General

  • Target

    pandora.zip

  • Size

    4.5MB

  • Sample

    220505-vl4y9agdd4

  • MD5

    b58ecc56a17ffaed9e1f96ffb668cc3a

  • SHA1

    d382e80893582703a7338567b481acf70523fbfe

  • SHA256

    6003da433c9240d051c7925dc0fb616a13985ffe8ff65ba1e1092dee7418782d

  • SHA512

    3b214944728d25af7b105ba5175d441c213d67fb8f4b08307de4cd14ee1d26e46ab92b187cc0b625ab1eb4f3009569cc7b13be70e9ebffc126950efc5658694e

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?CB814BF5252F2B2EA3FE8107302E50FF | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA3FE8107302E50FF This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?CB814BF5252F2B2EA3FE8107302E50FF

http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA3FE8107302E50FF

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?CB814BF5252F2B2EA3FE8107302E50FF Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA3FE8107302E50FF This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?CB814BF5252F2B2EA3FE8107302E50FF

http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA3FE8107302E50FF

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?CB814BF5252F2B2EA736BAE86CBCF628 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA736BAE86CBCF628 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?CB814BF5252F2B2EA736BAE86CBCF628

http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA736BAE86CBCF628

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?85C01E35FD24495CD7F75DBE06DD8A8E | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?85C01E35FD24495CD7F75DBE06DD8A8E This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?85C01E35FD24495CD7F75DBE06DD8A8E

http://lockbitks2tvnmwk.onion/?85C01E35FD24495CD7F75DBE06DD8A8E

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?85C01E35FD24495CD7F75DBE06DD8A8E Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?85C01E35FD24495CD7F75DBE06DD8A8E This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?85C01E35FD24495CD7F75DBE06DD8A8E

http://lockbitks2tvnmwk.onion/?85C01E35FD24495CD7F75DBE06DD8A8E

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?85C01E35FD24495CABD967551F73C273 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?85C01E35FD24495CABD967551F73C273 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?85C01E35FD24495CABD967551F73C273

http://lockbitks2tvnmwk.onion/?85C01E35FD24495CABD967551F73C273

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8B28321ABD4E73FF947FFDB0830A9BBD | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FF947FFDB0830A9BBD This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8B28321ABD4E73FF947FFDB0830A9BBD

http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FF947FFDB0830A9BBD

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?8B28321ABD4E73FF947FFDB0830A9BBD Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FF947FFDB0830A9BBD This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8B28321ABD4E73FF947FFDB0830A9BBD

http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FF947FFDB0830A9BBD

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8B28321ABD4E73FFA3972C962701B1C6 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FFA3972C962701B1C6 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8B28321ABD4E73FFA3972C962701B1C6

http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FFA3972C962701B1C6

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?8841DD9B0AC925FFCB8A22CE2D1F7A6A | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFCB8A22CE2D1F7A6A This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?8841DD9B0AC925FFCB8A22CE2D1F7A6A

http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFCB8A22CE2D1F7A6A

Targets

    • Target

      pandora/3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe

    • Size

      146KB

    • MD5

      ef4a5d286011e8cd66514fa07ac99a29

    • SHA1

      8458579dd79056cdddbab67f3c82832acd00ab6d

    • SHA256

      3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe

    • SHA512

      3b71b1b5bd5717728cb1435c88555d2bc9dbc30d735d34798cb160023321e2b6cb97af8de6a6e80ac49b6b911fe0878863fb50c556a1fce918f305110753b2a7

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4

    • Size

      174KB

    • MD5

      7f0312a1f928c3aeab672ca8d5afc6a9

    • SHA1

      efb367a61cb29e63a7269765c6071005a643a55d

    • SHA256

      43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4

    • SHA512

      854592111580d11597824a16b2d62ad313cf4ecdd2329cd9b333f2e3185f4cd21b16164f2e2330e3c5ecf5184471266528fa38d059920b900a32528f40bebcf6

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/54664bedb8b1e8e5a05a60490739080c757a234a71cbee0917f1bdfde3c95b97

    • Size

      146KB

    • MD5

      ee9e9d6b90c5df29a52464e977b566ad

    • SHA1

      d8f9b34d0e14f303373a86f52716ca0351977b1a

    • SHA256

      54664bedb8b1e8e5a05a60490739080c757a234a71cbee0917f1bdfde3c95b97

    • SHA512

      252884ad25e49e9a167b0172602badb605dcdf4aea20743900ceb4adda5b638307fefebda48bea9b035d63c8f680a1bfb68477e2bc52ecb7f5e65088962c6773

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/581b977029692c0b8599660f84374c9516275dd348f3ad62dab47dcc7fc44dce

    • Size

      472KB

    • MD5

      7e250f427d3a3c977331e0f959cbda5d

    • SHA1

      c0098a524b6b78e95cddba3f91782e2ec1c9f8a9

    • SHA256

      581b977029692c0b8599660f84374c9516275dd348f3ad62dab47dcc7fc44dce

    • SHA512

      5057755e7dcacba2bd9dbd28e4e43c7c6901a6820d01ba2cefc0c94d0ec6e71e2cda8f86a9d59334d99496f95b1389bcf0a4af9748dbca9d8e6ac6d62ab64575

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae

    • Size

      4.3MB

    • MD5

      18cea7c5ab3ffb0146bad18ea79b6745

    • SHA1

      08cf96e2bc9509163da4e7c3fdffd9ade068ff66

    • SHA256

      6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae

    • SHA512

      a2e599e74ebb477de6d05da14018dee9537303b56074d62e454e1511c394eb6be223d4dcbbcf92060660fc81cccf0337b9c6b24100b2d54592995504d325f550

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/745a79a2bce5ad44a11a08abaa0b97b6849dd82177cc0dd7365f269078f6fc2d

    • Size

      146KB

    • MD5

      4c052f71a6097f2e243ca792a979833a

    • SHA1

      866de5f4982f1fac69df382aca57417afa0f6d92

    • SHA256

      745a79a2bce5ad44a11a08abaa0b97b6849dd82177cc0dd7365f269078f6fc2d

    • SHA512

      06166b3eb49592b08b69844187bf0056d356568f5a1a1c1e0a94cc52faa8e036dbffac624df317e7b618e623f7337b36b4908b1b8c35ff0f7ae942c2d417a103

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/890c8453f6d62e49b77614199599848e6c58bfd38255be7d3809444012349ed4

    • Size

      146KB

    • MD5

      ba7f3406526469fc750194c438b61e7f

    • SHA1

      8fd61eaba77bd3960cddad16ed352d85559ed6cf

    • SHA256

      890c8453f6d62e49b77614199599848e6c58bfd38255be7d3809444012349ed4

    • SHA512

      39f8f310d035fa2c0c4944c5d5931dffb1d560a2f06bd980201405c566213f7d0028b94457eeebd689bec5d0052fb4a05e235110ff35b24f0da226c9710aadf9

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

    • Size

      146KB

    • MD5

      69bec32d50744293e85606a5e8f80425

    • SHA1

      101b90ac7e0c2a8b570686c13dfa0e161ddd00e0

    • SHA256

      95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

    • SHA512

      e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/b131e8d134d56da4a7d894f6fbcacc6eb50f88aa72700ac539f4966bcccf0d00

    • Size

      146KB

    • MD5

      8269a3a9d7b82c1abc3da4af0a7342dc

    • SHA1

      bd42d083127d97c6c23541bffd5471e294bc919a

    • SHA256

      b131e8d134d56da4a7d894f6fbcacc6eb50f88aa72700ac539f4966bcccf0d00

    • SHA512

      4e77b0b0c3499b2db0bbd162fbff5a19a2666b0b2406badb68f9b42b5151a67f0a8c3971922c87a549dbca375d664ef738da4f5b6529ae24f0fb1341d926c0b1

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f

    • Size

      150KB

    • MD5

      94d7e268d4a1bc11f50b7e493a76d7a0

    • SHA1

      5cfdfa1aa620ad8dcf85685b0f8103441211e0ed

    • SHA256

      ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f

    • SHA512

      3e769697a3ad8dec988875aef053a1355f46e40df5c4695192e03f22941f9f94ef8d0c2ac8c11b8e1bfc4c4fbfa55bffe35ad706de691c19f057f3c2a5a4f0ab

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30

    • Size

      146KB

    • MD5

      10b3fd3c861d5cf657934c89260590ab

    • SHA1

      7f34253a70c74ab3059714ff8de44de89609803c

    • SHA256

      ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30

    • SHA512

      a01f7dde1ddd9e23c5c0d94ef8755eace5493f27dd173f4b3fde38411319c683d05d06cf30fea235c909fb9f3e4f80089bd2249a3f99a637305afd7f849758d9

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1

    • Size

      148KB

    • MD5

      a7637dfb6b9408fe020d9333d0ade6dc

    • SHA1

      930c34743ab12c80512723db0aa7b8b4762fcc84

    • SHA256

      cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1

    • SHA512

      a522e3be00f3c32cd318cca7995e0f6f604a0590de3f4c2830920347328d405d178bdd2c2406e3b835cc5e5037e2d2348456b138878644231af94e51fc4b4e94

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      pandora/ebe038b29b9f535f975ac7e6c256b7b0597ff93710c2328e8c43a63c750b441d

    • Size

      146KB

    • MD5

      c5ada42d5c2f48db3d4c752405325ddf

    • SHA1

      965991c75771455dd8fe9fba5957b14a3e6163a3

    • SHA256

      ebe038b29b9f535f975ac7e6c256b7b0597ff93710c2328e8c43a63c750b441d

    • SHA512

      ca23492de2a1aa61c519ea5c333e5c58423a7fc581952ccd6bf7ddd1ce0774a13346d8b9b9ed356e80ed6e7e120ecd1a853eaa97c82f8ac38c79d1d9b82d964a

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Command-Line Interface (T1059): 12

Persistence

  • Registry Run Keys / Startup Folder (T1060): 13

Defense Evasion

  • File Deletion (T1107): 38

  • Modify Registry (T1112): 30

Discovery

  • Query Registry (T1012): 25

  • System Information Discovery (T1082): 38

  • Peripheral Device Discovery (T1120): 12

  • Remote System Discovery (T1018): 9

  • Network Service Scanning (T1046): 1

Impact

  • Inhibit System Recovery (T1490): 51

  • Defacement (T1491): 10

Tasks

  • static1 (vmprotect): Score 8/10

  • behavioral1 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral2 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral3 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral4 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral5 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral6 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral7 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral8 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral9 (lockbit, discovery, evasion, persistence, ransomware): Score 10/10

  • behavioral10 (lockbit, discovery, evasion, persistence, ransomware): Score 10/10

  • behavioral11 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral12 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral13 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral14 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral15 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral16 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral17 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral18 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral19 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral20 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral21 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral22 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral23 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral24 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral25 (lockbit, evasion, persistence, ransomware): Score 10/10

  • behavioral26 (lockbit, evasion, persistence, ransomware): Score 10/10