3bbb96502670cff29e4c81875816e33d32095bb5d7ea8dc7ffe954ea7a3b60ad

General

Target

2024-04-24_9c979069a0164e31738876c3f0c569fd_magniber.exe
Size

9.0MB
MD5

9c979069a0164e31738876c3f0c569fd
SHA1

e8699c54ce3e19d5a15cfac16074b897b017ebdb
SHA256

3bbb96502670cff29e4c81875816e33d32095bb5d7ea8dc7ffe954ea7a3b60ad
SHA512

5226a336bbaaec1a363ca6daa3911f6e881cf4e01c37a17f2331d318f9b010a3aa71850b844e28d09af711b101562018ae89c2aa90ac918d2e7502b36bc09315
SSDEEP

196608:1WPkm3TXJz4gilPdkft8vUE5wHoav7BMmKSoFcX7P3seF:UMocgO2qsE53azBMR6r3sy

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\j2rsj2ij\tx581rho.xls	office_macro_on_action

Loads dropped DLL 1 IoCs

Processes:

EXCEL.EXE

pid process

4564 EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4564 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EXCEL.EXE

pid process

4564 EXCEL.EXE
4564 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EXCEL.EXE

description pid process

Token: SeDebugPrivilege 4564 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	4564	EXCEL.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

EXCEL.EXE

pid	process
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 4564 wrote to memory of 4684	4564	EXCEL.EXE	splwow64.exe
PID 4564 wrote to memory of 4684	4564	EXCEL.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-24_9c979069a0164e31738876c3f0c569fd_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_9c979069a0164e31738876c3f0c569fd_magniber.exe"
1⤵
PID:4396

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\T9Qp4XVYwFX7cldJYrPtwOsTaujBSFEjv57
Filesize
92B

MD5
8b31b52d2f0e4220f24ad0db2f509ed7

SHA1
1548019de607a3bc6867154cedad15328839f484

SHA256
67df5d42a5ce3fa0b65b7247719454faa5c3a7b5055851c2d7a60015fcd4a9f2

SHA512
fd16aaccef364be3782256db97bc16e7d3af55a0696b375963fd5751fce16d0b204d587eae070605affa78d001801da359825b2ed81b362716b5d4abbd562a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2rsj2ij\2024-04-24_9c979069a0164e31738876c3f0c569fd_magniber.xlsm
Filesize
4.2MB

MD5
adfd95a40a4e962b4618babf563a4eda

SHA1
27255e2f581d1dbd9f7cc1d8a1deda1a274c107f

SHA256
d3b8b3ddda78e636c364c9fed3b0d5d6ac6d3cbe82e51402fda0d5f3f1482e63

SHA512
ae8eda9e39385d71fa87c8a992cffdbf525c3d51313fd8b23f997a043ca787f0a0278dfbddaa3902c3cc52bab6b4b0822108aaea2398c1099006d514ff218545

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2rsj2ij\execmdline
Filesize
193B

MD5
2e21b46af56edfda65310a802fb7c790

SHA1
040408d4d352a7a92f8bbf5f071bf20f1dddb4fa

SHA256
dcfd337b86f2e45357dcf128175fc723499650a61be0cbe1cbba157ac8f6b5e8

SHA512
4701b2487b398aaa601534be2dd6067df022e6e207d37ac2aedf0b0b3dbd26fb704796503868d7cfe7bd9a3693d04db1c621380a96a2913559bebc50cea2983b

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2rsj2ij\tx581rho.xls
Filesize
73KB

MD5
9849413cf9059c530934551be82a5484

SHA1
3cb1f08b6a88f41a9a853c16a8c1ee85cf8f2b88

SHA256
decd0ce0279662868d505c8752b1a6e79acaf47764d4bdcbf3345c3b85c7b812

SHA512
1e2911af3062d339bc43d7cbb45724e83cadf397394408b7b11e7c9c812d6161a3a64bbe91be5ea02b1ccb0fcf595bf515f91da6e77dfac32031a6305040b64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2rsj2ij\xcellstub.dll
Filesize
2.3MB

MD5
3c73e00c2e6a8dde97aeb26baaf13047

SHA1
cd3698cbe74cbe009c36ed71915f3d11f1eb3e8d

SHA256
7edb5169a70d3f1b7d0a883e26103845955cc4e28f87c8fc1c62107e4a98caef

SHA512
7ba93e884302189884d81a38679855d77b7547aac87572aedb84630b57c8810881185fe7fbb9cf816f7c908fbb58d461a625e2afe97cdc62c28dfa609b77c2e3

Download Submit
memory/4564-65-0x00000187795E0000-0x00000187797A2000-memory.dmp

Filesize
1.8MB

Download
memory/4564-117-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-8-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-7-0x00007FFBB6D10000-0x00007FFBB6D20000-memory.dmp

Filesize
64KB

Download
memory/4564-10-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-11-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-12-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-68-0x000001874E9C0000-0x000001874E9D0000-memory.dmp

Filesize
64KB

Download
memory/4564-16-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-15-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-14-0x00007FFBB4870000-0x00007FFBB4880000-memory.dmp

Filesize
64KB

Download
memory/4564-17-0x00007FFBB4870000-0x00007FFBB4880000-memory.dmp

Filesize
64KB

Download
memory/4564-6-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-27-0x000001874AD60000-0x000001874B560000-memory.dmp

Filesize
8.0MB

Download
memory/4564-5-0x00007FFBB6D10000-0x00007FFBB6D20000-memory.dmp

Filesize
64KB

Download
memory/4564-3-0x00007FFBB6D10000-0x00007FFBB6D20000-memory.dmp

Filesize
64KB

Download
memory/4564-37-0x000001874AD60000-0x000001874B560000-memory.dmp

Filesize
8.0MB

Download
memory/4564-39-0x000001874AD60000-0x000001874B560000-memory.dmp

Filesize
8.0MB

Download
memory/4564-40-0x000001874AD60000-0x000001874B560000-memory.dmp

Filesize
8.0MB

Download
memory/4564-4-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-56-0x000001875FA10000-0x000001875FC10000-memory.dmp

Filesize
2.0MB

Download
memory/4564-59-0x0000018779430000-0x00000187795D2000-memory.dmp

Filesize
1.6MB

Download
memory/4564-60-0x00007FFBCBCA0000-0x00007FFBCC761000-memory.dmp

Filesize
10.8MB

Download
memory/4564-61-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-62-0x000001877C040000-0x000001877EAA0000-memory.dmp

Filesize
42.4MB

Download
memory/4564-63-0x0000018779880000-0x0000018779B14000-memory.dmp

Filesize
2.6MB

Download
memory/4564-64-0x0000018751430000-0x000001875148C000-memory.dmp

Filesize
368KB

Download
memory/4564-1-0x00007FFBB6D10000-0x00007FFBB6D20000-memory.dmp

Filesize
64KB

Download
memory/4564-66-0x0000018751390000-0x00000187513B2000-memory.dmp

Filesize
136KB

Download
memory/4564-67-0x000001877A8B0000-0x000001877B640000-memory.dmp

Filesize
13.6MB

Download
memory/4564-70-0x00000187514E0000-0x0000018751502000-memory.dmp

Filesize
136KB

Download
memory/4564-9-0x00007FFBB6D10000-0x00007FFBB6D20000-memory.dmp

Filesize
64KB

Download
memory/4564-13-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-71-0x0000018782DC0000-0x00000187870D6000-memory.dmp

Filesize
67.1MB

Download
memory/4564-72-0x0000018751510000-0x0000018751538000-memory.dmp

Filesize
160KB

Download
memory/4564-73-0x0000018751590000-0x00000187515E0000-memory.dmp

Filesize
320KB

Download
memory/4564-74-0x000001874E820000-0x000001874E830000-memory.dmp

Filesize
64KB

Download
memory/4564-75-0x0000018750370000-0x0000018750388000-memory.dmp

Filesize
96KB

Download
memory/4564-76-0x00000187518A0000-0x00000187518FA000-memory.dmp

Filesize
360KB

Download
memory/4564-77-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-78-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-80-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-79-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-81-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-82-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-83-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-84-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-85-0x000001877A050000-0x000001877A578000-memory.dmp

Filesize
5.2MB

Download
memory/4564-86-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-87-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-2-0x00007FFBF6C90000-0x00007FFBF6E85000-memory.dmp

Filesize
2.0MB

Download
memory/4564-107-0x000001874AD60000-0x000001874B560000-memory.dmp

Filesize
8.0MB

Download
memory/4564-108-0x000001874AD60000-0x000001874B560000-memory.dmp

Filesize
8.0MB

Download
memory/4564-112-0x000001874AD60000-0x000001874B560000-memory.dmp

Filesize
8.0MB

Download
memory/4564-113-0x000001875FA10000-0x000001875FC10000-memory.dmp

Filesize
2.0MB

Download
memory/4564-114-0x00007FFBCBCA0000-0x00007FFBCC761000-memory.dmp

Filesize
10.8MB

Download
memory/4564-115-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-116-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-69-0x00000187513E0000-0x00000187513EA000-memory.dmp

Filesize
40KB

Download
memory/4564-118-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download
memory/4564-119-0x00000187515E0000-0x00000187515F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads