Analysis Overview
SHA256
898854195bf8d9bb4f9d05a0fe87a6ddad5cba2bb9875ec4727b6fd5962c3d5d
Threat Level: Likely malicious
The file 2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber was found to be: Likely malicious.
Malicious Activity Summary
Suspicious Office macro
Loads dropped DLL
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:31
Reported
2024-06-28 00:33
Platform
win7-20240419-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe"
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Network
Files
memory/2628-8-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2628-9-0x0000000072A8D000-0x0000000072A98000-memory.dmp
C:\Users\Admin\AppData\Local\SpreadsheetTools\lxLdr.xlam
| Hash | Value |
|---|---|
| MD5 | 68ae3f8f60641e3b6e40c907e9f01daa |
| SHA1 | 204d0f28e2970af8a6727198b88edbfdd19d5c51 |
| SHA256 | 759024e88c6e0063004bb09392922af4010aec87dc7c8377451c87ab13a68bf0 |
| SHA512 | 443d53552354407df61d688223381bfc31f61c6b2bf9618f38e18f74490e8f98ad0dbb3128990c58b4f3094790908b84eb63e62070c337385c20c8a8699bcbcf |
memory/2628-16-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-48-0x00000000007C0000-0x00000000008C0000-memory.dmp
C:\Users\Admin\AppData\Local\SpreadsheetTools\32\LockXLSRuntime.dll
| Hash | Value |
|---|---|
| MD5 | 22d7d6457caf3af57a14d0a7b8d35a07 |
| SHA1 | 131137c90aba5c4da2f18a00bec117727ab420b7 |
| SHA256 | 0197528c3575c6ba5fd456cc5736f554f3f219eae9fcf8da6413753aa5882186 |
| SHA512 | f5b637723db041c9ab322fa134b3509da2b1f8dc7cf56128cd6a9132bbdf4504d7b02975bca06fc93b77ccab9377a38a84b14bb57f7bd24eb7b525ce318236c6 |
memory/2628-44-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-28-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-27-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-26-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-25-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-24-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-51-0x0000000005390000-0x0000000005490000-memory.dmp
memory/2628-23-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-22-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-21-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-20-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-19-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-17-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-15-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-14-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-13-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-12-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-18-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-69-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-70-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-78-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-76-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-74-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-73-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-71-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-68-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-66-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-65-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-63-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-62-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-60-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-59-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-58-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-55-0x000000006D0D0000-0x000000006D35D000-memory.dmp
memory/2628-77-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-75-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-72-0x0000000076130000-0x0000000076345000-memory.dmp
memory/2628-67-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-64-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-61-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-57-0x000000006D0D0000-0x000000006D35D000-memory.dmp
memory/2628-56-0x000000006D0D0000-0x000000006D35D000-memory.dmp
memory/2628-54-0x000000006CC60000-0x000000006CE48000-memory.dmp
memory/2628-50-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-45-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-53-0x0000000075E70000-0x0000000075FCC000-memory.dmp
memory/2628-52-0x0000000075E70000-0x0000000075FCC000-memory.dmp
C:\Users\Admin\AppData\Local\SpreadsheetTools\empty.xls
| Hash | Value |
|---|---|
| MD5 | 29c44d16abfff0d8ccbd43a80871a904 |
| SHA1 | 5f6417443a42856fd13d90e56153a8b5d272dffd |
| SHA256 | 63c99e16ff5432d4432fd01de90d549f1c898049d63422450cb93ab8e29fdb2d |
| SHA512 | ed62a24fb42abb49a8c23aab6c4e140b4b98a25227c100f9c8081f325ba3a41d6b49a5628a704db7f1207bc0c3bb852ea02d88f4a868e7ec1f2ddf599d0839e7 |
memory/2628-121-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-138-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-193-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-194-0x0000000072A8D000-0x0000000072A98000-memory.dmp
memory/2628-195-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-196-0x0000000005390000-0x0000000005490000-memory.dmp
memory/2628-197-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-198-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-199-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2628-239-0x0000000072A8D000-0x0000000072A98000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:31
Reported
2024-06-28 00:33
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
151s
Command Line
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_696e1d61dcfdfb10c161f4e817c557f6_magniber.exe"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
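The Network table lists only the resolver (8.8.8.8) for each DNS event; the address the sample actually asked about is encoded in the `in-addr.arpa` name with its octets reversed. The script below is an added triage helper, not part of the report or of the analysed sample: it parses rows in the table's own layout, turns each PTR name back into the IPv4 address it names, and separates those reverse lookups from direct connections such as the TCP/443 row. The `NETWORK_ROWS` string is constructed from the rows above; the parser also tolerates a row where the empty Domain cell was dropped and the protocol slid one column left (an extraction artifact, handled as an assumption about how such tables degrade).

```python
import ipaddress
import re

# Constructed input: the data rows of the Network table above, in the report's
# pipe-separated layout. The 142.250.187.202 row is deliberately written in
# the shifted form (protocol in the Domain column) to exercise the fix-up below.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
"""

# d.c.b.a.in-addr.arpa names the address a.b.c.d (RFC 1035 reverse mapping).
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)
PROTOS = {"tcp", "udp"}


def ptr_to_ip(name):
    """Return the IPv4 address an in-addr.arpa name asks about, or None if it is not one."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        # Reverse the octets and let ipaddress reject out-of-range values (e.g. 300).
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Yield (country, host, port, domain, proto) for each data row of a pipe table."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # blank line, header, or a row we do not understand
        country, dest, domain, proto = cells
        # Assumed extraction artifact: empty Domain cell dropped, protocol shifted left.
        if domain.lower() in PROTOS and not proto:
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        yield country, host, int(port) if port.isdigit() else None, domain, proto.lower()


def summarize_network(text):
    """Split table rows into PTR lookups (with the decoded address), direct connections, and the rest."""
    ptr, direct, other = [], [], []
    for country, host, port, domain, proto in parse_rows(text):
        ip = ptr_to_ip(domain) if domain else None
        if ip is not None:
            ptr.append((host, domain, ip))        # resolver, query name, address asked about
        elif not domain:
            direct.append((host, port, proto))    # connection with no DNS name attached
        else:
            other.append((host, domain, proto))   # forward lookups, if any
    return {"ptr": ptr, "direct": direct, "other": other}


if __name__ == "__main__":
    summary = summarize_network(NETWORK_ROWS)
    for resolver, name, ip in summary["ptr"]:
        print(f"PTR via {resolver:<10} {name:<32} -> {ip}")
    for host, port, proto in summary["direct"]:
        print(f"direct {proto} {host}:{port}")
```

The decoded addresses (52.167.17.97, 23.14.90.80, 192.229.221.95 and so on) are what you pivot on in passive DNS or netflow; the report's own Destination column only ever names the resolver for these rows. Reverse lookups of this kind are also produced by Windows and Office telemetry, so treat them as context rather than as sample-specific C2 indicators until a forward lookup or a connection to the decoded address is seen.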
Files
memory/4540-8-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-11-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-10-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-9-0x00007FFDA2AAD000-0x00007FFDA2AAE000-memory.dmp
memory/4540-12-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-13-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-14-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-15-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-16-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-17-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-18-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-19-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-21-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-20-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-22-0x00007FFD60A30000-0x00007FFD60A40000-memory.dmp
memory/4540-23-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-24-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-26-0x00007FFD60A30000-0x00007FFD60A40000-memory.dmp
C:\Users\Admin\AppData\Local\SpreadsheetTools\lxLdr.xlam
| MD5 | 68ae3f8f60641e3b6e40c907e9f01daa |
| SHA1 | 204d0f28e2970af8a6727198b88edbfdd19d5c51 |
| SHA256 | 759024e88c6e0063004bb09392922af4010aec87dc7c8377451c87ab13a68bf0 |
| SHA512 | 443d53552354407df61d688223381bfc31f61c6b2bf9618f38e18f74490e8f98ad0dbb3128990c58b4f3094790908b84eb63e62070c337385c20c8a8699bcbcf |
C:\Users\Admin\AppData\Local\SpreadsheetTools\64\LockXLSRuntime64.dll
| MD5 | 5a208f13a53c40b009eda98326426dab |
| SHA1 | b66e179205a5da79fc45d3a268e703089c549e1c |
| SHA256 | ab2f5b1456e22b2c67d4c8d9e04d4ae9622930979fa1b640cdfc43fbcd8d2dd2 |
| SHA512 | 5885382c1ba6b9061a043d2f1f9690423e206a611b565afd2b5802807f76e0537bd7b5b5f5056a1b31d3324165d4b8f7e6879c462e7b3f32e43d8f322d7ae9fd |
memory/4540-44-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-47-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-46-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-45-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-56-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-57-0x00007FFDA2AAD000-0x00007FFDA2AAE000-memory.dmp
memory/4540-58-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-68-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-70-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-69-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-71-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-72-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-75-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-74-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-73-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-76-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
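The memory entries above are named `memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp`, and the same few regions of PID 4540 are dumped over and over as the sandbox re-captures them. The script below is an added helper, not part of the report: it collapses the list into distinct regions, computes each region's size, records which capture sequence numbers hit it, and flags a region that lies entirely inside another (the single page at 0x00007FFDA2AAD000 sits inside the roughly 2 MB region starting at 0x00007FFDA2A10000). `SAMPLE_DUMPS` is a constructed subset of the entries listed above; the naming convention is inferred from those entries and is an assumption for any other sandbox's output.

```python
import re

# Constructed input: a subset of the memory dump names listed above.
SAMPLE_DUMPS = """
memory/4540-8-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-9-0x00007FFDA2AAD000-0x00007FFDA2AAE000-memory.dmp
memory/4540-11-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp
memory/4540-13-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
memory/4540-22-0x00007FFD60A30000-0x00007FFD60A40000-memory.dmp
memory/4540-44-0x00007FFDA0E50000-0x00007FFDA0F7A000-memory.dmp
memory/4540-57-0x00007FFDA2AAD000-0x00007FFDA2AAE000-memory.dmp
memory/4540-76-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp
"""

# Assumed name layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, seq, start, end) as integers, or None if the name does not match."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        return None  # malformed range; do not report a negative or empty region
    return int(pid), int(seq), start, end


def summarize_dumps(text):
    """Collapse dump names into distinct (pid, start, end) regions with size, hit sequence numbers and nesting."""
    regions = {}
    for line in text.splitlines():
        parsed = parse_dump_name(line)
        if parsed is None:
            continue
        pid, seq, start, end = parsed
        r = regions.setdefault(
            (pid, start, end),
            {"pid": pid, "start": start, "end": end, "size": end - start, "seqs": []},
        )
        r["seqs"].append(seq)

    out = sorted(regions.values(), key=lambda r: (r["pid"], r["start"], r["end"]))
    for r in out:
        r["seqs"].sort()
        r["enclosed_by"] = None
        # A region fully contained in a larger one of the same process is usually a
        # single page or section of that larger mapping; record the enclosing start.
        for other in out:
            if (other is not r and other["pid"] == r["pid"]
                    and other["start"] <= r["start"] and r["end"] <= other["end"]):
                r["enclosed_by"] = other["start"]
                break
    return out


def format_region(r):
    """One human-readable line per region, for the reader running this stand-alone."""
    nest = f" (inside 0x{r['enclosed_by']:016X})" if r["enclosed_by"] is not None else ""
    return (f"pid {r['pid']} 0x{r['start']:016X}-0x{r['end']:016X} "
            f"{r['size']:>9d} bytes, captured {len(r['seqs'])}x seq {r['seqs']}{nest}")


if __name__ == "__main__":
    for region in summarize_dumps(SAMPLE_DUMPS):
        print(format_region(region))
```

Run over the full list, the output reduces 44 dump names to a handful of regions; the sizes (0x10000, 0x12A000, 0x1F5000, 0x1000) and the capture counts tell you which mappings the sandbox kept re-dumping, which is the natural starting point when you pull the dumps for string or PE-header inspection. Region sizes alone do not identify what was mapped there; that needs the dump contents.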