MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb463c1449236d04a50a99fc18047f0e51718428c7b858c7b83e5e19f1c5561. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LockBit


Vendor detections: 13


Maldoc score: 9


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb463c1449236d04a50a99fc18047f0e51718428c7b858c7b83e5e19f1c5561
SHA3-384 hash: 5ebd2b3917b7ff9ab08d74d53c028c4dd6d742b9f2c43251a4e50e1da6120da65fb61d923d1de637d4c634402e45d12b
SHA1 hash: 59edd4b3c523af71219fff0e15f8daa6ec11783d
MD5 hash: 03cea7c49abe78863ae2644ac77c8efb
humanhash: happy-ten-green-football
File name:03cea7c49abe78863ae2644ac77c8efb.docx
Download: download sample
Signature LockBit
Create hunting rule
File size:16'345 bytes
First seen:2022-12-12 17:22:09 UTC
Last seen:2022-12-21 20:17:49 UTC
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 384:t8gatPw7Y+vE4zUNxt/ZtNNO1yLHaHJ7rvg/k:3g47Yl4zuxllNuyTap75
TLSH T18372AE3DCA15B408D6B5453CD05E03F8F52E1641EB11A3BB3816BA9FE5689DB2723A8C
TrID 53.0% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9)
23.9% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
17.8% (.ZIP) Open Packaging Conventions container (17500/1/4)
4.0% (.ZIP) ZIP compressed archive (4000/1)
1.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter abuse_ch
Tags:doc docx lockbit

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 6 sections in this file using oledump:

Section IDSection sizeSection name
A1369 bytesPROJECT
A241 bytesPROJECTwm
A32410 bytesVBA/ThisDocument
A42523 bytesVBA/_VBA_PROJECT
A5469 bytesVBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
IOC195.201.101.146IPv4 address
IOC43et5rgr6hty6h76tuyrExecutable file name
SuspiciousGetObjectMay get an OLE object with a running instance
SuspiciousexecMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
378
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b55624bf812c25712465543d5c0d687f523d3a93f6879817cef93dffef20888.docx
Verdict:
Malicious activity
Analysis date:
2022-12-12 14:17:02 UTC
Tags:
loader
Link:
https://app.any.run/tasks/974f9b38-ed45-4943-bb01-240c45196060

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Detection(s):
TwinWave.EvilDoc.GOStringGamesBangBang.20200908.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.ICEDIDOGORiginalGangsterGOMethodsM1.20200923.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.HTTP
Create hunting rule

TwinWave.EvilDoc.CMDObfusGamesCarrotAndStick.M1.20220128.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Result
Verdict:
Malicious
File Type:
Word File with Macro
Link:
https://app.docguard.net/7fb463c1449236d04a50a99fc18047f0e51718428c7b858c7b83e5e19f1c5561/results/dashboard
Payload URLs
URL
File name
195.201.101.146
vbaProject.bin
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cmd.exe evasive explorer.exe macros macros-on-open powershell shell32.dll
Link:
https://www.filescan.io/uploads/63976376f6e448d42df835f2/reports/b5295a56-dfe9-4623-9de8-dbe36f35dd0c/overview
Label:
Malicious
Suspicious Score:
7.5/10
Score Malicious:
76%
Score Benign:
24%
Link:
https://www.malware.ai/gui/files/?id=143ad314-5257-4cad-bdfd-939ddc9b2850
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/7fb463c1449236d04a50a99fc18047f0e51718428c7b858c7b83e5e19f1c5561
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
LockBit ransomware
Create hunting rule
Detection:
malicious
Classification:
expl.rans.spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132890
Signature
Antivirus detection for URL or domain
Clears the windows event log
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious names
Deletes shadow drive data (may be related to ransomware)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found ransom note / readme
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Delete shadow copy via WMIC
Spreads via windows shares (copies files to share folders)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Yara detected LockBit ransomware
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 765610 Sample: NrAqXYRbpi.doc Startdate: 12/12/2022 Architecture: WINDOWS Score: 100 86 Multi AV Scanner detection for domain / URL 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 11 other signatures 2->92 10 WINWORD.EXE 30 26 2->10         started        14 43et5rgr6hty6h76tuyr6t.exe 2->14         started        16 43et5rgr6hty6h76tuyr6t.exe 2->16         started        18 2 other processes 2->18 process3 file4 78 C:\Users\user\AppData\...78rAqXYRbpi.doc.LNK, MS 10->78 dropped 112 Obfuscated command line found 10->112 20 cmd.exe 1 10->20         started        22 cmd.exe 10->22         started        signatures5 process6 process7 24 powershell.exe 15 16 20->24         started        28 conhost.exe 20->28         started        30 powershell.exe 22->30         started        32 conhost.exe 22->32         started        file8 76 C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe, PE32 24->76 dropped 102 Drops PE files to the user root directory 24->102 104 Powershell drops PE file 24->104 34 43et5rgr6hty6h76tuyr6t.exe 8 507 24->34         started        39 43et5rgr6hty6h76tuyr6t.exe 30->39         started        signatures9 process10 dnsIp11 80 192.168.2.100 unknown unknown 34->80 82 192.168.2.101 unknown unknown 34->82 84 98 other IPs or domains 34->84 68 C:\...\Restore-My-Files.txt, ASCII 34->68 dropped 70 C:\...\Restore-My-Files.txt, ASCII 34->70 dropped 72 C:\...\Restore-My-Files.txt, ASCII 34->72 dropped 74 8 other files (7 malicious) 34->74 dropped 94 Multi AV Scanner detection for dropped file 34->94 96 Connects to many different private IPs via SMB (likely to spread or exploit) 34->96 98 Connects to many different private IPs (likely to spread or exploit) 34->98 100 9 other signatures 34->100 41 cmd.exe 34->41         started        44 cmd.exe 34->44         started        46 cmd.exe 34->46         started        48 12 other processes 34->48 file12 signatures13 process14 signatures15 106 May disable shadow drive data (uses vssadmin) 41->106 108 Deletes shadow drive data (may be related to ransomware) 41->108 110 Uses bcdedit to modify the Windows boot settings 41->110 50 conhost.exe 41->50         started        52 vssadmin.exe 41->52         started        62 3 other processes 41->62 54 conhost.exe 44->54         started        56 vssadmin.exe 44->56         started        64 2 other processes 46->64 58 conhost.exe 48->58         started        60 bcdedit.exe 48->60         started        66 22 other processes 48->66 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fb463c1449236d04a50a99fc18047f0e51718428c7b858c7b83e5e19f1c5561/
Threat name:
Script.Trojan.Powload
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 08:02:59 UTC
File Type:
Document
Extracted files:
20
AV detection:
12 of 25 (48.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p62ghqkesi3nassqvgp4dach6dsrogccrr5yldd3qps6dhy4kvqq._file
Result
Malware family:
lockbit
Create hunting rule
Score:
  10/10
Tags:
family:lockbit discovery evasion persistence ransomware
Link:
https://tria.ge/reports/221212-vx44dseg51/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Interacts with shadow copies
Modifies Control Panel
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Creates a large amount of network flows
Deletes shadow copies
Modifies boot configuration data using bcdedit
Lockbit
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e55bf1fa-1785-4d70-b412-a9e333dc31d7
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7fb463c14492/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fb463c1449236d04a50a99fc18047f0e51718428c7b858c7b83e5e19f1c5561

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LockBit

Word file doc 7fb463c1449236d04a50a99fc18047f0e51718428c7b858c7b83e5e19f1c5561

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2454880/
  
Delivery method
Distributed via web download

Comments