgramData\Soda PDF 7\Installation\Statistics.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\39bf6b78-f83b-4d9d-b030-031cbe740d51.exe
  C:\Users\Admin\AppData\Local\Temp\39bf6b78-f83b-4d9d-b030-031cbe740d51.exe /update
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF 7\Installation\Soda_PDF_7_Installer.exe

Filesize
9.3MB

MD5
0bd56da08de50c9406008b745387a1f8

SHA1
0d6ed02518347cef24837ffaab76a692c5e20d45

SHA256
e221d2cb231f92828caef350a59261c7735c06f0b4f2286b1bcdf888a1dfe14b

SHA512
661c863746e12942b49eb7d32603ba05d11b263f0f45be4a5dc91d3aa92f5e418588efe61cf58840728e0f40195d351a7e0d9b98d13d94d50694b0e86724a9a5

Download Submit
C:\ProgramData\Soda PDF 7\Installation\Statistics.dll

Filesize
1.0MB

MD5
e5dd75d62af0e9cfb9618339cb51c2cb

SHA1
b1a3874e296cc7ef067208630bf1e02890673b06

SHA256
dd9aa0212b11b15b7527b0cf85de98a620cb0635f9f15181d88da89126eefebb

SHA512
59969ab68b8ddb22be401378fa39848a5c014f6ae910c85c5abe8dce47767528547b14705bdc6253f363b3d3d7a43487bdee3e07c1cd7824f6d539c762f7bc61

Download Submit