lockergoga | 661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d

Analysis

max time kernel
149s
max time network
3s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe
Size

1.2MB
MD5

37af7a672cde1b63aaf577f2e7f9794f
SHA1

5ad0add2e99f94f348b9b40c40bfec64bb132231
SHA256

661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d
SHA512

65b2a0949c59f0b00bef1cc74c14dee2317da39bf0a4ba4e5edfd223284b4a65c901220b7e405c22e09e6e8b3620c670c8587b681e533e36a5c8611cdba3244e

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	yxugwjud5458.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui	yxugwjud5458.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll	yxugwjud5458.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll	yxugwjud5458.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1548	860	WerFault.exe	30
1952	472	WerFault.exe	33
1644	668	WerFault.exe	31
336	1608	WerFault.exe	45

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
668	yxugwjud5458.exe
668	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
860	yxugwjud5458.exe
860	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
472	yxugwjud5458.exe
532	yxugwjud5458.exe
532	yxugwjud5458.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1876	cmd.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe
Token: SeBackupPrivilege	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe
Token: SeRestorePrivilege	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe
Token: SeLockMemoryPrivilege	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe
Token: SeCreateGlobalPrivilege	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe
Token: SeDebugPrivilege	524	yxugwjud5458.exe
Token: SeBackupPrivilege	524	yxugwjud5458.exe
Token: SeRestorePrivilege	524	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	524	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	524	yxugwjud5458.exe
Token: SeDebugPrivilege	860	yxugwjud5458.exe
Token: SeBackupPrivilege	860	yxugwjud5458.exe
Token: SeRestorePrivilege	860	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	860	yxugwjud5458.exe
Token: SeDebugPrivilege	472	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	860	yxugwjud5458.exe
Token: SeDebugPrivilege	532	yxugwjud5458.exe
Token: SeBackupPrivilege	472	yxugwjud5458.exe
Token: SeBackupPrivilege	532	yxugwjud5458.exe
Token: SeRestorePrivilege	472	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	472	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	472	yxugwjud5458.exe
Token: SeRestorePrivilege	532	yxugwjud5458.exe
Token: SeDebugPrivilege	668	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	532	yxugwjud5458.exe
Token: SeBackupPrivilege	668	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	532	yxugwjud5458.exe
Token: SeRestorePrivilege	668	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	668	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	668	yxugwjud5458.exe
Token: SeDebugPrivilege	864	yxugwjud5458.exe
Token: SeBackupPrivilege	864	yxugwjud5458.exe
Token: SeRestorePrivilege	864	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	864	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	864	yxugwjud5458.exe
Token: SeDebugPrivilege	1716	yxugwjud5458.exe
Token: SeBackupPrivilege	1716	yxugwjud5458.exe
Token: SeRestorePrivilege	1716	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	1716	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	1716	yxugwjud5458.exe
Token: SeDebugPrivilege	1548	WerFault.exe
Token: SeDebugPrivilege	1952	WerFault.exe
Token: SeDebugPrivilege	1748	yxugwjud5458.exe
Token: SeBackupPrivilege	1748	yxugwjud5458.exe
Token: SeRestorePrivilege	1748	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	1748	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	1748	yxugwjud5458.exe
Token: SeDebugPrivilege	1644	WerFault.exe
Token: SeDebugPrivilege	1520	yxugwjud5458.exe
Token: SeBackupPrivilege	1520	yxugwjud5458.exe
Token: SeRestorePrivilege	1520	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	1520	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	1520	yxugwjud5458.exe
Token: SeDebugPrivilege	1608	yxugwjud5458.exe
Token: SeBackupPrivilege	1608	yxugwjud5458.exe
Token: SeRestorePrivilege	1608	yxugwjud5458.exe
Token: SeLockMemoryPrivilege	1608	yxugwjud5458.exe
Token: SeCreateGlobalPrivilege	1608	yxugwjud5458.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1876	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	27
PID 1648 wrote to memory of 1876	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	27
PID 1648 wrote to memory of 1876	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	27
PID 1648 wrote to memory of 1876	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	27
PID 1648 wrote to memory of 524	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	29
PID 1648 wrote to memory of 524	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	29
PID 1648 wrote to memory of 524	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	29
PID 1648 wrote to memory of 524	1648	661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe	29
PID 524 wrote to memory of 472	524	yxugwjud5458.exe	33
PID 524 wrote to memory of 472	524	yxugwjud5458.exe	33
PID 524 wrote to memory of 472	524	yxugwjud5458.exe	33
PID 524 wrote to memory of 472	524	yxugwjud5458.exe	33
PID 524 wrote to memory of 532	524	yxugwjud5458.exe	32
PID 524 wrote to memory of 532	524	yxugwjud5458.exe	32
PID 524 wrote to memory of 532	524	yxugwjud5458.exe	32
PID 524 wrote to memory of 532	524	yxugwjud5458.exe	32
PID 524 wrote to memory of 668	524	yxugwjud5458.exe	31
PID 524 wrote to memory of 668	524	yxugwjud5458.exe	31
PID 524 wrote to memory of 668	524	yxugwjud5458.exe	31
PID 524 wrote to memory of 668	524	yxugwjud5458.exe	31
PID 524 wrote to memory of 860	524	yxugwjud5458.exe	30
PID 524 wrote to memory of 860	524	yxugwjud5458.exe	30
PID 524 wrote to memory of 860	524	yxugwjud5458.exe	30
PID 524 wrote to memory of 860	524	yxugwjud5458.exe	30
PID 524 wrote to memory of 864	524	yxugwjud5458.exe	39
PID 524 wrote to memory of 864	524	yxugwjud5458.exe	39
PID 524 wrote to memory of 864	524	yxugwjud5458.exe	39
PID 524 wrote to memory of 864	524	yxugwjud5458.exe	39
PID 860 wrote to memory of 1548	860	yxugwjud5458.exe	37
PID 860 wrote to memory of 1548	860	yxugwjud5458.exe	37
PID 860 wrote to memory of 1548	860	yxugwjud5458.exe	37
PID 860 wrote to memory of 1548	860	yxugwjud5458.exe	37
PID 472 wrote to memory of 1952	472	yxugwjud5458.exe	40
PID 472 wrote to memory of 1952	472	yxugwjud5458.exe	40
PID 472 wrote to memory of 1952	472	yxugwjud5458.exe	40
PID 472 wrote to memory of 1952	472	yxugwjud5458.exe	40
PID 524 wrote to memory of 1716	524	yxugwjud5458.exe	41
PID 524 wrote to memory of 1716	524	yxugwjud5458.exe	41
PID 524 wrote to memory of 1716	524	yxugwjud5458.exe	41
PID 524 wrote to memory of 1716	524	yxugwjud5458.exe	41
PID 668 wrote to memory of 1644	668	yxugwjud5458.exe	42
PID 668 wrote to memory of 1644	668	yxugwjud5458.exe	42
PID 668 wrote to memory of 1644	668	yxugwjud5458.exe	42
PID 668 wrote to memory of 1644	668	yxugwjud5458.exe	42
PID 524 wrote to memory of 1748	524	yxugwjud5458.exe	43
PID 524 wrote to memory of 1748	524	yxugwjud5458.exe	43
PID 524 wrote to memory of 1748	524	yxugwjud5458.exe	43
PID 524 wrote to memory of 1748	524	yxugwjud5458.exe	43
PID 524 wrote to memory of 1520	524	yxugwjud5458.exe	44
PID 524 wrote to memory of 1520	524	yxugwjud5458.exe	44
PID 524 wrote to memory of 1520	524	yxugwjud5458.exe	44
PID 524 wrote to memory of 1520	524	yxugwjud5458.exe	44
PID 524 wrote to memory of 1608	524	yxugwjud5458.exe	45
PID 524 wrote to memory of 1608	524	yxugwjud5458.exe	45
PID 524 wrote to memory of 1608	524	yxugwjud5458.exe	45
PID 524 wrote to memory of 1608	524	yxugwjud5458.exe	45

C:\Users\Admin\AppData\Local\Temp\661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe
"C:\Users\Admin\AppData\Local\Temp\661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\661c3cf835253ff1ab43ecf3ba70ee718d800e791b0158935016aa22c0e7eb0d.exe C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
  C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 184
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 184
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 184
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud5458.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 184
      4⤵
      Program crash
      PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-80-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1548-76-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1648-54-0x0000000076001000-0x0000000076003000-memory.dmp

Filesize
8KB

Download
memory/1952-77-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download