risepro | 8b3d51402f409cfae91aed05e3b8cd03392ea56b594b0b3f17b2aa6c3d281f7d

Analysis

max time kernel
129s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_4fa265a317e6d90cdecce7ed6b805122_avoslocker_magniber_metamorfo.exe
Size

13.1MB
MD5

4fa265a317e6d90cdecce7ed6b805122
SHA1

a6e12216cc8d9539085177fc437e0db6d340fa8e
SHA256

8b3d51402f409cfae91aed05e3b8cd03392ea56b594b0b3f17b2aa6c3d281f7d
SHA512

f46be468a7e8d4cb335788b6181ab0e9a933bd86c3cf6b4d3c87d78164f1b7667d1b9b7f687adb25fd925ab4900972293a494032560f1c038e9b609d2b499cae
SSDEEP

196608:s16y1UicZXDmaEKCqtf6PaaLCtx+zFUlBbLrqNDaUQGX52RKh:srp0hUPaSfUBbLrqN2/GXdh

Score

10^/10

risepro stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Executes dropped EXE 5 IoCs

Processes:

SodaPDFDesktop14.exeSodaPDFDesktop14.exeSodaPDFDesktop14.exeSodaPDFDesktop14.exeSodaPDFDesktop14.exe

pid process

408 SodaPDFDesktop14.exe
4900 SodaPDFDesktop14.exe
3848 SodaPDFDesktop14.exe
4940 SodaPDFDesktop14.exe
1480 SodaPDFDesktop14.exe

Modifies registry class 46 IoCs

Processes:

SodaPDFDesktop14.exeSodaPDFDesktop14.exeSodaPDFDesktop14.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\IconReference = "@C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe,-501"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\ = "GlamInstallerComLib"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Programmable	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\TypeLib\ = "{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version	SodaPDFDesktop14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation\Enabled = "1"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\TypeLib\Version = "1.0"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\0\win32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\HELPDIR\ = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ProxyStubClsid32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\ = "Installer Class"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Version\ = "1.0"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ = "\"C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe\""	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\LocalServer32\ServerExecutable = "C:\\ProgramData\\Soda PDF Desktop 14\\Installation\\SodaPDFDesktop14.exe"	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48B27F31-9BA2-49F8-B146-D406C44E8688}\Elevation	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49DC3DAF-B07F-425D-A53C-ADD8E180E51C}\1.0\FLAGS\ = "0"	SodaPDFDesktop14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B377F344-CAC6-42E6-B284-0117A87B5520}\ = "IInstaller"	SodaPDFDesktop14.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

SodaPDFDesktop14.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SodaPDFDesktop14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	SodaPDFDesktop14.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

SodaPDFDesktop14.exeSodaPDFDesktop14.exeSodaPDFDesktop14.exe

pid	process
408	SodaPDFDesktop14.exe
408	SodaPDFDesktop14.exe
408	SodaPDFDesktop14.exe
408	SodaPDFDesktop14.exe
408	SodaPDFDesktop14.exe
408	SodaPDFDesktop14.exe
4900	SodaPDFDesktop14.exe
4900	SodaPDFDesktop14.exe
4900	SodaPDFDesktop14.exe
4900	SodaPDFDesktop14.exe
4940	SodaPDFDesktop14.exe
4940	SodaPDFDesktop14.exe
4940	SodaPDFDesktop14.exe
4940	SodaPDFDesktop14.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SodaPDFDesktop14.exeSodaPDFDesktop14.exe

pid process

408 SodaPDFDesktop14.exe
408 SodaPDFDesktop14.exe
4940 SodaPDFDesktop14.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2024-06-29_4fa265a317e6d90cdecce7ed6b805122_avoslocker_magniber_metamorfo.exeSodaPDFDesktop14.exeSodaPDFDesktop14.exe

description	pid	process	target process
PID 3412 wrote to memory of 408	3412	2024-06-29_4fa265a317e6d90cdecce7ed6b805122_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 3412 wrote to memory of 408	3412	2024-06-29_4fa265a317e6d90cdecce7ed6b805122_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 3412 wrote to memory of 408	3412	2024-06-29_4fa265a317e6d90cdecce7ed6b805122_avoslocker_magniber_metamorfo.exe	SodaPDFDesktop14.exe
PID 408 wrote to memory of 4900	408	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 408 wrote to memory of 4900	408	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 408 wrote to memory of 4900	408	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 3848	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 3848	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 3848	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 4940	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 4940	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 4940	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 1480	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 1480	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe
PID 4900 wrote to memory of 1480	4900	SodaPDFDesktop14.exe	SodaPDFDesktop14.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_4fa265a317e6d90cdecce7ed6b805122_avoslocker_magniber_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_4fa265a317e6d90cdecce7ed6b805122_avoslocker_magniber_metamorfo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\F031B8CC-960C-4F56-B1A4-D522C84E668F\SodaPDFDesktop14.exe
"C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\F031B8CC-960C-4F56-B1A4-D522C84E668F\SodaPDFDesktop14.exe" /update=start /welcome
2⤵
- Executes dropped EXE
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\0C3EB4EE-C4BD-4679-97FF-81ACAD120A4C\SodaPDFDesktop14.exe
"C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\0C3EB4EE-C4BD-4679-97FF-81ACAD120A4C\SodaPDFDesktop14.exe" /update=finish /welcome
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900

C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
"C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /RegServer
4⤵
- Executes dropped EXE
- Modifies registry class
PID:3848

C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
"C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /welcome /no-check-updates
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4940

C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe
"C:\ProgramData\Soda PDF Desktop 14\Installation\SodaPDFDesktop14.exe" /CleanupTempFolder /ParentProcessId=4900
4⤵
- Executes dropped EXE
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Soda PDF Desktop 14\Installation\updates-info.json
Filesize
2KB

MD5
2120b53a6e54f76d41a77135446a5b26

SHA1
c1734abda74ca48615a8dca3e3e9f4b755723d0d

SHA256
c0dca3cddc938ce75398f600f76b375e7fc2eb450f052654509181085049d17a

SHA512
8e38621818402ef88925a9852f282773c6c5ba268e03e8bd219131c06ca69764f79b8486326cd3c265cdaac04cbe4fe3c606ecc1f1f8f2132f02f38db155d214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF
Filesize
812B

MD5
c930736f83fb0cd4c01787bb61d2a04b

SHA1
d27c3ff1a3aa66e33fec1ce6fa4f67f58946637c

SHA256
643eda261db1c399eb61f8b90246037604ab319118ee648d06be862be2677859

SHA512
12c640e68d15bf49924454fa147876d41500aabbbc4ab02f975b8f521c637ad2212c07263d9048f7d38bae3468865a485015f09921293a424aa9902208fa7abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
c8597fb65a7a004cb22e09fa5a9409cc

SHA1
7c65ec586b2341626cace015b4d597f1eba2154f

SHA256
53f831bcd51fb96eacc19710541775915b8ee191d8b8a00c8284fcc4b85a57f6

SHA512
96741ba79e209d0276a7053b9a9a33712d84c51a77b38eac9b74ef94e541bb9c81508b86feaed37db2f4546f1fa81db62608a4ffb9cfb8e5b47f4a6879184b9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D
Filesize
1KB

MD5
3cbb0b5a5553a70286e68c248ccd3b9b

SHA1
a066d343b43f63ccd718b0ca9986706b77df0caf

SHA256
1318a5bb97b175f00368676a562b23fc6f8cdc2a44d97492b67f57ed59c7e3c9

SHA512
4aee8eaf081a9e9eddabfb43400ae4923e3cd5e1dc4c5063163482fb13544328d56af9b90af7d0ff2cb095cd203c3bbd21ed04728b52e0dbcc0ad28da2c2219e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0
Filesize
806B

MD5
35b826bb51512265a04f25bdc44de7c8

SHA1
90b84e7b88c72444d440155559b02b1f889a5249

SHA256
2395bca052608b56c3ea5a6755ed7f1526fc9a04bcbc591f23507872998ed81e

SHA512
fed4d3eae663abe64fd271490123962921108d6c45a4a32690931d60ffd8254a672b83f107f8df66a759c1501f5ed133a91825fc4e34efa0a44e913505146769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF
Filesize
540B

MD5
c7f19ce91e040ee4f6ba939f761fef98

SHA1
e7c1ab5df085572c21270310732fc6d0989c8789

SHA256
e204c6b2e990f547b4c8caeeda3f0c1aea45fba2ee391269c9784d8e5610bede

SHA512
a7170d6ca94a5c3f00482fd0f45e5b238082718d4907e307b89b0ad616124dc5c4525420e85e94c89bccde90d91ed3dfd0dd463692181709ca2ee6f049f1a825

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
f9a1f92cea0fdf60bea8dd9cbe658538

SHA1
0316e8ab931c3b29d58d5991c6a32bf90c0eb730

SHA256
4126c43652438c6e89f53b501d35f32bcd08cba3082d6eefdcb926129c122255

SHA512
2f0a8568c02828c3d90f50d8841ea009ae2a4b152444bd34422b46edce0797c770e72fe00b76ddf76621cff7ee90c2941241a093d3284b2e1590675f789f6e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D
Filesize
528B

MD5
df7dbe4b56158e41b542c7fa0c1bdac2

SHA1
a77217c19695a08839ee54f7aa922607853af7e3

SHA256
001a7159b869158a3dde0872098ab95316a8565c3084e90088b0cc9f56c876cc

SHA512
460079c6e541f86fa2faa4096f401c4f608f3e74bd142fea48b8e2a01d8e67e0b615b5d9a371d0347290b4b791f4b816a3550b71db1b9c840bb5e8ce09d34198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AF360AACB1570042DEFBC833317997D0_FB2F322741B359ABDC63489C2FBB09D0
Filesize
552B

MD5
b2d0cc7be23e1b371d70a374d5035efe

SHA1
8b619e3985f0cea163fc6d25b40942049e625536

SHA256
9cf652fd817b225b5a992875335dfee203c9ebb94e315b19bcc11c0f19b5bb58

SHA512
9caba2d6a53c6acfc7821f363dde870d9dd4ff852bce6f7e2e69dd8c5a62d6b2e4a1240d21971f8416ae93797f93a90cbc34864d3927fac14e313d639206d2a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
848ff33dedd02301135938322a60eca7

SHA1
a993abc44217b80379d7114158c2ba9e52b949a5

SHA256
96c035762c3e4806f051ddc2a35e54a695d84f34efb67c3cce0832b451f338fe

SHA512
e8d7ea4a7796bfcc3df292f3f71ae42e6f3f9fd88cf60ef0ac4e9087585b140ee1560b3861445444557e535fbc406281dfa8e1062f1bc6b2948240e678920b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.356.3146\F031B8CC-960C-4F56-B1A4-D522C84E668F\SodaPDFDesktop14.exe
Filesize
13.1MB

MD5
4fa265a317e6d90cdecce7ed6b805122

SHA1
a6e12216cc8d9539085177fc437e0db6d340fa8e

SHA256
8b3d51402f409cfae91aed05e3b8cd03392ea56b594b0b3f17b2aa6c3d281f7d

SHA512
f46be468a7e8d4cb335788b6181ab0e9a933bd86c3cf6b4d3c87d78164f1b7667d1b9b7f687adb25fd925ab4900972293a494032560f1c038e9b609d2b499cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SodaPDFDesktop14\14.0.400.3196\0C3EB4EE-C4BD-4679-97FF-81ACAD120A4C\SodaPDFDesktop14.exe
Filesize
11.4MB

MD5
a679079f3e898b7e379d646b920a8ada

SHA1
c26120a44da618a1d2b0729afe852f40f923183c

SHA256
ed666aa56a68269ed1c25fd3838d80b283be11a841e0e7a094f01bb5803edaae

SHA512
4f707495c887d3cfe506a642c51a8fa9b6814e27f623b8061e7a4ec20bd3da898881db68a5e74a1b8d91159e9f9958fc123d06dea0916e7da7391794ed4954f0

Download Submit