Edit tour

Windows Analysis Report
lock.exe

Overview

General Information

Sample name:	lock.exe
Analysis ID:	1587970
MD5:	298dcbbe53e340a4a430c430ec9e3b5d
SHA1:	0231acec8068d615edf6b6eb1abc3d4afb828028
SHA256:	b58b7853318f6c9f0d66d1f2a8d7ff5ad42be424fdf8e04615d8c38980b3811b
Tags:	cryptcryptlockerexelockerpythontrojanuser-gesgov
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found pyInstaller with non standard icon

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

lock.exe (PID: 3268 cmdline: "C:\Users\user\Desktop\lock.exe" MD5: 298DCBBE53E340A4A430C430EC9E3B5D)

conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lock.exe (PID: 1816 cmdline: "C:\Users\user\Desktop\lock.exe" MD5: 298DCBBE53E340A4A430C430EC9E3B5D)

cleanup

Code function: 0_2_00007FF693144C40 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF693144C40

Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lock.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32682\_lzma.pyd	Jump to dropped file