lock_Setup.exe

Queries for the computername (4 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 25, 2021, 2:27 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 25, 2021, 2:27 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 25, 2021, 2:27 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 25, 2021, 2:27 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 2:34 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 2:34 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b62000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 25, 2021, 2:28 p.m.	total_number_of_free_bytes: 13727109120 free_bytes_available: 13727109120 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Checks for known Chinese AV sofware registry keys (1 event)

regkey

.*360Safe

Attempts to modify Internet Explorer's start page (6 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page
registry	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\Start Page
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
registry	HKEY_CURRENT_USER\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\Main\Start Page
registry	HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk

Creates a shortcut to an executable file (22 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\????? ?? 2010.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\?? ??.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk

Creates a suspicious process (2 events)

cmdline	cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\test22\AppData\Local\Temp\lock_Setup.exe"
cmdline	C:\Windows\system32\cmd.exe /C regini %temp%\regini.ini

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\lock_Setup.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x00000124 process_name: mobsync.exe process_identifier: 2492	1	1	0
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 604	1	1	0
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x00000124 process_name: lock_Setup.exe process_identifier: 2768	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x00054e00', u'virtual_address': u'0x00098000', u'entropy': 7.9371091744154985, u'name': u'UPX1', u'virtual_size': u'0x00055000'}				entropy	7.93710917442				description	A section with a high entropy has been found
entropy	0.788617886179				description	Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\test22\AppData\Local\Temp\lock_Setup.exe"
cmdline	ping -n 3 127.1

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.Click3.29713
MicroWorld-eScan	Trojan.GenericKD.46514503
ALYac	Trojan.GenericKD.46514503
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Generic.D2C5C147
Cyren	W32/Trojan.MOTR-5742
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.46514503
AegisLab	Trojan.Multi.Generic.4!c
Avast	Win32:Malware-gen
Ad-Aware	Trojan.GenericKD.46514503
Sophos	Mal/Generic-S
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_FRS.VSNTFJ21
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.gc
FireEye	Generic.mg.4c5c0403d852fcd4
Emsisoft	Trojan.GenericKD.46514503 (B)
Jiangmin	Variant.Symmi.aeh
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Generic.ASMalwS.1C1636F
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Worm:Win32/Vigorf.A
GData	Trojan.GenericKD.46514503
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4531354
McAfee	RDN/Generic.cf
VBA32	Trojan.SelfDel
Malwarebytes	Malware.AI.1478680933
TrendMicro-HouseCall	TROJ_FRS.VSNTFJ21
Rising	Trojan.Obfus/Autoit!1.D77B (CLASSIC)
Yandex	Trojan.GenAsa!NHzzuRkQa3Y
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen