lockergoga | 2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b

Analysis

max time kernel
156s
max time network
124s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
Size

1.2MB
MD5

d62c6d8c6bbb845302757504fdcc38be
SHA1

c46abb02c682683a4e92657a07da2bedc8d640ad
SHA256

2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b
SHA512

9a3702e6988973f49b4090e4250a09afd0cbec17e8fe8af4dfc38e1b29cfc238bee05c535cb9a7d9d37a84ef5d14ae790f942ead05ce987d7a6bb374aafc5a60

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jdwp.dll	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll	tgytutrc9130.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\et.pak	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jre7\bin\instrument.dll	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.dll	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jre7\bin\hprof.dll	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jre7\bin\installer.dll	tgytutrc9130.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	tgytutrc9130.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar	tgytutrc9130.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1468	tgytutrc9130.exe
1776	tgytutrc9130.exe
1468	tgytutrc9130.exe
1776	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1468	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1776	tgytutrc9130.exe
1696	tgytutrc9130.exe
1696	tgytutrc9130.exe
1696	tgytutrc9130.exe
1696	tgytutrc9130.exe
1696	tgytutrc9130.exe
1696	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1696	tgytutrc9130.exe
1696	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe
1960	tgytutrc9130.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1912	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
Token: SeBackupPrivilege	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
Token: SeRestorePrivilege	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
Token: SeLockMemoryPrivilege	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
Token: SeCreateGlobalPrivilege	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
Token: SeDebugPrivilege	472	tgytutrc9130.exe
Token: SeBackupPrivilege	472	tgytutrc9130.exe
Token: SeRestorePrivilege	472	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	472	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	472	tgytutrc9130.exe
Token: SeDebugPrivilege	1776	tgytutrc9130.exe
Token: SeDebugPrivilege	1468	tgytutrc9130.exe
Token: SeBackupPrivilege	1776	tgytutrc9130.exe
Token: SeBackupPrivilege	1468	tgytutrc9130.exe
Token: SeRestorePrivilege	1776	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	1776	tgytutrc9130.exe
Token: SeRestorePrivilege	1468	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	1776	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	1468	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	1468	tgytutrc9130.exe
Token: SeDebugPrivilege	1696	tgytutrc9130.exe
Token: SeBackupPrivilege	1696	tgytutrc9130.exe
Token: SeRestorePrivilege	1696	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	1696	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	1696	tgytutrc9130.exe
Token: SeDebugPrivilege	1960	tgytutrc9130.exe
Token: SeBackupPrivilege	1960	tgytutrc9130.exe
Token: SeRestorePrivilege	1960	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	1960	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	1960	tgytutrc9130.exe
Token: SeDebugPrivilege	820	tgytutrc9130.exe
Token: SeBackupPrivilege	820	tgytutrc9130.exe
Token: SeRestorePrivilege	820	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	820	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	820	tgytutrc9130.exe
Token: SeDebugPrivilege	1472	tgytutrc9130.exe
Token: SeBackupPrivilege	1472	tgytutrc9130.exe
Token: SeRestorePrivilege	1472	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	1472	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	1472	tgytutrc9130.exe
Token: SeDebugPrivilege	676	tgytutrc9130.exe
Token: SeBackupPrivilege	676	tgytutrc9130.exe
Token: SeRestorePrivilege	676	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	676	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	676	tgytutrc9130.exe
Token: SeDebugPrivilege	972	tgytutrc9130.exe
Token: SeBackupPrivilege	972	tgytutrc9130.exe
Token: SeDebugPrivilege	1880	tgytutrc9130.exe
Token: SeRestorePrivilege	972	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	972	tgytutrc9130.exe
Token: SeBackupPrivilege	1880	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	972	tgytutrc9130.exe
Token: SeRestorePrivilege	1880	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	1880	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	1880	tgytutrc9130.exe
Token: SeDebugPrivilege	880	tgytutrc9130.exe
Token: SeBackupPrivilege	880	tgytutrc9130.exe
Token: SeRestorePrivilege	880	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	880	tgytutrc9130.exe
Token: SeCreateGlobalPrivilege	880	tgytutrc9130.exe
Token: SeDebugPrivilege	1828	tgytutrc9130.exe
Token: SeBackupPrivilege	1828	tgytutrc9130.exe
Token: SeRestorePrivilege	1828	tgytutrc9130.exe
Token: SeLockMemoryPrivilege	1828	tgytutrc9130.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1912	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	27
PID 1572 wrote to memory of 1912	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	27
PID 1572 wrote to memory of 1912	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	27
PID 1572 wrote to memory of 1912	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	27
PID 1572 wrote to memory of 472	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	29
PID 1572 wrote to memory of 472	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	29
PID 1572 wrote to memory of 472	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	29
PID 1572 wrote to memory of 472	1572	2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe	29
PID 472 wrote to memory of 1132	472	tgytutrc9130.exe	30
PID 472 wrote to memory of 1132	472	tgytutrc9130.exe	30
PID 472 wrote to memory of 1132	472	tgytutrc9130.exe	30
PID 472 wrote to memory of 1132	472	tgytutrc9130.exe	30
PID 472 wrote to memory of 668	472	tgytutrc9130.exe	31
PID 472 wrote to memory of 668	472	tgytutrc9130.exe	31
PID 472 wrote to memory of 668	472	tgytutrc9130.exe	31
PID 472 wrote to memory of 668	472	tgytutrc9130.exe	31
PID 472 wrote to memory of 360	472	tgytutrc9130.exe	33
PID 472 wrote to memory of 360	472	tgytutrc9130.exe	33
PID 472 wrote to memory of 360	472	tgytutrc9130.exe	33
PID 472 wrote to memory of 360	472	tgytutrc9130.exe	33
PID 472 wrote to memory of 1472	472	tgytutrc9130.exe	34
PID 472 wrote to memory of 1472	472	tgytutrc9130.exe	34
PID 472 wrote to memory of 1472	472	tgytutrc9130.exe	34
PID 472 wrote to memory of 1472	472	tgytutrc9130.exe	34
PID 472 wrote to memory of 616	472	tgytutrc9130.exe	35
PID 472 wrote to memory of 616	472	tgytutrc9130.exe	35
PID 472 wrote to memory of 616	472	tgytutrc9130.exe	35
PID 472 wrote to memory of 616	472	tgytutrc9130.exe	35
PID 472 wrote to memory of 1864	472	tgytutrc9130.exe	41
PID 472 wrote to memory of 1864	472	tgytutrc9130.exe	41
PID 472 wrote to memory of 1864	472	tgytutrc9130.exe	41
PID 472 wrote to memory of 1864	472	tgytutrc9130.exe	41
PID 1864 wrote to memory of 1164	1864	net.exe	43
PID 1864 wrote to memory of 1164	1864	net.exe	43
PID 1864 wrote to memory of 1164	1864	net.exe	43
PID 472 wrote to memory of 1828	472	tgytutrc9130.exe	44
PID 472 wrote to memory of 1828	472	tgytutrc9130.exe	44
PID 472 wrote to memory of 1828	472	tgytutrc9130.exe	44
PID 472 wrote to memory of 1828	472	tgytutrc9130.exe	44
PID 1828 wrote to memory of 1768	1828	net.exe	46
PID 1828 wrote to memory of 1768	1828	net.exe	46
PID 1828 wrote to memory of 1768	1828	net.exe	46
PID 472 wrote to memory of 1880	472	tgytutrc9130.exe	47
PID 472 wrote to memory of 1880	472	tgytutrc9130.exe	47
PID 472 wrote to memory of 1880	472	tgytutrc9130.exe	47
PID 472 wrote to memory of 1880	472	tgytutrc9130.exe	47
PID 472 wrote to memory of 1776	472	tgytutrc9130.exe	48
PID 472 wrote to memory of 1776	472	tgytutrc9130.exe	48
PID 472 wrote to memory of 1776	472	tgytutrc9130.exe	48
PID 472 wrote to memory of 1776	472	tgytutrc9130.exe	48
PID 472 wrote to memory of 1468	472	tgytutrc9130.exe	49
PID 472 wrote to memory of 1468	472	tgytutrc9130.exe	49
PID 472 wrote to memory of 1468	472	tgytutrc9130.exe	49
PID 472 wrote to memory of 1468	472	tgytutrc9130.exe	49
PID 472 wrote to memory of 1696	472	tgytutrc9130.exe	50
PID 472 wrote to memory of 1696	472	tgytutrc9130.exe	50
PID 472 wrote to memory of 1696	472	tgytutrc9130.exe	50
PID 472 wrote to memory of 1696	472	tgytutrc9130.exe	50
PID 472 wrote to memory of 1960	472	tgytutrc9130.exe	51
PID 472 wrote to memory of 1960	472	tgytutrc9130.exe	51
PID 472 wrote to memory of 1960	472	tgytutrc9130.exe	51
PID 472 wrote to memory of 1960	472	tgytutrc9130.exe	51
PID 472 wrote to memory of 820	472	tgytutrc9130.exe	55
PID 472 wrote to memory of 820	472	tgytutrc9130.exe	55

C:\Users\Admin\AppData\Local\Temp\2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
"C:\Users\Admin\AppData\Local\Temp\2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
  C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1132
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:668
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:360
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1472
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:616
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
      4⤵
      PID:1164
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:684
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc9130.exe -i SM-tgytutrc -s
    3⤵
    PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1572-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download