lockergoga | eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08/01/2023, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe
Size

1.2MB
MD5

16bcc3b7f32c41e7c7222bf37fe39fe6
SHA1

a25bc5442c86bdeb0dec6583f0e80e241745fb73
SHA256

eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
SHA512

f3e7087f569b3bcc201c006c5dfcea6cf560cad480bc03e6f17790190bc35bf6659e91a9f91219952bd139a3c9afde961032ee1d0861158409206feaa6540f9e
SSDEEP

24576:uj/6CtkHRos9l+zan4Q6eQqF5ZgQibE2zkMiJHic9OuTw258tox6T9G0SKoRl:A/NtkHRos9l+zan4QTB/2zkPtBq2itoP

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
688	yxugwjud3832.exe
688	yxugwjud3832.exe
580	yxugwjud3832.exe
580	yxugwjud3832.exe
1704	yxugwjud3832.exe
1704	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
1704	yxugwjud3832.exe
1704	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
1704	yxugwjud3832.exe
1704	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
1704	yxugwjud3832.exe
1704	yxugwjud3832.exe
772	yxugwjud3832.exe
772	yxugwjud3832.exe
688	yxugwjud3832.exe
688	yxugwjud3832.exe
1704	yxugwjud3832.exe
1704	yxugwjud3832.exe
580	yxugwjud3832.exe
580	yxugwjud3832.exe
1704	yxugwjud3832.exe
1704	yxugwjud3832.exe
580	yxugwjud3832.exe
580	yxugwjud3832.exe
1704	yxugwjud3832.exe
1704	yxugwjud3832.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1280	cmd.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe
Token: SeBackupPrivilege	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe
Token: SeRestorePrivilege	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe
Token: SeLockMemoryPrivilege	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe
Token: SeCreateGlobalPrivilege	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe
Token: SeDebugPrivilege	1260	yxugwjud3832.exe
Token: SeBackupPrivilege	1260	yxugwjud3832.exe
Token: SeRestorePrivilege	1260	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	1260	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	1260	yxugwjud3832.exe
Token: SeDebugPrivilege	688	yxugwjud3832.exe
Token: SeBackupPrivilege	688	yxugwjud3832.exe
Token: SeRestorePrivilege	688	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	688	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	688	yxugwjud3832.exe
Token: SeDebugPrivilege	772	yxugwjud3832.exe
Token: SeBackupPrivilege	772	yxugwjud3832.exe
Token: SeDebugPrivilege	580	yxugwjud3832.exe
Token: SeRestorePrivilege	772	yxugwjud3832.exe
Token: SeBackupPrivilege	580	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	772	yxugwjud3832.exe
Token: SeRestorePrivilege	580	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	772	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	580	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	580	yxugwjud3832.exe
Token: SeDebugPrivilege	1704	yxugwjud3832.exe
Token: SeBackupPrivilege	1704	yxugwjud3832.exe
Token: SeRestorePrivilege	1704	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	1704	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	1704	yxugwjud3832.exe
Token: SeDebugPrivilege	988	yxugwjud3832.exe
Token: SeBackupPrivilege	988	yxugwjud3832.exe
Token: SeRestorePrivilege	988	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	988	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	988	yxugwjud3832.exe
Token: SeDebugPrivilege	1100	yxugwjud3832.exe
Token: SeBackupPrivilege	1100	yxugwjud3832.exe
Token: SeRestorePrivilege	1100	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	1100	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	1100	yxugwjud3832.exe
Token: SeDebugPrivilege	1012	yxugwjud3832.exe
Token: SeBackupPrivilege	1012	yxugwjud3832.exe
Token: SeRestorePrivilege	1012	yxugwjud3832.exe
Token: SeLockMemoryPrivilege	1012	yxugwjud3832.exe
Token: SeCreateGlobalPrivilege	1012	yxugwjud3832.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1280	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	27
PID 1600 wrote to memory of 1280	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	27
PID 1600 wrote to memory of 1280	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	27
PID 1600 wrote to memory of 1280	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	27
PID 1600 wrote to memory of 1260	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	29
PID 1600 wrote to memory of 1260	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	29
PID 1600 wrote to memory of 1260	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	29
PID 1600 wrote to memory of 1260	1600	eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe	29
PID 1260 wrote to memory of 688	1260	yxugwjud3832.exe	31
PID 1260 wrote to memory of 688	1260	yxugwjud3832.exe	31
PID 1260 wrote to memory of 688	1260	yxugwjud3832.exe	31
PID 1260 wrote to memory of 688	1260	yxugwjud3832.exe	31
PID 1260 wrote to memory of 580	1260	yxugwjud3832.exe	30
PID 1260 wrote to memory of 580	1260	yxugwjud3832.exe	30
PID 1260 wrote to memory of 580	1260	yxugwjud3832.exe	30
PID 1260 wrote to memory of 580	1260	yxugwjud3832.exe	30
PID 1260 wrote to memory of 772	1260	yxugwjud3832.exe	32
PID 1260 wrote to memory of 772	1260	yxugwjud3832.exe	32
PID 1260 wrote to memory of 772	1260	yxugwjud3832.exe	32
PID 1260 wrote to memory of 772	1260	yxugwjud3832.exe	32
PID 1260 wrote to memory of 1704	1260	yxugwjud3832.exe	33
PID 1260 wrote to memory of 1704	1260	yxugwjud3832.exe	33
PID 1260 wrote to memory of 1704	1260	yxugwjud3832.exe	33
PID 1260 wrote to memory of 1704	1260	yxugwjud3832.exe	33
PID 1260 wrote to memory of 1100	1260	yxugwjud3832.exe	35
PID 1260 wrote to memory of 1100	1260	yxugwjud3832.exe	35
PID 1260 wrote to memory of 1100	1260	yxugwjud3832.exe	35
PID 1260 wrote to memory of 1100	1260	yxugwjud3832.exe	35
PID 1260 wrote to memory of 988	1260	yxugwjud3832.exe	36
PID 1260 wrote to memory of 988	1260	yxugwjud3832.exe	36
PID 1260 wrote to memory of 988	1260	yxugwjud3832.exe	36
PID 1260 wrote to memory of 988	1260	yxugwjud3832.exe	36
PID 1260 wrote to memory of 1012	1260	yxugwjud3832.exe	37
PID 1260 wrote to memory of 1012	1260	yxugwjud3832.exe	37
PID 1260 wrote to memory of 1012	1260	yxugwjud3832.exe	37
PID 1260 wrote to memory of 1012	1260	yxugwjud3832.exe	37
PID 1260 wrote to memory of 240	1260	yxugwjud3832.exe	38
PID 1260 wrote to memory of 240	1260	yxugwjud3832.exe	38
PID 1260 wrote to memory of 240	1260	yxugwjud3832.exe	38
PID 1260 wrote to memory of 240	1260	yxugwjud3832.exe	38

C:\Users\Admin\AppData\Local\Temp\eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe
"C:\Users\Admin\AppData\Local\Temp\eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0.exe C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
  C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud3832.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download