Analysis

max time kernel: 150s
max time network: 10s
platform: windows7_x64
resource: win7v20210410
submitted: 06-05-2021 05:26

Static task: static1
Behavioral task: behavioral1
Sample: 123.exe
Resource: win7v20210410
General

Target: 123.exe
Size: 9.3MB
MD5: 49e1e065b2d619c84ce34f2bf5b04105
SHA1: 3b4c8300fcc847c715a6f8d9606c3daabfa9365d
SHA256: c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d
SHA512: d28e8663ee08923b0b4ba8729329bd25ca054db648f3fb43aa037e1cc87e725954450f5d132457dc506836f03d8c5faa3c2031b2624a7be011037179e6ef06b1
Malware Config

Extracted from ransom note: C:\Users\Admin\Desktop\@LegionReadMe@.txt
Contact email: CobraLocker@mail2tor.com
Wallet address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
URL: http://mail2tor2zyjdctd.onion/
Signatures

Deletes shadow copies [2 TTPs]
Ransomware often targets backup files to inhibit system recovery.

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

Modifies extensions of user files [4 IoCs]
Ransomware generally changes the extension on encrypted files. Here the original file name and extension are kept and .Legion is appended, matching the ransom note name @LegionReadMe@.txt.
Processes: 123.exe
- File renamed C:\Users\Admin\Pictures\SelectPop.raw => C:\Users\Admin\Pictures\SelectPop.raw.Legion (123.exe)
- File renamed C:\Users\Admin\Pictures\SelectRead.crw => C:\Users\Admin\Pictures\SelectRead.crw.Legion (123.exe)
- File renamed C:\Users\Admin\Pictures\ConnectSet.crw => C:\Users\Admin\Pictures\ConnectSet.crw.Legion (123.exe)
- File renamed C:\Users\Admin\Pictures\DenyRequest.png => C:\Users\Admin\Pictures\DenyRequest.png.Legion (123.exe)
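Added example (not part of the sandbox report): Python that reads "File renamed" lines in the format of the table above and flags a process that applies one new extension to many files, distinguishing an appended suffix such as .Legion from a swapped extension. The four 123.exe lines are copied from this report; the explorer.exe rename and the alert threshold of three files are constructed assumptions.

```python
"""Flag mass extension changes of user files from sandbox 'File renamed' lines.

Added example for this report, not sandbox code. The four 123.exe lines are the
IoCs listed above; the explorer.exe rename is constructed for contrast, and the
alert threshold of three files is an assumed tuning value.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Line shape used in the signature table: "File renamed <src> => <dst> <process>"
RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+) (?P<proc>\S+)$")

SAMPLE_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\SelectPop.raw => C:\Users\Admin\Pictures\SelectPop.raw.Legion 123.exe",
    r"File renamed C:\Users\Admin\Pictures\SelectRead.crw => C:\Users\Admin\Pictures\SelectRead.crw.Legion 123.exe",
    r"File renamed C:\Users\Admin\Pictures\ConnectSet.crw => C:\Users\Admin\Pictures\ConnectSet.crw.Legion 123.exe",
    r"File renamed C:\Users\Admin\Pictures\DenyRequest.png => C:\Users\Admin\Pictures\DenyRequest.png.Legion 123.exe",
    # Constructed benign rename: one file, extension swapped, different process.
    r"File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.bak explorer.exe",
]


def parse_rename(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (src, dst, process) or None when the line is not a rename event."""
    m = RENAME_RE.match(line)
    return (m.group("src"), m.group("dst"), m.group("proc")) if m else None


def rename_kind(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Classify a rename.

    ('append', '.Legion')  the full original name is kept and a suffix is added
    ('replace', '.bak')    the last extension is swapped for another one
    None                   the directory or the stem changed (a normal rename)
    """
    if dst.startswith(src) and dst[len(src):].startswith("."):
        return "append", dst[len(src):]
    src_stem, _, src_ext = src.rpartition(".")
    dst_stem, _, dst_ext = dst.rpartition(".")
    if src_stem and src_stem == dst_stem and src_ext != dst_ext:
        return "replace", "." + dst_ext
    return None


def detect_mass_extension_change(lines: Iterable[str], threshold: int = 3) -> Dict[Tuple[str, str, str], List[str]]:
    """Group renames by (process, kind, suffix); keep groups with >= threshold files.

    One process applying the same suffix to many files is the ransomware
    pattern; a single extension swap by explorer.exe is not.
    """
    groups: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for line in lines:
        parsed = parse_rename(line)
        if parsed is None:
            continue
        src, dst, proc = parsed
        kind = rename_kind(src, dst)
        if kind is not None:
            groups[(proc, kind[0], kind[1])].append(src)
    return {key: files for key, files in groups.items() if len(files) >= threshold}


if __name__ == "__main__":
    for (proc, kind, suffix), files in detect_mass_extension_change(SAMPLE_EVENTS).items():
        print(f"{proc}: {kind} {suffix} on {len(files)} files, first {files[0]}")
```

Grouping by process as well as suffix matters: a backup tool swapping extensions across a folder would also cross the threshold, and the process name is what separates the two cases in a real event stream.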
Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes: 123.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (123.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (123.exe)
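Added example (not sandbox code) covering both the BIOS reads above and the VirtualBox ACPI signature: a Python triage helper that maps registry reads to the VM fingerprint they expose, plus a check of what a sample would see in the BIOS strings so a sandbox operator can confirm the VM is not giving itself away. The two SystemBiosVersion/VideoBiosVersion reads are this report's IoCs; the ACPI VBOX__ key names, the marker strings and the ProductName read are assumptions about typical checks, not something the report states.

```python
"""Triage registry reads against known VM/sandbox fingerprints.

Added example, not sandbox code. The SystemBiosVersion/VideoBiosVersion reads
are the IoCs from the report; the ACPI key names and the vendor marker strings
are the usual VirtualBox/VMware fingerprints and are assumptions about what
this sample compares against.
"""
import sys
from typing import Dict, List, Sequence

# Registry paths (compared case-insensitively, as the sandbox logs them) that a
# word processor or game has no reason to read but sandbox-detection code does.
VM_PROBE_KEYS = {
    r"\registry\machine\hardware\description\system\systembiosversion": "BIOS vendor string (VBOX / VMware / QEMU)",
    r"\registry\machine\hardware\description\system\videobiosversion": "video BIOS string (VirtualBox / VMware)",
    r"\registry\machine\hardware\acpi\dsdt\vbox__": "VirtualBox ACPI DSDT table name (assumed)",
    r"\registry\machine\hardware\acpi\fadt\vbox__": "VirtualBox ACPI FADT table name (assumed)",
    r"\registry\machine\hardware\acpi\rsdt\vbox__": "VirtualBox ACPI RSDT table name (assumed)",
}

# Substrings a sample typically searches for inside the BIOS strings (assumed).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "xen", "parallels")

# Constructed sample: the two IoCs from the report plus an unrelated read.
SAMPLE_REGISTRY_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 123.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 123.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName 123.exe",
]


def flag_vm_probes(events: Sequence[str]) -> Dict[str, str]:
    """Map each flagged registry path to the fingerprint it exposes."""
    prefix = "Key value queried "
    hits: Dict[str, str] = {}
    for ev in events:
        if not ev.startswith(prefix):
            continue
        path = ev[len(prefix):].rsplit(" ", 1)[0]   # drop the trailing process name
        reason = VM_PROBE_KEYS.get(path.lower())
        if reason:
            hits[path] = reason
    return hits


def bios_markers(values: Sequence[str]) -> List[str]:
    """VM markers present in BIOS/video-BIOS strings, i.e. what the sample sees.
    An empty list means the strings look like bare metal."""
    joined = " ".join(values).lower()
    return [m for m in VM_MARKERS if m in joined]


def read_live_bios_values() -> List[str]:
    """Read the two values the sample queried on this host (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg  # stdlib, only importable on Windows
    out: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        for name in ("SystemBiosVersion", "VideoBiosVersion"):
            value, _ = winreg.QueryValueEx(key, name)   # REG_MULTI_SZ comes back as a list
            out.extend(value if isinstance(value, list) else [str(value)])
    return out


if __name__ == "__main__":
    for path, why in flag_vm_probes(SAMPLE_REGISTRY_EVENTS).items():
        print(f"anti-VM probe: {path}  ({why})")
    # Constructed VirtualBox-style strings, so the check fires without a VM.
    print("markers:", bios_markers(["VBOX   - 1", "Oracle VM VirtualBox"]))
    print("live:", bios_markers(read_live_bios_values()))
```

The sample did not abort on these checks in this run: it went on to rename files and run vssadmin, so the reads are a fingerprint of the evasion tooling rather than evidence that the evasion worked. Run the live read on the sandbox image itself to see whether it would have.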
Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc. No IoC list is recorded for this signature in the report.

Yara rule match: themida (Themida protector signature)
Processes: 123.exe
- resource behavioral1/memory/788-61-0x0000000000C90000-0x0000000000C91000-memory.dmp matched rule themida

Checks whether UAC is enabled
Processes: 123.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (123.exe)
Enumerates connected drives [3 TTPs, 18 IoCs]
Attempts to read the root path of hard drives other than the default C: drive. In this run the opens come from the vssadmin resize shadowstorage commands, which the dropped batch script issues for c: through h: in a fixed sequence, so the drive list is hardcoded rather than discovered.
Processes: vssadmin.exe (10 processes)
- File opened (read-only), two opens each: \??\D:, \??\E:, \??\e:, \??\F:, \??\f:, \??\G:, \??\g:, \??\H:, \??\h:
Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
Setting ThreadHideFromDebugger stops the thread from delivering debug events to an attached debugger, a common anti-debugging trick.
Processes: 123.exe
- PID 788 123.exe
Interacts with shadow copies [2 TTPs, 14 IoCs]
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (14 processes)
- PIDs 1632, 472, 2040, 1848, 1616, 848, 832, 1544, 572, 1688, 1384, 1624, 2036, 1824 (all vssadmin.exe)
Suspicious behavior: EnumeratesProcesses [64 IoCs]
Processes: 123.exe
- 64 process-enumeration events, all from PID 788 123.exe
Suspicious use of AdjustPrivilegeToken [4 IoCs]
Only the SeDebugPrivilege entry belongs to the sample. vssvc.exe is the Volume Shadow Copy service; it enables backup, restore and audit privileges while servicing the vssadmin requests, so those three entries are a side effect of the shadow-copy tampering rather than behavior of 123.exe itself.
Processes: 123.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 788 123.exe
- Token: SeBackupPrivilege, PID 1696 vssvc.exe
- Token: SeRestorePrivilege, PID 1696 vssvc.exe
- Token: SeAuditPrivilege, PID 1696 vssvc.exe
Suspicious use of WriteProcessMemory [60 IoCs]
Every target is a child the writing process itself spawned (see the process tree), so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process. The sandbox records four writes per child.
Processes: 123.exe, cmd.exe
- PID 788 123.exe wrote to memory of PID 1344 cmd.exe (4 events)
- PID 1344 cmd.exe wrote to memory of vssadmin.exe PIDs 832, 472, 1544, 2036, 1824, 572, 2040, 1616, 848, 1688, 1384, 1632, 1848, 1624 (4 events each, 56 in total)
Processes

- C:\Users\Admin\AppData\Local\Temp\123.exe (PID 788, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
  Signatures: Modifies extensions of user files; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1344, depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WTHBNZD.bat""
    Signatures: Suspicious use of WriteProcessMemory
    Children (depth 3), all C:\Windows\SysWOW64\vssadmin.exe, in tree order:
    - vssadmin Delete Shadows /all /quiet (Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB (Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded (Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded (Enumerates connected drives; Interacts with shadow copies)
    - vssadmin Delete Shadows /all /quiet (Interacts with shadow copies)
- C:\Windows\system32\vssvc.exe (PID 1696, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

The batch sequence is: delete every shadow copy, then for each of c: through h: shrink the shadow storage to 401MB and immediately set it back to unbounded, then delete again. Shrinking the storage below what the existing copies occupy makes Windows discard them, so the resize pair purges copies even where "Delete Shadows" is blocked or alerted on; detection should key on resize shadowstorage with /maxsize as well as on delete shadows. All of it runs from WTHBNZD.bat in the user's Temp directory, which is why every vssadmin process has cmd.exe as its parent.
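Added example (not sandbox code): Python detection logic that runs over process-creation events of the kind Sysmon Event ID 1 or Security 4688 produce, flags vssadmin invocations that delete or resize shadow storage, and rebuilds the parent chain so the Temp-launched batch script stands out. The events are constructed from the process tree and PIDs in this report; assigning PIDs 832, 472, 1544 and 1624 to particular command lines follows the spawn order in the WriteProcessMemory list and is an assumption, the parent of 123.exe is unknown and given ppid 0, and the "vssadmin list shadows" event is a constructed benign case.

```python
"""Detect shadow-copy tampering from process-creation events and rebuild the
spawning chain.

Added example, not sandbox code. The events are constructed from the process
tree and PIDs in this report; which vssadmin PID ran which command is assumed
from spawn order, the parent of 123.exe is not in the report (ppid 0), and the
'vssadmin list shadows' event is a constructed benign case.
"""
import re
from typing import Dict, List, NamedTuple, Sequence


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Match on the verb, not on 'vssadmin.exe' alone: listing shadows is routine admin work.
VSSADMIN_RULES = [
    (re.compile(r"\bdelete\s+shadows\b", re.I), "deletes all shadow copies"),
    (re.compile(r"\bresize\s+shadowstorage\b.*/maxsize=", re.I),
     "resizes shadow storage (shrinking it evicts existing copies)"),
]

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(788, 0, TEMP + r"\123.exe", '"' + TEMP + r'\123.exe"'),
    ProcEvent(1344, 788, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + TEMP + r'\WTHBNZD.bat""'),
    ProcEvent(832, 1344, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin Delete Shadows /all /quiet"),
    ProcEvent(472, 1344, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"),
    ProcEvent(1544, 1344, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded"),
    ProcEvent(1624, 1344, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin Delete Shadows /all /quiet"),
    ProcEvent(2100, 2050, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),  # constructed, benign
]


def lineage(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """The process and its known ancestors, nearest first; stops at an unknown ppid or a cycle."""
    chain: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect_shadow_tampering(events: Sequence[ProcEvent]) -> List[dict]:
    """One alert per vssadmin invocation that deletes or resizes shadow storage.

    Each alert carries the image chain back to the root we know about and whether
    any ancestor runs from the user's Temp directory, which is what turns a
    possibly-legitimate admin command into a ransomware indicator.
    """
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for ev in events:
        if basename(ev.image).lower() != "vssadmin.exe":
            continue
        for rx, label in VSSADMIN_RULES:
            if rx.search(ev.cmdline):
                chain = lineage(ev.pid, by_pid)
                alerts.append({
                    "pid": ev.pid,
                    "rule": label,
                    "chain": [basename(e.image) for e in chain],
                    "launched_from_temp": any("\\appdata\\local\\temp\\" in e.image.lower() for e in chain),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_tampering(SAMPLE_EVENTS):
        flag = "TEMP-LAUNCHED " if a["launched_from_temp"] else ""
        print(f"{flag}pid {a['pid']}: {a['rule']}  via {' <- '.join(a['chain'])}")
```

The resize rule is the one most detections miss: it carries no "delete" keyword, yet the 401MB/unbounded pair in this report purges the copies just as effectively.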
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\WTHBNZD.bat (the dropped batch script cmd.exe runs; per the process tree it is the parent of every vssadmin invocation)
  MD5: d2aba3e1af80edd77e206cd43cfd3129
  SHA1: 3116da65d097708fad63a3b73d1c39bffa94cb01
  SHA256: 8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
  SHA512: 0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec
- \??\c:\Users\Admin\Desktop\BackupSplit.asp.Legion (user file renamed with the .Legion extension)
  MD5: 66f56ee935f6f7c8752ec6694339acae
  SHA1: 1724e008e05a8d5176580055dbc99f7c62df465a
  SHA256: 4aabdc10e596bc41937a7326c2a4e2ef1514c925ebf37a48e6678351952c45e6
  SHA512: 26ca6e65881967cd0af4eaf0a1b43a4a56619586d00db82838f1b712d39bc84dfb3dae5ec502461c62824a7a41d592130271ae98de1809ab5d978baae4ebd9d8
- \??\c:\Users\Admin\Pictures\BackupTrace.cr2.Legion (user file renamed with the .Legion extension)
  MD5: bedf393fd9c0bbed1104527583f146cb
  SHA1: b0244b5967ee986a0213d4a20761b540b625e970
  SHA256: 552e9d362867d490fbe38e2cb90a00a3c258843a46028b164ccb942533d07ba0
  SHA512: 8c2efb43f21e0d14448c97d03117ac0d840639f5b35bec179eaf0e7406cd82d81d156a4ce5aa53b7aa2fb28116ac36596efb557bb3c7e909d54a0e05f1be3c1a

Memory dumps:
- memory/472-67-0x0000000000000000-mapping.dmp
- memory/572-72-0x0000000000000000-mapping.dmp
- memory/788-69-0x0000000005C85000-0x0000000005C96000-memory.dmp (68KB)
- memory/788-83-0x0000000005C96000-0x0000000005C97000-memory.dmp (4KB)
- memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp (8KB)
- memory/788-61-0x0000000000C90000-0x0000000000C91000-memory.dmp (4KB; the region the themida Yara rule matched)
- memory/788-84-0x0000000005C97000-0x0000000005C98000-memory.dmp (4KB)
- memory/788-63-0x0000000005C80000-0x0000000005C81000-memory.dmp (4KB)
- memory/832-66-0x0000000000000000-mapping.dmp
- memory/848-75-0x0000000000000000-mapping.dmp
- memory/1344-64-0x0000000000000000-mapping.dmp
- memory/1384-77-0x0000000000000000-mapping.dmp
- memory/1544-68-0x0000000000000000-mapping.dmp
- memory/1616-74-0x0000000000000000-mapping.dmp
- memory/1624-80-0x0000000000000000-mapping.dmp
- memory/1632-78-0x0000000000000000-mapping.dmp
- memory/1688-76-0x0000000000000000-mapping.dmp
- memory/1824-71-0x0000000000000000-mapping.dmp
- memory/1848-79-0x0000000000000000-mapping.dmp
- memory/2036-70-0x0000000000000000-mapping.dmp
- memory/2040-73-0x0000000000000000-mapping.dmp