lockergoga | 037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310

Analysis

max time kernel
160s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Size

1.2MB
MD5

1f63061d9ace24c0b6a62332bef23859
SHA1

3983993ede8c08f77fc0a0c30e7aefc0d623e1ee
SHA256

037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310
SHA512

e76c54267e7d5b9c5b05bc7a41737ea870551be3051330fc1edaf4008a6907db6da7e4db0aa2472fdbdd9ab6a7d59f859dc658ecf717a83d7f2eb202093ac686

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1460	112	WerFault.exe	33
1988	540	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
540	yxugwjud8690.exe
540	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
540	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
112	yxugwjud8690.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1460	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1848	cmd.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeBackupPrivilege	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeRestorePrivilege	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeLockMemoryPrivilege	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeCreateGlobalPrivilege	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeDebugPrivilege	836	yxugwjud8690.exe
Token: SeBackupPrivilege	836	yxugwjud8690.exe
Token: SeRestorePrivilege	836	yxugwjud8690.exe
Token: SeLockMemoryPrivilege	836	yxugwjud8690.exe
Token: SeCreateGlobalPrivilege	836	yxugwjud8690.exe
Token: SeDebugPrivilege	540	yxugwjud8690.exe
Token: SeDebugPrivilege	112	yxugwjud8690.exe
Token: SeBackupPrivilege	112	yxugwjud8690.exe
Token: SeBackupPrivilege	540	yxugwjud8690.exe
Token: SeRestorePrivilege	112	yxugwjud8690.exe
Token: SeLockMemoryPrivilege	112	yxugwjud8690.exe
Token: SeCreateGlobalPrivilege	112	yxugwjud8690.exe
Token: SeRestorePrivilege	540	yxugwjud8690.exe
Token: SeLockMemoryPrivilege	540	yxugwjud8690.exe
Token: SeCreateGlobalPrivilege	540	yxugwjud8690.exe
Token: SeDebugPrivilege	1460	WerFault.exe
Token: SeDebugPrivilege	1988	WerFault.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1848	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	27
PID 1672 wrote to memory of 1848	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	27
PID 1672 wrote to memory of 1848	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	27
PID 1672 wrote to memory of 1848	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	27
PID 1672 wrote to memory of 836	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	29
PID 1672 wrote to memory of 836	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	29
PID 1672 wrote to memory of 836	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	29
PID 1672 wrote to memory of 836	1672	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	29
PID 836 wrote to memory of 536	836	yxugwjud8690.exe	30
PID 836 wrote to memory of 536	836	yxugwjud8690.exe	30
PID 836 wrote to memory of 536	836	yxugwjud8690.exe	30
PID 836 wrote to memory of 536	836	yxugwjud8690.exe	30
PID 836 wrote to memory of 540	836	yxugwjud8690.exe	32
PID 836 wrote to memory of 540	836	yxugwjud8690.exe	32
PID 836 wrote to memory of 540	836	yxugwjud8690.exe	32
PID 836 wrote to memory of 540	836	yxugwjud8690.exe	32
PID 836 wrote to memory of 552	836	yxugwjud8690.exe	31
PID 836 wrote to memory of 552	836	yxugwjud8690.exe	31
PID 836 wrote to memory of 552	836	yxugwjud8690.exe	31
PID 836 wrote to memory of 552	836	yxugwjud8690.exe	31
PID 836 wrote to memory of 112	836	yxugwjud8690.exe	33
PID 836 wrote to memory of 112	836	yxugwjud8690.exe	33
PID 836 wrote to memory of 112	836	yxugwjud8690.exe	33
PID 836 wrote to memory of 112	836	yxugwjud8690.exe	33
PID 112 wrote to memory of 1460	112	yxugwjud8690.exe	36
PID 112 wrote to memory of 1460	112	yxugwjud8690.exe	36
PID 112 wrote to memory of 1460	112	yxugwjud8690.exe	36
PID 112 wrote to memory of 1460	112	yxugwjud8690.exe	36
PID 540 wrote to memory of 1988	540	yxugwjud8690.exe	37
PID 540 wrote to memory of 1988	540	yxugwjud8690.exe	37
PID 540 wrote to memory of 1988	540	yxugwjud8690.exe	37
PID 540 wrote to memory of 1988	540	yxugwjud8690.exe	37

C:\Users\Admin\AppData\Local\Temp\037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
"C:\Users\Admin\AppData\Local\Temp\037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe
  C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 184
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud8690.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 184
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-66-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1672-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1988-67-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download