Overview

overview

10

Static

static

2fe3c29913...5b.exe

windows7_x64

10

2fe3c29913...5b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01/02/2022, 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe

  • Size

    1.2MB

  • MD5

    d62c6d8c6bbb845302757504fdcc38be

  • SHA1

    c46abb02c682683a4e92657a07da2bedc8d640ad

  • SHA256

    2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b

  • SHA512

    9a3702e6988973f49b4090e4250a09afd0cbec17e8fe8af4dfc38e1b29cfc238bee05c535cb9a7d9d37a84ef5d14ae790f942ead05ce987d7a6bb374aafc5a60

Score
10/10
lockergogabankerransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note
Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note
Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at:

Signatures

  • LockerGoga

    LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.

    trojanbankerlockergoga
  • Drops file in Program Files directory 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe
    "C:\Users\Admin\AppData\Local\Temp\2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\2fe3c29913f66c255cb7aa5c34821ab182f889e7f96c25bad31267adc8a19e5b.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
      2⤵
      • Suspicious behavior: RenamesItself
      PID:3692
    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -m
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\system32\logoff.exe
        C:\Windows\system32\logoff.exe 0
        3⤵
          PID:2872
        • C:\Windows\system32\logoff.exe
          C:\Windows\system32\logoff.exe 0
          3⤵
            PID:3600
          • C:\Windows\system32\logoff.exe
            C:\Windows\system32\logoff.exe 0
            3⤵
              PID:3656
            • C:\Windows\system32\logoff.exe
              C:\Windows\system32\logoff.exe 0
              3⤵
                PID:2560
              • C:\Windows\system32\logoff.exe
                C:\Windows\system32\logoff.exe 0
                3⤵
                  PID:3816
                • C:\Windows\system32\net.exe
                  C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1652
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
                    4⤵
                      PID:3936
                  • C:\Windows\system32\net.exe
                    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2536
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
                      4⤵
                        PID:2376
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3484
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1604
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1248
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3840
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1872
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2916
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2980
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1820
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1212
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3908
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2936
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3936
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:1952
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:2948
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3320
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3976
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3404
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3852
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:780
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3212
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3584
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3992
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                      • Drops file in Program Files directory
                      PID:3800
                    • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                      C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                      3⤵
                        PID:3940
                      • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                        C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                        3⤵
                          PID:3596
                        • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                          C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                          3⤵
                          • Drops file in Program Files directory
                          PID:2056
                        • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                          C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                          3⤵
                          • Drops file in Program Files directory
                          PID:1860
                        • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                          C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                          3⤵
                            PID:2400
                          • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                            C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                            3⤵
                            • Drops file in Program Files directory
                            PID:3324
                          • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                            C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                            3⤵
                              PID:704
                            • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                              C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                              3⤵
                              • Drops file in Program Files directory
                              PID:1176
                            • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                              C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                              3⤵
                              • Drops file in Program Files directory
                              PID:3956
                            • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                              C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                              3⤵
                              • Drops file in Program Files directory
                              PID:4040
                            • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                              C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                              3⤵
                              • Drops file in Program Files directory
                              PID:2656
                            • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                              C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                              3⤵
                              • Drops file in Program Files directory
                              PID:1000
                            • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                              C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                              3⤵
                                PID:2960
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                • Drops file in Program Files directory
                                PID:3284
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                • Drops file in Program Files directory
                                PID:1248
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                • Drops file in Program Files directory
                                PID:2176
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                • Drops file in Program Files directory
                                PID:1628
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                • Drops file in Program Files directory
                                PID:4056
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                • Drops file in Program Files directory
                                PID:3964
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                • Drops file in Program Files directory
                                PID:2124
                              • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                3⤵
                                  PID:3984
                                • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                  C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                  3⤵
                                  • Drops file in Program Files directory
                                  PID:1224
                                • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                  C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                  3⤵
                                  • Drops file in Program Files directory
                                  PID:3188
                                • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                  C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                  3⤵
                                  • Drops file in Program Files directory
                                  PID:2912
                                • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                  C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                  3⤵
                                  • Drops file in Program Files directory
                                  PID:1396
                                • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                  C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                  3⤵
                                    PID:1472
                                  • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                    C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                    3⤵
                                    • Drops file in Program Files directory
                                    PID:3108
                                  • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                    C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                    3⤵
                                    • Drops file in Program Files directory
                                    PID:2648
                                  • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                    C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                    3⤵
                                    • Drops file in Program Files directory
                                    PID:3924
                                  • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                    C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                    3⤵
                                    • Drops file in Program Files directory
                                    PID:1896
                                  • C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe
                                    C:\Users\Admin\AppData\Local\Temp\tgytutrc4722.exe -i SM-tgytutrc -s
                                    3⤵
                                      PID:852

                                Network

                                MITRE ATT&CK Matrix

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads