c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d

General

Target

123.exe
Size

9.3MB
MD5

49e1e065b2d619c84ce34f2bf5b04105
SHA1

3b4c8300fcc847c715a6f8d9606c3daabfa9365d
SHA256

c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d
SHA512

d28e8663ee08923b0b4ba8729329bd25ca054db648f3fb43aa037e1cc87e725954450f5d132457dc506836f03d8c5faa3c2031b2624a7be011037179e6ef06b1

Score

10^/10

evasion ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@LegionReadMe@.txt

Ransom Note

Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is at the bottom of the sheet) and attach 4-5 encrypted files. You have to pay $120 in bitcoin to decrypt other files. How to contact us? 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us (CobraLocker@mail2tor.com) What if i have already paid? Send your Bitcoin wallet ID to e-mail provided above P.S. Do not modify encrypted files Our bitcoin address 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

Emails

CobraLocker@mail2tor.com

Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

123.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SelectPop.raw => C:\Users\Admin\Pictures\SelectPop.raw.Legion	123.exe
File renamed	C:\Users\Admin\Pictures\SelectRead.crw => C:\Users\Admin\Pictures\SelectRead.crw.Legion	123.exe
File renamed	C:\Users\Admin\Pictures\ConnectSet.crw => C:\Users\Admin\Pictures\ConnectSet.crw.Legion	123.exe
File renamed	C:\Users\Admin\Pictures\DenyRequest.png => C:\Users\Admin\Pictures\DenyRequest.png.Legion	123.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	123.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/788-61-0x0000000000C90000-0x0000000000C91000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

123.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 123.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	123.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

123.exe

pid process

788 123.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1632	vssadmin.exe
472	vssadmin.exe
2040	vssadmin.exe
1848	vssadmin.exe
1616	vssadmin.exe
848	vssadmin.exe
832	vssadmin.exe
1544	vssadmin.exe
572	vssadmin.exe
1688	vssadmin.exe
1384	vssadmin.exe
1624	vssadmin.exe
2036	vssadmin.exe
1824	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

123.exe

pid	process
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe
788	123.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

123.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	788	123.exe
Token: SeBackupPrivilege	1696	vssvc.exe
Token: SeRestorePrivilege	1696	vssvc.exe
Token: SeAuditPrivilege	1696	vssvc.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

123.execmd.exe

description	pid	process	target process
PID 788 wrote to memory of 1344	788	123.exe	cmd.exe
PID 788 wrote to memory of 1344	788	123.exe	cmd.exe
PID 788 wrote to memory of 1344	788	123.exe	cmd.exe
PID 788 wrote to memory of 1344	788	123.exe	cmd.exe
PID 1344 wrote to memory of 832	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 832	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 832	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 832	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 472	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 472	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 472	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 472	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1544	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1544	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1544	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1544	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2036	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2036	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2036	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2036	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1824	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1824	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1824	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1824	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 572	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 572	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 572	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 572	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2040	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2040	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2040	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 2040	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1616	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1616	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1616	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1616	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1688	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1688	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1688	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1688	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1384	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1384	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1384	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1384	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1632	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1632	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1632	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1632	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1848	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1624	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1624	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1624	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1624	1344	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WTHBNZD.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:832

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:472

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1544

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2036

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1824

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:572

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2040

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1616

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:848

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1688

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1384

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1632

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1848

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WTHBNZD.bat
MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Users\Admin\Desktop\BackupSplit.asp.Legion
MD5
66f56ee935f6f7c8752ec6694339acae

SHA1
1724e008e05a8d5176580055dbc99f7c62df465a

SHA256
4aabdc10e596bc41937a7326c2a4e2ef1514c925ebf37a48e6678351952c45e6

SHA512
26ca6e65881967cd0af4eaf0a1b43a4a56619586d00db82838f1b712d39bc84dfb3dae5ec502461c62824a7a41d592130271ae98de1809ab5d978baae4ebd9d8

Download Submit
\??\c:\Users\Admin\Pictures\BackupTrace.cr2.Legion
MD5
bedf393fd9c0bbed1104527583f146cb

SHA1
b0244b5967ee986a0213d4a20761b540b625e970

SHA256
552e9d362867d490fbe38e2cb90a00a3c258843a46028b164ccb942533d07ba0

SHA512
8c2efb43f21e0d14448c97d03117ac0d840639f5b35bec179eaf0e7406cd82d81d156a4ce5aa53b7aa2fb28116ac36596efb557bb3c7e909d54a0e05f1be3c1a

Download Submit
memory/472-67-0x0000000000000000-mapping.dmp

Download
memory/572-72-0x0000000000000000-mapping.dmp

Download
memory/788-69-0x0000000005C85000-0x0000000005C96000-memory.dmp

Filesize
68KB

Download
memory/788-83-0x0000000005C96000-0x0000000005C97000-memory.dmp

Filesize
4KB

Download
memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/788-61-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/788-84-0x0000000005C97000-0x0000000005C98000-memory.dmp

Filesize
4KB

Download
memory/788-63-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/832-66-0x0000000000000000-mapping.dmp

Download
memory/848-75-0x0000000000000000-mapping.dmp

Download
memory/1344-64-0x0000000000000000-mapping.dmp

Download
memory/1384-77-0x0000000000000000-mapping.dmp

Download
memory/1544-68-0x0000000000000000-mapping.dmp

Download
memory/1616-74-0x0000000000000000-mapping.dmp

Download
memory/1624-80-0x0000000000000000-mapping.dmp

Download
memory/1632-78-0x0000000000000000-mapping.dmp

Download
memory/1688-76-0x0000000000000000-mapping.dmp

Download
memory/1824-71-0x0000000000000000-mapping.dmp

Download
memory/1848-79-0x0000000000000000-mapping.dmp

Download
memory/2036-70-0x0000000000000000-mapping.dmp

Download
memory/2040-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads