Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 19, 2021, 9:01 a.m.	June 19, 2021, 9:05 a.m.

Size	763.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`688cba9c88f928b0cf854b43e97bec75`
SHA256	`481509a67f836e3826fd7835cded0619a1491ed914152d893c6d8ac950445f4f`
CRC32	`53D5A3A8`
ssdeep	`12288:0hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aZ+u4L7v8MRv:MRmJkcoQricOIQxiZY1iaZB43LF`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

KarLocker_exe.exe "C:\Users\test22\AppData\Local\Temp\KarLocker_exe.exe"
2972
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 19, 2021, 9:01 a.m.			0	0
IsDebuggerPresent June 19, 2021, 9:01 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 19, 2021, 9:01 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 19, 2021, 9:01 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 19, 2021, 9:02 a.m.	total_number_of_free_bytes: 13725929472 free_bytes_available: 13725929472 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates (office) documents on the filesystem (18 events)

file	C:\Users\test22\Documents\Lock.FAaWoqRZplEQFsGvV.docm
file	C:\Users\test22\Documents\Lock.readme.xls
file	C:\Users\test22\Documents\Lock.cXMLMLMlMJidCP.doc
file	C:\Users\test22\Documents\Lock.ONyeiyAHXnG.docx
file	C:\Users\test22\Documents\Lock.FOwRatdvSt.docm
file	C:\Users\test22\Documents\Lock.sByekmDWYN.docm
file	C:\Users\test22\Documents\Lock.axTZwDBeUngqBG.ppt
file	C:\Users\test22\Documents\Lock.OejfVnyKEZi.docx
file	C:\Users\test22\Documents\Lock.tZFlnDanbFCgvTi.docm
file	C:\Users\test22\Documents\Lock.readme.doc
file	C:\Users\test22\Documents\Lock.HnLBNMQcuiDk.docm
file	C:\Users\test22\Documents\Lock.wROAvotNOWsR.ppt
file	C:\Users\test22\Documents\Lock.vBALutNOxj.pptx
file	C:\Users\test22\Documents\Lock.ATwjKHHgPIXqpQbCw.doc
file	C:\Users\test22\Documents\Lock.mHOldbtpjtgW.pptx
file	C:\Users\test22\Documents\Lock.JDHeJjBWHuxqp.doc
file	C:\Users\test22\Documents\Lock.YjNGHHaCFd.docx
file	C:\Users\test22\Documents\Lock.WmXfDlmbAt.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk

Creates a shortcut to an executable file (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: mobsync.exe process_identifier: 2060	1	1
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: pw.exe process_identifier: 3060	1	1
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: taskhost.exe process_identifier: 2576	1	1
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972	1	1
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 564 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: dllhost.exe process_identifier: 2388		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0
Process32NextW June 19, 2021, 9:01 a.m.	snapshot_handle: 0x000001a0 process_name: KarLocker_exe.exe process_identifier: 2972		0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk

Attempts to modify desktop wallpaper (1 event)

registry

HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper

Drops 63 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 63 events)

file	C:\Users\test22\Documents\Lock.LLpBgBfEvgEiJ.txt
file	C:\Users\test22\Documents\Lock.NXaoSxjTqzdYG.txt
file	C:\Users\test22\Documents\ZyMQVIOJRV.rtf
file	C:\Users\test22\Documents\HnLBNMQcuiDk.docm
file	C:\Users\test22\Documents\JDHeJjBWHuxqp.doc
file	C:\Users\test22\Documents\OejfVnyKEZi.docx
file	C:\Users\test22\Documents\Lock.desktop.ini
file	C:\Users\test22\Documents\Lock.WmXfDlmbAt.doc
file	C:\Users\test22\Documents\vBALutNOxj.pptx
file	C:\Users\test22\Documents\Lock.FOwRatdvSt.docm
file	C:\Users\test22\Documents\YjNGHHaCFd.docx
file	C:\Users\test22\Documents\Lock.axTZwDBeUngqBG.ppt
file	C:\Users\test22\Videos\Lock.desktop.ini
file	C:\Users\test22\AppData\Local\Lock.GDIPFONTCACHEV1.DAT
file	C:\Users\test22\Documents\gxeffFGQwhrjD.rtf
file	C:\Users\test22\Documents\FOwRatdvSt.docm
file	C:\Users\Public\Documents\Lock.desktop.ini
file	C:\Users\Public\Pictures\Lock.desktop.ini
file	C:\Users\test22\Pictures\Lock.readme.bmp
file	C:\Users\test22\Documents\Lock.gxeffFGQwhrjD.rtf
file	C:\Users\test22\Documents\Lock.HnLBNMQcuiDk.docm
file	C:\Users\test22\AppData\Local\Lock.IconCache.db
file	C:\Users\test22\Documents\mHOldbtpjtgW.pptx
file	C:\Users\test22\Documents\sByekmDWYN.docm
file	C:\Users\test22\Documents\Lock.cXMLMLMlMJidCP.doc
file	C:\Users\test22\Documents\Lock.tZFlnDanbFCgvTi.docm
file	C:\Users\test22\Documents\wROAvotNOWsR.ppt
file	C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm
file	C:\Users\test22\Documents\Lock.mHOldbtpjtgW.pptx
file	C:\Users\test22\Documents\Lock.sByekmDWYN.docm
file	C:\Users\test22\Documents\Lock.ONyeiyAHXnG.docx
file	C:\Users\test22\Documents\LLpBgBfEvgEiJ.txt
file	C:\Users\test22\AppData\Local\IconCache.db
file	C:\Users\test22\Documents\Lock.xTgoutelmxZUthF.rtf
file	C:\Users\test22\Documents\Lock.ZyMQVIOJRV.rtf
file	C:\Users\test22\Pictures\Lock.desktop.ini
file	C:\Users\test22\Music\Lock.desktop.ini
file	C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt
file	C:\Users\test22\Documents\Lock.YjNGHHaCFd.docx
file	C:\Users\test22\Documents\ONyeiyAHXnG.docx
file	C:\Users\test22\Documents\Lock.QAXyTXeWuxZprZY.rtf
file	C:\Users\test22\Documents\cXMLMLMlMJidCP.doc
file	C:\Users\test22\Documents\Lock.CJgZNzWBCXYHnBkZq.txt
file	C:\Users\test22\Documents\Lock.xTuXcPDuCnGBi.rtf
file	C:\Users\Public\Videos\Lock.desktop.ini
file	C:\Users\test22\Desktop\Lock.desktop.ini
file	C:\Users\test22\Documents\Lock.jsGIrPlHsPM.txt
file	C:\Users\test22\Documents\Lock.JDHeJjBWHuxqp.doc
file	C:\Users\test22\Documents\jsGIrPlHsPM.txt
file	C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Generic.Ransom.Locked.767B115C
McAfee	Artemis!688CBA9C88F9
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Ransom:Win32/Pocrimcrypt.cfc916b8
Cybereason	malicious.c88f92
Arcabit	Generic.Ransom.Locked.767B115C
Symantec	Ransom.Cryptolocker
ESET-NOD32	a variant of Win32/Filecoder.Crypt888.B
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Autoit-6992337-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Generic.Ransom.Locked.767B115C
Avast	AutoIt:Ransom-L [Trj]
Tencent	Win32.Trojan.Filecoder.Wpts
Ad-Aware	Generic.Ransom.Locked.767B115C
Emsisoft	Generic.Ransom.Locked.767B115C (B)
F-Secure	Heuristic.HEUR/AGEN.1110296
DrWeb	Trojan.Encoder.24597
TrendMicro	Ransom.AutoIt.CRYPTEIGHT.SMTH
McAfee-GW-Edition	BehavesLike.Win32.Dropper.bh
MaxSecure	Trojan.Autoit.AZA
FireEye	Generic.mg.688cba9c88f928b0
Ikarus	Win32.Outbreak
Jiangmin	Trojan.Banker.Agent.cal
Avira	HEUR/AGEN.1110296
Antiy-AVL	Trojan/Generic.ASCommon.1A0
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Ransom:Win32/Pocrimcrypt.A
AegisLab	Trojan.Win32.Autoit.lzM7
GData	Generic.Ransom.Locked.767B115C (2x)
Cynet	Malicious (score: 99)
ALYac	Generic.Ransom.Locked.767B115C
MAX	malware (ai score=88)
Malwarebytes	Malware.AI.3512376734
TrendMicro-HouseCall	Ransom.AutoIt.CRYPTEIGHT.SMTH
Rising	Ransom.Crypt888/Autoit!1.C27B (CLASSIC)
eGambit	Unsafe.AI_Score_62%
Fortinet	W32/Filecoder.DYB!tr
BitDefenderTheta	AI:Packer.E19D7A3317
AVG	AutoIt:Ransom-L [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

KarLocker_exe.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All