5222785d721ce9f856d31d7088406589c3afe28256bef0a6fb6214aa8962b722

Analysis

max time kernel
4294233s
max time network
143s
platform
windows7_x64
resource
win7-20220311-en
submitted
16-03-2022 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
Size

218KB
MD5

0c4a84b66832a08dccc42b478d9d5e1b
SHA1

160320b920a5ef22ac17b48146152ffbef60461f
SHA256

5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b
SHA512

56e4b07baca1c4c82e518088cc713b97eb2aa4e096d39bd7076396e075621bc47a20fd6a65fb897dc974d77c01f242a872532136d4bd3097a57c4664d8430872

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Restore_My_Files.txt

Ransom Note

### What happened? #### !!!Your files are encrypted!!! *All your files are protected by strong encryption with RSA-2048.* *There is no public decryption software.* *We have successfully stolen your confidential document data, finances, emails, employee information, customers, research and development products...* #### What is the price? *The price depends on how fast you can write to us.* *After payment, we will send you the decryption tool which will decrypt all your files.* #### What should I do? *There is only one way to get your files back -->>Contact us, pay and get decryption software.* *If you decline payment, we will share your data files with the world.* *You can browse your data breach here: http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion* (you should download and install TOR browser first hxxps://torproject.org) #### !!!Decryption Guaranteed!!! *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.* #### !!!Contact us!!! email: contact@pandoraxyz.xyz #### !!!Warning!!! *Do not attempt to decrypt your data using third-party software, this may result in permanent data loss.* *Decrypting your files with the help of a third party may result in a price increase (they charge us a fee), or you may fall victim to a scam.* *Don't try to delete programs or run antivirus tools. It won't work.* *Attempting to self-decrypt the file will result in the loss of your data.*

Emails

contact@pandoraxyz.xyz

URLs

http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion*

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\HideStart.crw => C:\Users\Admin\Pictures\HideStart.crw.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\RedoProtect.tif => C:\Users\Admin\Pictures\RedoProtect.tif.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\StartResolve.tiff => C:\Users\Admin\Pictures\StartResolve.tiff.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteBlock.tiff	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\CompleteBlock.tiff => C:\Users\Admin\Pictures\CompleteBlock.tiff.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened for modification	C:\Users\Admin\Pictures\WatchStart.tiff	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\WatchStart.tiff => C:\Users\Admin\Pictures\WatchStart.tiff.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\ApproveHide.tif => C:\Users\Admin\Pictures\ApproveHide.tif.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File renamed	C:\Users\Admin\Pictures\FindDismount.crw => C:\Users\Admin\Pictures\FindDismount.crw.pandora	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened for modification	C:\Users\Admin\Pictures\StartResolve.tiff	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification \??\M:\$RECYCLE.BIN\S-1-5-21-2199625441-3471261906-229485034-1000\desktop.ini explorer.exe

description	ioc	process
File opened for modification	\??\M:\$RECYCLE.BIN\S-1-5-21-2199625441-3471261906-229485034-1000\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe

description	ioc	process
File opened (read-only)	\??\A:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\F:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\E:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\T:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\P:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\B:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\N:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\Q:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\G:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\Z:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\U:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\I:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\O:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\H:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\L:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\W:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\R:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\Y:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\V:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\M:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\X:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\S:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\J:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
File opened (read-only)	\??\K:	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe

Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1360 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe

pid	process
1360	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe

Modifies registry class 7 IoCs

Processes:

explorer.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 4 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

2028 NOTEPAD.EXE
548 NOTEPAD.EXE
1104 NOTEPAD.EXE
1996 NOTEPAD.EXE

pid	process
2028	NOTEPAD.EXE
548	NOTEPAD.EXE
1104	NOTEPAD.EXE
1996	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe

pid	process
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exerundll32.exe

pid process

864 explorer.exe
680 rundll32.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exevssvc.exeexplorer.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe
Token: SeShutdownPrivilege	864	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exe

pid	process
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exe

pid	process
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.execmd.exeexplorer.exe

description	pid	process	target process
PID 1084 wrote to memory of 580	1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe	cmd.exe
PID 1084 wrote to memory of 580	1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe	cmd.exe
PID 1084 wrote to memory of 580	1084	5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe	cmd.exe
PID 580 wrote to memory of 1360	580	cmd.exe	vssadmin.exe
PID 580 wrote to memory of 1360	580	cmd.exe	vssadmin.exe
PID 580 wrote to memory of 1360	580	cmd.exe	vssadmin.exe
PID 864 wrote to memory of 1996	864	explorer.exe	NOTEPAD.EXE
PID 864 wrote to memory of 1996	864	explorer.exe	NOTEPAD.EXE
PID 864 wrote to memory of 1996	864	explorer.exe	NOTEPAD.EXE
PID 864 wrote to memory of 680	864	explorer.exe	rundll32.exe
PID 864 wrote to memory of 680	864	explorer.exe	rundll32.exe
PID 864 wrote to memory of 680	864	explorer.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe
"C:\Users\Admin\AppData\Local\Temp\5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Restore_My_Files.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2028

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Restore_My_Files.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:548

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Restore_My_Files.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1104

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Restore_My_Files.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1996

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnprotectPing.tif.pandora
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:680

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\AddUnlock.css.pandora
MD5
e59051bba4a5850226f2ef586e3fe81a

SHA1
52e19f8548918e5b97d8bfd5bf6adc5a1b0575ba

SHA256
598f80efbb781cc8d8ad9c92e87245fd378ae483782b3229b13d7757e6db4d32

SHA512
552b055c6fe35bf95a59a6638342fce4e485dd4d356a8d287298a658db22aac575aebaf79422d325ddc7658bcf08be2631a50c54764a90972f1452222e0ce79e

Download Submit
C:\Users\Admin\Desktop\ConvertFromUnblock.dxf.pandora
MD5
23150a360b004c5a6f54917c7b252ad4

SHA1
a32ff46b00fe2afb63ba1a1d77fb4277ab322ff7

SHA256
99e1f0b0bdb75caf9355c7f31166cd56202f3b5a32892ba8c9b783bc6c327403

SHA512
2c39ea9f7912cfde12df2b7b7f184f654f56ec8d7d7d35c98d234648d56f58894c42ed566e20c93444f7c9ed78829cc10fc83c24c02dbeb902c7812dbb9f0d9c

Download Submit
C:\Users\Admin\Desktop\DebugFind.docx.pandora
MD5
2239b2e009a5079c2ea1057a7d0243b2

SHA1
073036e2e90332b53eaaa92102164ab206889f18

SHA256
07a3ac0b4fc64aac53b8da1a6f700ea7419ba3b5b7f7f0bee2e07aaa7ff508d7

SHA512
5a19f490adde17dd74c180755d7279aa707e35077845017fc99d60fe266f3254cf4af3373b97e70b50ddfce38eb792ab0da5b5a8cff4e688a2b36b0e60b7469e

Download Submit
C:\Users\Admin\Desktop\DisableSkip.rle.pandora
MD5
7c6622f779afff7def0805f46bc77ccb

SHA1
1483dc7914b233614b7965fa7d8e2354d5987f80

SHA256
5ed85d40d2566e797241fec2baf71916245a0c432cd065a02513a564eba85523

SHA512
ba1ceccb4930038d65199035dcbdf1050653dc5aad690099d8bf04cbe5a6adbf4d05d75b2a1368e97f4c3a5e0ad01d1b9666d3bcc07e3abfdbb25401c0ff2ccd

Download Submit
C:\Users\Admin\Desktop\EditGroup.gif.pandora
MD5
02ec56f57a88ea8c1579b3d71db1b373

SHA1
f9e65dd2bcb7f845eb07d20d5cba7bea7ce6b26d

SHA256
a5a7df01a60cb8ab251de5834e633a7d59283d118dda690e11286cb3b5f53e56

SHA512
99d1b6198fe757b2c3a1ec42a3504ef52cb8aedfbb4be23b8a994e7d32349aadc569d87fda12bb694658606d7601acc702983ffc28836845e606f25999a0f5cc

Download Submit
C:\Users\Admin\Desktop\ExpandTest.xltm.pandora
MD5
16a890fc393310be265dcc029ad4bf43

SHA1
fe474252acad5a512f0b2983d79791afe8bda1ec

SHA256
45ca552e020ed2e1e44214a35dd31f25c3ce2e4581cdec55c053ac539a67d3f5

SHA512
5d713e0f8c6150b7500293154a0116b84224c53b9edbc4d2638dc228bf1d7620c4b910817635ea687a5fa04e3cf7e7fbcf4f181970f95c23dee5b2fdc05154c0

Download Submit
C:\Users\Admin\Desktop\ExportProtect.xlt.pandora
MD5
12e6a1d2b74ddc3ffa33e245b10f3591

SHA1
bcd63929d8e58dd89d5c7d30a40c38f68cea9412

SHA256
143a156fa7144b57096e6a7949562313371824f8323cbfb89ea7954d224855dc

SHA512
7f50ac826ff50f799f3c17451db722ed645193d6762202ab32cd1941759e494dc1295d188eb5ea3cfc09b262a4516c5713891054d439acbd4c7f336bad6af105

Download Submit
C:\Users\Admin\Desktop\GetGroup.vssx.pandora
MD5
2fc952f639f772660efb547f55c0007e

SHA1
bfb1035c37e8b22d15cece8116f9552b2cbbb3fb

SHA256
55230fbc28b54846e086f0a83f3e7db606df2f575dbfafb88991523696cf7939

SHA512
16ad25d257a6008911d15ec886b630c2c492fbe157a48b0ee0339e55b008c13aed9b7cc9a6d3d3f9b71848a120f9d01883712f69da046640bde161ee41dbbd9f

Download Submit
C:\Users\Admin\Desktop\MergeResolve.vsd.pandora
MD5
31a43af46bdf79094514d176e730b6d6

SHA1
dce73fc5636c4817472d61ba5360b8e73c51aba1

SHA256
5567aae9b7fcf4144392163d04be6caf4dc8617d5b03267874689c71dc6dd116

SHA512
3c6485c6aefdd3d07c4d095dd6952fabf16e62c6b31cdf6c2b7171154b25299ed8f7711c0fc8a3a24bd58433800d34f314974b05b0f0c86602cfa04b3a4609b2

Download Submit
C:\Users\Admin\Desktop\MoveWait.vsdx.pandora
MD5
5d0415c1d9c914fc9035c4dbb55dc5c9

SHA1
7ce4efe98f7c4788c47ac4ecf894f3a953b11c16

SHA256
2287352cca099c4c869fbfaf2dc611ac1e32c90da272ddbdf8b1267df36adf45

SHA512
b47573adf3b2f0409530d4072233455a1585a7db4d365fdbec4b846639fbae7ac998ef4d284e0281aefaf7c8d00dfa9ffcc3041cdb96c333784c351f7237cd91

Download Submit
C:\Users\Admin\Desktop\ReadConvertTo.wps.pandora
MD5
69dc048311c5ef9ff75b8bbf4f310335

SHA1
a84ba466a1a16883ff8350cf54f82c9b8098a82f

SHA256
fc033ea5b7fabd059966c37beb86703cc21b1358b86d8a7f4ebc9f44265af1af

SHA512
aafd27a36ee891b82899cc98c339f475295fac102382fe5154d5ea419e1ddcd0d1572c814f4957995a79897c0a539f5e68a391067fb6596a417f30b51edac695

Download Submit
C:\Users\Admin\Desktop\RepairSearch.3gpp.pandora
MD5
0dbe81887927a2e22eb4db1b8236b678

SHA1
d5f80009be85550ea390b33cadd7cc0efae45fd6

SHA256
4ea0285c85aceec0b5e4e61ed356cc74c32d23cc59bdf8bc453b84cbfdf43352

SHA512
fb8ac2ebc8bb6bf88c37f4aa4b3cb7a292e7950476fb5dfefcfca068d5a8430c02deb4194369449ef368e10ad8b8b1de06bf8381dd3b19f1f103f96df2ce6a02

Download Submit
C:\Users\Admin\Desktop\ResolveEnter.dib.pandora
MD5
c6ee50dc1e3a8592ad10126a652dbae8

SHA1
708f7103145fdf0691eba0d2e6759b11dc3ab56e

SHA256
4c2c8f7a1858ed62dff36f48fff6cbc26780457999e1b3ca958d32337eb1164e

SHA512
13176488f0b26fc998ee2b439bb84d4cacb125dd933f05e4fadebcee041d53617c68508851a8a14998a741475161c5a2437d62b77f57697966a2e70e4d26bb70

Download Submit
C:\Users\Admin\Desktop\Restore_My_Files.txt
MD5
667e8eb6a857d892d3fd53c18dd6e284

SHA1
cf40c1d329976081ddc1e03fa8d27cd8a1a31d88

SHA256
442f18c233c0a7672d4f163cfbe946987fc9b63da48734893ae4cf975d7de07a

SHA512
94c0548f2475f5f4dc645eb383ca9d2dbc862670d149c4bb9646409bd0373bb2acf694606db572a64b901eb966379e0bbf7830846b1fd6a939ab1ef660460d4f

Download Submit
C:\Users\Admin\Desktop\StepMerge.wmv.pandora
MD5
fc20be2a9be8b7ba1a2795778becd06d

SHA1
38d8202826bb51e2842fe96286f55a35e9defc0f

SHA256
65b462567081e7bb19540b6093851eaf17805d79ab49a8ee673312a014c687d8

SHA512
5716bd27356536ece5344320ce026c8a5362a311b7d941d493a488e68fd6e4edd5fc8e13f648432a8e4cb215fb7bff1eae0c93850f7cd1201e2a607e2da57fce

Download Submit
C:\Users\Admin\Desktop\SubmitLimit.svg.pandora
MD5
a768582e8613b2d22bf43a94e8e09db4

SHA1
76a65f1bda86d2fb7bfaf96dbdd4cee833d863e0

SHA256
1e11d722511c22b8296458f7aecbce204833bb2a0fd07c16a831c070ddb7a8a5

SHA512
ea1ca5f62515869e8f8cd5d4b0a87537142d2e93555c863d0dccc09394705370a8b14aceddde4337411afec12eed57351d32ce82dc9daa89ad9dd1289bf399e9

Download Submit
C:\Users\Admin\Desktop\SwitchWatch.au3.pandora
MD5
0a786019b9bd328545b10ccf7e4fd3c2

SHA1
546a91058de3350d17d3c07c5aa70a669ee8b4af

SHA256
3a810142b00c0d8bd7036436d3f6de821841b6cfebec2f0a635010f963cd8f9f

SHA512
e3bffe47c6b0f1c85d6e98ab1054eccaae36f9d427a0380f9121c02a41a7ad4ec881e2a656f85a11786bde3880085630c49e3b89fc376857037bb3b91ee72889

Download Submit
C:\Users\Admin\Desktop\TestResume.MOD.pandora
MD5
0e9c76b8593c472ca71ff3cd300616ba

SHA1
a4d48f0bbecfadff4edd9fdb670e4f3113650921

SHA256
b584630b2a2f601cc86cab0aeaf1ffbf55f9dbb64094faeed55d34cb16370249

SHA512
5a735e30c90d14c6dc1a391f7c523f6d64fe0531e79cc08c5be476e12e2087cfb3fcaaaca1dd4ec2c02786caf71f334bf5c207bc02a22d527b08578f2b54370e

Download Submit
C:\Users\Admin\Desktop\TestUndo.fon.pandora
MD5
50ba57f982de1dce219c20f03a84ba5b

SHA1
5abdeae891faee0941b2b559fd94fb6f81ff648d

SHA256
4d07cb0f12fdfbf5ad8723e1243f4c11f12f285e849f21704d1107a6856f05e1

SHA512
78510b8e635f75ce754d3c2a0a560ddd634384a836c5e8d6497d7a470937349b73a280f88ec4c89b4e88ec9f3d6096133216e289fd80fde1414d9fdfc9192833

Download Submit
C:\Users\Admin\Desktop\TraceDeny.pptm.pandora
MD5
d059e6015e99f009dc7f129ca2be1514

SHA1
2596f230190f91bc2749f4239f945534dfe22593

SHA256
e342db4523a152e4f39bef7bbf3548859210cbb498f2f41367c157e4906bc23d

SHA512
8dd354e9ccbfa5f6f8c5347270910327d59aea5d43f5c83470bb92641f6df42501376a7e5f64963ec92aebe6cf4ab694b35a4fd0cc92b1a3e5ea01f131bf868a

Download Submit
C:\Users\Admin\Desktop\UnprotectPing.tif.pandora
MD5
f6002330cf48739180cfd8aab195bc8b

SHA1
e3c1d3ddf749affb57a853075423e633839da512

SHA256
2bd9b20e67d194b9c1949be4b64e26390d96d645c6d0222c049df5816c9a45a1

SHA512
127b6d0f9db842185b2c2f27c8a8ac5c55387d9832bfa881fef22dcbf5fb781bd5d11ce6da3cc141b446e43d2cf668613c26d57c28e99cc274285a8e4dfe851e

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.pandora
MD5
2970c7c631baf928271d1b1f6a08d4bf

SHA1
8c3acd50bc09c2ecec2f1ea2e40fbac3b9a10678

SHA256
76884bdb493a3a0127530c4043f11ac70a9f2ff02930e07878ef7c111013aa49

SHA512
a6dc79a12f6e26aaf671937e7ae091e3d90f93b4cf138036c372e2728e398fd888fbfe720247b00d650f8be314871bceb1a644b35259ca6be5ca0eba07b875db

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.pandora
MD5
58156f282876890ed2a9c12bcddea8eb

SHA1
8c2313c8fdafbeb64ed72c27894e96e75ed99d0c

SHA256
5f154161e99dbcc9269d845d22600f495da4594f5863671dc52cbbf732dd2378

SHA512
ec7082e1133bdf08ea2b13690c2baecf42a648d2d7f6017d1e26ab26db0e80ae563e0b3424a93b4e7037d25daf20eb87c2cbe73a7fd8e83937ec71e3a49d9a6d

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.pandora
MD5
b2ed74653098d21c80dc6dbd130b8a85

SHA1
2d7699e58801ba8a55bebb39d601405e0b2a16d6

SHA256
c92936338fa12d5c8f3674452f5f1956d4f8a66ea71a9c55c12def30776ce397

SHA512
e961d670168a8d04a75f085e9e980de025a7ae308669e502a99efee49f952ea5a82d3dc8653d9f7da32f7c062ee4e92082a0cba52e52088af1c22c1f3f1e8bd3

Download Submit
C:\Users\Public\Desktop\Restore_My_Files.txt
MD5
667e8eb6a857d892d3fd53c18dd6e284

SHA1
cf40c1d329976081ddc1e03fa8d27cd8a1a31d88

SHA256
442f18c233c0a7672d4f163cfbe946987fc9b63da48734893ae4cf975d7de07a

SHA512
94c0548f2475f5f4dc645eb383ca9d2dbc862670d149c4bb9646409bd0373bb2acf694606db572a64b901eb966379e0bbf7830846b1fd6a939ab1ef660460d4f

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.pandora
MD5
5b3f29f2f40a3a766acaa2ec02cf8210

SHA1
169846db33090c4251d336eac9049d4b71d7bce9

SHA256
e8197ffa89e3c6f2c15f86c3f09559e85cfd8032a79dce128f5eea4911b992a1

SHA512
8ffa2fa6cb34d6a2d97a87a01fa193a99fdf19f94d94fe2e4f72e38fe08e33f4d5a7238ed568ae054e4e07ee9b6ebcfdeb8c5bd195d5bb37a0a642cdd2baf09d

Download Submit
memory/864-85-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1084-57-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1084-56-0x000007FEFFA40000-0x000007FEFFC43000-memory.dmp

Filesize
2.0MB

Download
memory/1084-54-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1084-55-0x000007FEFD230000-0x000007FEFD27E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads