Overview

Static: score 10

Behavioral tasks (score: sample, environment):
- 8: pandora/3b...be.exe, windows7_x64
- 10: pandora/3b...be.exe, windows10-2004_x64
- 10: pandora/43...e4.exe, windows7_x64
- 10: pandora/43...e4.exe, windows10-2004_x64
- 10: pandora/54...97.exe, windows7_x64
- 10: pandora/54...97.exe, windows10-2004_x64
- 10: pandora/58...ce.exe, windows7_x64
- 10: pandora/58...ce.exe, windows10-2004_x64
- 10: pandora/6d...ae.exe, windows7_x64
- 10: pandora/6d...ae.exe, windows10-2004_x64
- 10: pandora/74...2d.exe, windows7_x64
- 10: pandora/74...2d.exe, windows10-2004_x64
- 10: pandora/89...d4.exe, windows7_x64
- 10: pandora/89...d4.exe, windows10-2004_x64
- 10: pandora/95...cf.exe, windows7_x64
- 10: pandora/95...cf.exe, windows10-2004_x64
- 10: pandora/b1...00.exe, windows7_x64
- 10: pandora/b1...00.exe, windows10-2004_x64
- 10: pandora/ce...6f.exe, windows7_x64
- 10: pandora/ce...6f.exe, windows10-2004_x64
- 10: pandora/ce...30.exe, windows7_x64
- 10: pandora/ce...30.exe, windows10-2004_x64
- 10: pandora/ce...e1.exe, windows7_x64
- 10: pandora/ce...e1.exe, windows10-2004_x64
- 10: pandora/eb...1d.exe, windows7_x64
- 10: pandora/eb...1d.exe, windows10-2004_x64
General (score 10)
- Target: pandora.zip
- Size: 4.5MB
- Sample: 220505-vl4y9agdd4
- MD5: b58ecc56a17ffaed9e1f96ffb668cc3a
- SHA1: d382e80893582703a7338567b481acf70523fbfe
- SHA256: 6003da433c9240d051c7925dc0fb616a13985ffe8ff65ba1e1092dee7418782d
- SHA512: 3b214944728d25af7b105ba5175d441c213d67fb8f4b08307de4cd14ee1d26e46ab92b187cc0b625ab1eb4f3009569cc7b13be70e9ebffc126950efc5658694e
Static task: static1

Behavioral tasks:
- behavioral1: pandora/3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe.exe (resource: win7-20220414-en)
- behavioral2: pandora/3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe.exe (resource: win10v2004-20220414-en)
- behavioral3: pandora/43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe (resource: win7-20220414-en)
- behavioral4: pandora/43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe (resource: win10v2004-20220414-en)
- behavioral5: pandora/54664bedb8b1e8e5a05a60490739080c757a234a71cbee0917f1bdfde3c95b97.exe (resource: win7-20220414-en)
- behavioral6: pandora/54664bedb8b1e8e5a05a60490739080c757a234a71cbee0917f1bdfde3c95b97.exe (resource: win10v2004-20220414-en)
- behavioral7: pandora/581b977029692c0b8599660f84374c9516275dd348f3ad62dab47dcc7fc44dce.exe (resource: win7-20220414-en)
- behavioral8: pandora/581b977029692c0b8599660f84374c9516275dd348f3ad62dab47dcc7fc44dce.exe (resource: win10v2004-20220414-en)
- behavioral9: pandora/6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae.exe (resource: win7-20220414-en)
- behavioral10: pandora/6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae.exe (resource: win10v2004-20220414-en)
- behavioral11: pandora/745a79a2bce5ad44a11a08abaa0b97b6849dd82177cc0dd7365f269078f6fc2d.exe (resource: win7-20220414-en)
- behavioral12: pandora/745a79a2bce5ad44a11a08abaa0b97b6849dd82177cc0dd7365f269078f6fc2d.exe (resource: win10v2004-20220414-en)
- behavioral13: pandora/890c8453f6d62e49b77614199599848e6c58bfd38255be7d3809444012349ed4.exe (resource: win7-20220414-en)
- behavioral14: pandora/890c8453f6d62e49b77614199599848e6c58bfd38255be7d3809444012349ed4.exe (resource: win10v2004-20220414-en)
- behavioral15: pandora/95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe (resource: win7-20220414-en)
- behavioral16: pandora/95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf.exe (resource: win10v2004-20220414-en)
- behavioral17: pandora/b131e8d134d56da4a7d894f6fbcacc6eb50f88aa72700ac539f4966bcccf0d00.exe (resource: win7-20220414-en)
- behavioral18: pandora/b131e8d134d56da4a7d894f6fbcacc6eb50f88aa72700ac539f4966bcccf0d00.exe (resource: win10v2004-20220414-en)
- behavioral19: pandora/ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe (resource: win7-20220414-en)
- behavioral20: pandora/ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f.exe (resource: win10v2004-20220414-en)
- behavioral21: pandora/ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe (resource: win7-20220414-en)
- behavioral22: pandora/ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30.exe (resource: win10v2004-20220414-en)
- behavioral23: pandora/cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1.exe (resource: win7-20220414-en)
- behavioral24: pandora/cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1.exe (resource: win10v2004-20220414-en)
- behavioral25: pandora/ebe038b29b9f535f975ac7e6c256b7b0597ff93710c2328e8c43a63c750b441d.exe (resource: win7-20220414-en)
- behavioral26: pandora/ebe038b29b9f535f975ac7e6c256b7b0597ff93710c2328e8c43a63c750b441d.exe (resource: win10v2004-20220414-en)
Malware Config

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit):
- http://lockbit-decryptor.top/?CB814BF5252F2B2EA3FE8107302E50FF
- http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA3FE8107302E50FF

Extracted from C:\Users\Admin\Desktop\LockBit-note.hta:
- http://lockbit-decryptor.top/?CB814BF5252F2B2EA3FE8107302E50FF
- http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA3FE8107302E50FF

Extracted from C:\odt\Restore-My-Files.txt (family: lockbit):
- http://lockbit-decryptor.top/?CB814BF5252F2B2EA736BAE86CBCF628
- http://lockbitks2tvnmwk.onion/?CB814BF5252F2B2EA736BAE86CBCF628

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit):
- http://lockbit-decryptor.top/?85C01E35FD24495CD7F75DBE06DD8A8E
- http://lockbitks2tvnmwk.onion/?85C01E35FD24495CD7F75DBE06DD8A8E

Extracted from C:\Users\Admin\Desktop\LockBit-note.hta:
- http://lockbit-decryptor.top/?85C01E35FD24495CD7F75DBE06DD8A8E
- http://lockbitks2tvnmwk.onion/?85C01E35FD24495CD7F75DBE06DD8A8E

Extracted from C:\odt\Restore-My-Files.txt (family: lockbit):
- http://lockbit-decryptor.top/?85C01E35FD24495CABD967551F73C273
- http://lockbitks2tvnmwk.onion/?85C01E35FD24495CABD967551F73C273

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit):
- http://lockbit-decryptor.top/?8B28321ABD4E73FF947FFDB0830A9BBD
- http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FF947FFDB0830A9BBD

Extracted from C:\Users\Admin\Desktop\LockBit-note.hta:
- http://lockbit-decryptor.top/?8B28321ABD4E73FF947FFDB0830A9BBD
- http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FF947FFDB0830A9BBD

Extracted from C:\odt\Restore-My-Files.txt (family: lockbit):
- http://lockbit-decryptor.top/?8B28321ABD4E73FFA3972C962701B1C6
- http://lockbitks2tvnmwk.onion/?8B28321ABD4E73FFA3972C962701B1C6

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit):
- http://lockbit-decryptor.top/?8841DD9B0AC925FFCB8A22CE2D1F7A6A
- http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFCB8A22CE2D1F7A6A
Targets

Target: pandora/3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe
- Size: 146KB
- MD5: ef4a5d286011e8cd66514fa07ac99a29
- SHA1: 8458579dd79056cdddbab67f3c82832acd00ab6d
- SHA256: 3b52db44c2cdd8adfacb906362837ed449e96fcf761de4b1f26388b66b6edabe
- SHA512: 3b71b1b5bd5717728cb1435c88555d2bc9dbc30d735d34798cb160023321e2b6cb97af8de6a6e80ac49b6b911fe0878863fb50c556a1fce918f305110753b2a7
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4
- Size: 174KB
- MD5: 7f0312a1f928c3aeab672ca8d5afc6a9
- SHA1: efb367a61cb29e63a7269765c6071005a643a55d
- SHA256: 43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4
- SHA512: 854592111580d11597824a16b2d62ad313cf4ecdd2329cd9b333f2e3185f4cd21b16164f2e2330e3c5ecf5184471266528fa38d059920b900a32528f40bebcf6
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/54664bedb8b1e8e5a05a60490739080c757a234a71cbee0917f1bdfde3c95b97
- Size: 146KB
- MD5: ee9e9d6b90c5df29a52464e977b566ad
- SHA1: d8f9b34d0e14f303373a86f52716ca0351977b1a
- SHA256: 54664bedb8b1e8e5a05a60490739080c757a234a71cbee0917f1bdfde3c95b97
- SHA512: 252884ad25e49e9a167b0172602badb605dcdf4aea20743900ceb4adda5b638307fefebda48bea9b035d63c8f680a1bfb68477e2bc52ecb7f5e65088962c6773
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/581b977029692c0b8599660f84374c9516275dd348f3ad62dab47dcc7fc44dce
- Size: 472KB
- MD5: 7e250f427d3a3c977331e0f959cbda5d
- SHA1: c0098a524b6b78e95cddba3f91782e2ec1c9f8a9
- SHA256: 581b977029692c0b8599660f84374c9516275dd348f3ad62dab47dcc7fc44dce
- SHA512: 5057755e7dcacba2bd9dbd28e4e43c7c6901a6820d01ba2cefc0c94d0ec6e71e2cda8f86a9d59334d99496f95b1389bcf0a4af9748dbca9d8e6ac6d62ab64575
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae
- Size: 4.3MB
- MD5: 18cea7c5ab3ffb0146bad18ea79b6745
- SHA1: 08cf96e2bc9509163da4e7c3fdffd9ade068ff66
- SHA256: 6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae
- SHA512: a2e599e74ebb477de6d05da14018dee9537303b56074d62e454e1511c394eb6be223d4dcbbcf92060660fc81cccf0337b9c6b24100b2d54592995504d325f550
- Score: 10/10
Signatures:
- Creates a large amount of network flows (this may indicate a network scan to discover remotely running services)
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/745a79a2bce5ad44a11a08abaa0b97b6849dd82177cc0dd7365f269078f6fc2d
- Size: 146KB
- MD5: 4c052f71a6097f2e243ca792a979833a
- SHA1: 866de5f4982f1fac69df382aca57417afa0f6d92
- SHA256: 745a79a2bce5ad44a11a08abaa0b97b6849dd82177cc0dd7365f269078f6fc2d
- SHA512: 06166b3eb49592b08b69844187bf0056d356568f5a1a1c1e0a94cc52faa8e036dbffac624df317e7b618e623f7337b36b4908b1b8c35ff0f7ae942c2d417a103
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/890c8453f6d62e49b77614199599848e6c58bfd38255be7d3809444012349ed4
- Size: 146KB
- MD5: ba7f3406526469fc750194c438b61e7f
- SHA1: 8fd61eaba77bd3960cddad16ed352d85559ed6cf
- SHA256: 890c8453f6d62e49b77614199599848e6c58bfd38255be7d3809444012349ed4
- SHA512: 39f8f310d035fa2c0c4944c5d5931dffb1d560a2f06bd980201405c566213f7d0028b94457eeebd689bec5d0052fb4a05e235110ff35b24f0da226c9710aadf9
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
- Size: 146KB
- MD5: 69bec32d50744293e85606a5e8f80425
- SHA1: 101b90ac7e0c2a8b570686c13dfa0e161ddd00e0
- SHA256: 95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
- SHA512: e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/b131e8d134d56da4a7d894f6fbcacc6eb50f88aa72700ac539f4966bcccf0d00
- Size: 146KB
- MD5: 8269a3a9d7b82c1abc3da4af0a7342dc
- SHA1: bd42d083127d97c6c23541bffd5471e294bc919a
- SHA256: b131e8d134d56da4a7d894f6fbcacc6eb50f88aa72700ac539f4966bcccf0d00
- SHA512: 4e77b0b0c3499b2db0bbd162fbff5a19a2666b0b2406badb68f9b42b5151a67f0a8c3971922c87a549dbca375d664ef738da4f5b6529ae24f0fb1341d926c0b1
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f
- Size: 150KB
- MD5: 94d7e268d4a1bc11f50b7e493a76d7a0
- SHA1: 5cfdfa1aa620ad8dcf85685b0f8103441211e0ed
- SHA256: ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f
- SHA512: 3e769697a3ad8dec988875aef053a1355f46e40df5c4695192e03f22941f9f94ef8d0c2ac8c11b8e1bfc4c4fbfa55bffe35ad706de691c19f057f3c2a5a4f0ab
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30
- Size: 146KB
- MD5: 10b3fd3c861d5cf657934c89260590ab
- SHA1: 7f34253a70c74ab3059714ff8de44de89609803c
- SHA256: ce9261b9bcbf5be7ec01b8224ac5179b76108fe5d37a6bdc62731392df2b2c30
- SHA512: a01f7dde1ddd9e23c5c0d94ef8755eace5493f27dd173f4b3fde38411319c683d05d06cf30fea235c909fb9f3e4f80089bd2249a3f99a637305afd7f849758d9
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
- Size: 148KB
- MD5: a7637dfb6b9408fe020d9333d0ade6dc
- SHA1: 930c34743ab12c80512723db0aa7b8b4762fcc84
- SHA256: cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
- SHA512: a522e3be00f3c32cd318cca7995e0f6f604a0590de3f4c2830920347328d405d178bdd2c2406e3b835cc5e5037e2d2348456b138878644231af94e51fc4b4e94
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pandora/ebe038b29b9f535f975ac7e6c256b7b0597ff93710c2328e8c43a63c750b441d
- Size: 146KB
- MD5: c5ada42d5c2f48db3d4c752405325ddf
- SHA1: 965991c75771455dd8fe9fba5957b14a3e6163a3
- SHA256: ebe038b29b9f535f975ac7e6c256b7b0597ff93710c2328e8c43a63c750b441d
- SHA512: ca23492de2a1aa61c519ea5c333e5c58423a7fc581952ccd6bf7ddd1ce0774a13346d8b9b9ed356e80ed6e7e120ecd1a853eaa97c82f8ac38c79d1d9b82d964a
- Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Deletes itself
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger