lockergoga | 09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6

Analysis

max time kernel
157s
max time network
139s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Size

1.2MB
MD5

63c1b0ae512be7b03dafeb33f0b0d1d1
SHA1

b51bedb106478f509d9c84406281d2d28b165e50
SHA256

09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6
SHA512

2fae034adf02fab6bfa7352ea9fae2ecce2a0eab3bb022d29aba84cc590ff4f1f25c97fb355437e12875f8e2c7cd29c73b66d806201a4abb450790f644d8d81e

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HLS.api	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	tgytutrc7117.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html	tgytutrc7117.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipBand.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\SETUP.XML	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\weblink.api	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.ELM	tgytutrc7117.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\micaut.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF	tgytutrc7117.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac	tgytutrc7117.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.ELM	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.INF	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\PREVIEW.GIF	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\extensibility.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML	tgytutrc7117.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\mip.exe.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG	tgytutrc7117.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	tgytutrc7117.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1716	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
2000	tgytutrc7117.exe
2000	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
2000	tgytutrc7117.exe
2000	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
1856	tgytutrc7117.exe
1856	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
2000	tgytutrc7117.exe
2000	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
2000	tgytutrc7117.exe
2000	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe
756	tgytutrc7117.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
828	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeBackupPrivilege	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeRestorePrivilege	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeLockMemoryPrivilege	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeCreateGlobalPrivilege	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeDebugPrivilege	1724	tgytutrc7117.exe
Token: SeBackupPrivilege	1724	tgytutrc7117.exe
Token: SeRestorePrivilege	1724	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1724	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1724	tgytutrc7117.exe
Token: SeDebugPrivilege	1716	tgytutrc7117.exe
Token: SeBackupPrivilege	1716	tgytutrc7117.exe
Token: SeDebugPrivilege	1856	tgytutrc7117.exe
Token: SeRestorePrivilege	1716	tgytutrc7117.exe
Token: SeBackupPrivilege	1856	tgytutrc7117.exe
Token: SeRestorePrivilege	1856	tgytutrc7117.exe
Token: SeDebugPrivilege	756	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1716	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1856	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1716	tgytutrc7117.exe
Token: SeBackupPrivilege	756	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1856	tgytutrc7117.exe
Token: SeRestorePrivilege	756	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	756	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	756	tgytutrc7117.exe
Token: SeDebugPrivilege	2000	tgytutrc7117.exe
Token: SeBackupPrivilege	2000	tgytutrc7117.exe
Token: SeRestorePrivilege	2000	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	2000	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	2000	tgytutrc7117.exe
Token: SeDebugPrivilege	1632	tgytutrc7117.exe
Token: SeBackupPrivilege	1632	tgytutrc7117.exe
Token: SeRestorePrivilege	1632	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1632	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1632	tgytutrc7117.exe
Token: SeDebugPrivilege	1536	tgytutrc7117.exe
Token: SeBackupPrivilege	1536	tgytutrc7117.exe
Token: SeRestorePrivilege	1536	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1536	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1536	tgytutrc7117.exe
Token: SeDebugPrivilege	1744	tgytutrc7117.exe
Token: SeBackupPrivilege	1744	tgytutrc7117.exe
Token: SeRestorePrivilege	1744	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1744	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1744	tgytutrc7117.exe
Token: SeDebugPrivilege	1956	tgytutrc7117.exe
Token: SeBackupPrivilege	1956	tgytutrc7117.exe
Token: SeRestorePrivilege	1956	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1956	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1956	tgytutrc7117.exe
Token: SeDebugPrivilege	1720	tgytutrc7117.exe
Token: SeDebugPrivilege	2024	tgytutrc7117.exe
Token: SeBackupPrivilege	1720	tgytutrc7117.exe
Token: SeBackupPrivilege	2024	tgytutrc7117.exe
Token: SeRestorePrivilege	1720	tgytutrc7117.exe
Token: SeRestorePrivilege	2024	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	1720	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	2024	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	1720	tgytutrc7117.exe
Token: SeCreateGlobalPrivilege	2024	tgytutrc7117.exe
Token: SeDebugPrivilege	108	tgytutrc7117.exe
Token: SeBackupPrivilege	108	tgytutrc7117.exe
Token: SeRestorePrivilege	108	tgytutrc7117.exe
Token: SeLockMemoryPrivilege	108	tgytutrc7117.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 828	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	27
PID 1668 wrote to memory of 828	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	27
PID 1668 wrote to memory of 828	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	27
PID 1668 wrote to memory of 828	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	27
PID 1668 wrote to memory of 1724	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	29
PID 1668 wrote to memory of 1724	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	29
PID 1668 wrote to memory of 1724	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	29
PID 1668 wrote to memory of 1724	1668	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	29
PID 1724 wrote to memory of 368	1724	tgytutrc7117.exe	30
PID 1724 wrote to memory of 368	1724	tgytutrc7117.exe	30
PID 1724 wrote to memory of 368	1724	tgytutrc7117.exe	30
PID 1724 wrote to memory of 368	1724	tgytutrc7117.exe	30
PID 1724 wrote to memory of 576	1724	tgytutrc7117.exe	31
PID 1724 wrote to memory of 576	1724	tgytutrc7117.exe	31
PID 1724 wrote to memory of 576	1724	tgytutrc7117.exe	31
PID 1724 wrote to memory of 576	1724	tgytutrc7117.exe	31
PID 1724 wrote to memory of 320	1724	tgytutrc7117.exe	32
PID 1724 wrote to memory of 320	1724	tgytutrc7117.exe	32
PID 1724 wrote to memory of 320	1724	tgytutrc7117.exe	32
PID 1724 wrote to memory of 320	1724	tgytutrc7117.exe	32
PID 1724 wrote to memory of 736	1724	tgytutrc7117.exe	33
PID 1724 wrote to memory of 736	1724	tgytutrc7117.exe	33
PID 1724 wrote to memory of 736	1724	tgytutrc7117.exe	33
PID 1724 wrote to memory of 736	1724	tgytutrc7117.exe	33
PID 1724 wrote to memory of 556	1724	tgytutrc7117.exe	34
PID 1724 wrote to memory of 556	1724	tgytutrc7117.exe	34
PID 1724 wrote to memory of 556	1724	tgytutrc7117.exe	34
PID 1724 wrote to memory of 556	1724	tgytutrc7117.exe	34
PID 1724 wrote to memory of 876	1724	tgytutrc7117.exe	40
PID 1724 wrote to memory of 876	1724	tgytutrc7117.exe	40
PID 1724 wrote to memory of 876	1724	tgytutrc7117.exe	40
PID 1724 wrote to memory of 876	1724	tgytutrc7117.exe	40
PID 876 wrote to memory of 1100	876	net.exe	42
PID 876 wrote to memory of 1100	876	net.exe	42
PID 876 wrote to memory of 1100	876	net.exe	42
PID 1724 wrote to memory of 1960	1724	tgytutrc7117.exe	44
PID 1724 wrote to memory of 1960	1724	tgytutrc7117.exe	44
PID 1724 wrote to memory of 1960	1724	tgytutrc7117.exe	44
PID 1724 wrote to memory of 1960	1724	tgytutrc7117.exe	44
PID 1960 wrote to memory of 1992	1960	net.exe	46
PID 1960 wrote to memory of 1992	1960	net.exe	46
PID 1960 wrote to memory of 1992	1960	net.exe	46
PID 1724 wrote to memory of 1716	1724	tgytutrc7117.exe	47
PID 1724 wrote to memory of 1716	1724	tgytutrc7117.exe	47
PID 1724 wrote to memory of 1716	1724	tgytutrc7117.exe	47
PID 1724 wrote to memory of 1716	1724	tgytutrc7117.exe	47
PID 1724 wrote to memory of 756	1724	tgytutrc7117.exe	48
PID 1724 wrote to memory of 756	1724	tgytutrc7117.exe	48
PID 1724 wrote to memory of 756	1724	tgytutrc7117.exe	48
PID 1724 wrote to memory of 756	1724	tgytutrc7117.exe	48
PID 1724 wrote to memory of 1856	1724	tgytutrc7117.exe	49
PID 1724 wrote to memory of 1856	1724	tgytutrc7117.exe	49
PID 1724 wrote to memory of 1856	1724	tgytutrc7117.exe	49
PID 1724 wrote to memory of 1856	1724	tgytutrc7117.exe	49
PID 1724 wrote to memory of 2000	1724	tgytutrc7117.exe	50
PID 1724 wrote to memory of 2000	1724	tgytutrc7117.exe	50
PID 1724 wrote to memory of 2000	1724	tgytutrc7117.exe	50
PID 1724 wrote to memory of 2000	1724	tgytutrc7117.exe	50
PID 1724 wrote to memory of 1632	1724	tgytutrc7117.exe	54
PID 1724 wrote to memory of 1632	1724	tgytutrc7117.exe	54
PID 1724 wrote to memory of 1632	1724	tgytutrc7117.exe	54
PID 1724 wrote to memory of 1632	1724	tgytutrc7117.exe	54
PID 1724 wrote to memory of 1536	1724	tgytutrc7117.exe	56
PID 1724 wrote to memory of 1536	1724	tgytutrc7117.exe	56

C:\Users\Admin\AppData\Local\Temp\09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
"C:\Users\Admin\AppData\Local\Temp\09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:828
- C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
  C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:368
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:576
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:320
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:736
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:556
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
      4⤵
      PID:1100
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
      4⤵
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1460
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:764
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1328
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1004
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1096
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1340
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc7117.exe -i SM-tgytutrc -s
    3⤵
    PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download