lockergoga | 09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6

Analysis

max time kernel
177s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01/02/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Size

1.2MB
MD5

63c1b0ae512be7b03dafeb33f0b0d1d1
SHA1

b51bedb106478f509d9c84406281d2d28b165e50
SHA256

09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6
SHA512

2fae034adf02fab6bfa7352ea9fae2ecce2a0eab3bb022d29aba84cc590ff4f1f25c97fb355437e12875f8e2c7cd29c73b66d806201a4abb450790f644d8d81e

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPMediaSharing.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	tgytutrc8218.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL	tgytutrc8218.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	tgytutrc8218.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\wsdetect.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\Revert.wmz	tgytutrc8218.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-black.png	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\WindowsAccessBridge-64.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	tgytutrc8218.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.scale-125.png	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\orb.idl	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\jfluid-server.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\wsdetect.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL	tgytutrc8218.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\msasxpress.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.dll	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	tgytutrc8218.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-100_contrast-black.png	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL	tgytutrc8218.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png	tgytutrc8218.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\updater.jar	tgytutrc8218.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\prism_common.dll	tgytutrc8218.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4384	tgytutrc8218.exe
4200	tgytutrc8218.exe
4384	tgytutrc8218.exe
4200	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
4384	tgytutrc8218.exe
4384	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
4200	tgytutrc8218.exe
4200	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
1308	tgytutrc8218.exe
3728	tgytutrc8218.exe
3728	tgytutrc8218.exe
3728	tgytutrc8218.exe
3728	tgytutrc8218.exe
3728	tgytutrc8218.exe
3728	tgytutrc8218.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3744	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeBackupPrivilege	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeRestorePrivilege	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeLockMemoryPrivilege	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeCreateGlobalPrivilege	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
Token: SeDebugPrivilege	3612	tgytutrc8218.exe
Token: SeBackupPrivilege	3612	tgytutrc8218.exe
Token: SeRestorePrivilege	3612	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	3612	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	3612	tgytutrc8218.exe
Token: SeDebugPrivilege	1308	tgytutrc8218.exe
Token: SeBackupPrivilege	1308	tgytutrc8218.exe
Token: SeRestorePrivilege	1308	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	1308	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	1308	tgytutrc8218.exe
Token: SeDebugPrivilege	4200	tgytutrc8218.exe
Token: SeBackupPrivilege	4200	tgytutrc8218.exe
Token: SeRestorePrivilege	4200	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	4200	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	4200	tgytutrc8218.exe
Token: SeDebugPrivilege	4384	tgytutrc8218.exe
Token: SeBackupPrivilege	4384	tgytutrc8218.exe
Token: SeRestorePrivilege	4384	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	4384	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	4384	tgytutrc8218.exe
Token: SeDebugPrivilege	3728	tgytutrc8218.exe
Token: SeBackupPrivilege	3728	tgytutrc8218.exe
Token: SeRestorePrivilege	3728	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	3728	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	3728	tgytutrc8218.exe
Token: SeDebugPrivilege	1888	tgytutrc8218.exe
Token: SeBackupPrivilege	1888	tgytutrc8218.exe
Token: SeRestorePrivilege	1888	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	1888	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	1888	tgytutrc8218.exe
Token: SeDebugPrivilege	2804	tgytutrc8218.exe
Token: SeBackupPrivilege	2804	tgytutrc8218.exe
Token: SeRestorePrivilege	2804	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	2804	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	2804	tgytutrc8218.exe
Token: SeDebugPrivilege	4364	tgytutrc8218.exe
Token: SeBackupPrivilege	4364	tgytutrc8218.exe
Token: SeRestorePrivilege	4364	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	4364	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	4364	tgytutrc8218.exe
Token: SeDebugPrivilege	5064	tgytutrc8218.exe
Token: SeBackupPrivilege	5064	tgytutrc8218.exe
Token: SeRestorePrivilege	5064	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	5064	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	5064	tgytutrc8218.exe
Token: SeDebugPrivilege	4392	tgytutrc8218.exe
Token: SeBackupPrivilege	4392	tgytutrc8218.exe
Token: SeRestorePrivilege	4392	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	4392	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	4392	tgytutrc8218.exe
Token: SeDebugPrivilege	1060	tgytutrc8218.exe
Token: SeBackupPrivilege	1060	tgytutrc8218.exe
Token: SeRestorePrivilege	1060	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	1060	tgytutrc8218.exe
Token: SeCreateGlobalPrivilege	1060	tgytutrc8218.exe
Token: SeDebugPrivilege	4808	tgytutrc8218.exe
Token: SeBackupPrivilege	4808	tgytutrc8218.exe
Token: SeRestorePrivilege	4808	tgytutrc8218.exe
Token: SeLockMemoryPrivilege	4808	tgytutrc8218.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3744	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	86
PID 4164 wrote to memory of 3744	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	86
PID 4164 wrote to memory of 3612	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	88
PID 4164 wrote to memory of 3612	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	88
PID 4164 wrote to memory of 3612	4164	09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe	88
PID 3612 wrote to memory of 3608	3612	tgytutrc8218.exe	89
PID 3612 wrote to memory of 3608	3612	tgytutrc8218.exe	89
PID 3612 wrote to memory of 3400	3612	tgytutrc8218.exe	90
PID 3612 wrote to memory of 3400	3612	tgytutrc8218.exe	90
PID 3612 wrote to memory of 3452	3612	tgytutrc8218.exe	92
PID 3612 wrote to memory of 3452	3612	tgytutrc8218.exe	92
PID 3612 wrote to memory of 3576	3612	tgytutrc8218.exe	96
PID 3612 wrote to memory of 3576	3612	tgytutrc8218.exe	96
PID 3612 wrote to memory of 3580	3612	tgytutrc8218.exe	95
PID 3612 wrote to memory of 3580	3612	tgytutrc8218.exe	95
PID 3612 wrote to memory of 5048	3612	tgytutrc8218.exe	99
PID 3612 wrote to memory of 5048	3612	tgytutrc8218.exe	99
PID 5048 wrote to memory of 4452	5048	net.exe	101
PID 5048 wrote to memory of 4452	5048	net.exe	101
PID 3612 wrote to memory of 4068	3612	tgytutrc8218.exe	102
PID 3612 wrote to memory of 4068	3612	tgytutrc8218.exe	102
PID 4068 wrote to memory of 4480	4068	net.exe	104
PID 4068 wrote to memory of 4480	4068	net.exe	104
PID 3612 wrote to memory of 1308	3612	tgytutrc8218.exe	106
PID 3612 wrote to memory of 1308	3612	tgytutrc8218.exe	106
PID 3612 wrote to memory of 1308	3612	tgytutrc8218.exe	106
PID 3612 wrote to memory of 4200	3612	tgytutrc8218.exe	107
PID 3612 wrote to memory of 4200	3612	tgytutrc8218.exe	107
PID 3612 wrote to memory of 4200	3612	tgytutrc8218.exe	107
PID 3612 wrote to memory of 4384	3612	tgytutrc8218.exe	108
PID 3612 wrote to memory of 4384	3612	tgytutrc8218.exe	108
PID 3612 wrote to memory of 4384	3612	tgytutrc8218.exe	108
PID 3612 wrote to memory of 3728	3612	tgytutrc8218.exe	109
PID 3612 wrote to memory of 3728	3612	tgytutrc8218.exe	109
PID 3612 wrote to memory of 3728	3612	tgytutrc8218.exe	109
PID 3612 wrote to memory of 1888	3612	tgytutrc8218.exe	110
PID 3612 wrote to memory of 1888	3612	tgytutrc8218.exe	110
PID 3612 wrote to memory of 1888	3612	tgytutrc8218.exe	110
PID 3612 wrote to memory of 2804	3612	tgytutrc8218.exe	112
PID 3612 wrote to memory of 2804	3612	tgytutrc8218.exe	112
PID 3612 wrote to memory of 2804	3612	tgytutrc8218.exe	112
PID 3612 wrote to memory of 4364	3612	tgytutrc8218.exe	113
PID 3612 wrote to memory of 4364	3612	tgytutrc8218.exe	113
PID 3612 wrote to memory of 4364	3612	tgytutrc8218.exe	113
PID 3612 wrote to memory of 5064	3612	tgytutrc8218.exe	114
PID 3612 wrote to memory of 5064	3612	tgytutrc8218.exe	114
PID 3612 wrote to memory of 5064	3612	tgytutrc8218.exe	114
PID 3612 wrote to memory of 4392	3612	tgytutrc8218.exe	115
PID 3612 wrote to memory of 4392	3612	tgytutrc8218.exe	115
PID 3612 wrote to memory of 4392	3612	tgytutrc8218.exe	115
PID 3612 wrote to memory of 1060	3612	tgytutrc8218.exe	117
PID 3612 wrote to memory of 1060	3612	tgytutrc8218.exe	117
PID 3612 wrote to memory of 1060	3612	tgytutrc8218.exe	117
PID 3612 wrote to memory of 4808	3612	tgytutrc8218.exe	119
PID 3612 wrote to memory of 4808	3612	tgytutrc8218.exe	119
PID 3612 wrote to memory of 4808	3612	tgytutrc8218.exe	119
PID 3612 wrote to memory of 4800	3612	tgytutrc8218.exe	120
PID 3612 wrote to memory of 4800	3612	tgytutrc8218.exe	120
PID 3612 wrote to memory of 4800	3612	tgytutrc8218.exe	120
PID 3612 wrote to memory of 1160	3612	tgytutrc8218.exe	121
PID 3612 wrote to memory of 1160	3612	tgytutrc8218.exe	121
PID 3612 wrote to memory of 1160	3612	tgytutrc8218.exe	121
PID 3612 wrote to memory of 1548	3612	tgytutrc8218.exe	123
PID 3612 wrote to memory of 1548	3612	tgytutrc8218.exe	123

C:\Users\Admin\AppData\Local\Temp\09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe
"C:\Users\Admin\AppData\Local\Temp\09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\09221fce03bc396351a5dc73e42a3b5dd93b64b12c74259341a7a878aa0897f6.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
  C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:3608
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:3400
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:3452
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:3580
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:3576
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
      4⤵
      PID:4452
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
      4⤵
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4164
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:964
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4904
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:936
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3628
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4872
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:4144
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4896
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3272
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:780
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    PID:4660
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8218.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2992

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4c46bbddf1f0454492dfef180aac2266 XUKIHa4KP0WdUtg8yf/lTA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4692

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads