Overview

overview

10

Static

static

10

LegionLocker3.0.exe

windows7_x64

10

LegionLocker3.0.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LegionLocker3.0.exe

  • Size

    3.0MB

  • Sample

    210509-6lmtnjlrkj

  • MD5

    cdccf5b587aac1a4aeb53f8aaa465759

  • SHA1

    3d804d15282a5b031684cc6bd8b9b7d9d880d13d

  • SHA256

    f6289c13d79d8de611e9c143602298970b5969c15a4d6a3e40efec794bc371dd

  • SHA512

    61668842acbb52c8c1e35e5ba4cca412ea1a56b4de6e3adb58f158cee77f8e04e24be99bbbc92c5f551afc2bbe45cf9c99c7b0b63affb8cef3d6718dc0c950f3

Score
10/10
legionlockerevasionransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. Please don't forget to attach ID.txt file in the e-mail. To decrypt other files you have to pay $50. How do i pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet. Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) In case of no anwser in 72 hours write us to this email: [email protected] What if i already paid? Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software, it may cause pernament data loss. Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Targets

    • Target

      LegionLocker3.0.exe

    • Size

      3.0MB

    • MD5

      cdccf5b587aac1a4aeb53f8aaa465759

    • SHA1

      3d804d15282a5b031684cc6bd8b9b7d9d880d13d

    • SHA256

      f6289c13d79d8de611e9c143602298970b5969c15a4d6a3e40efec794bc371dd

    • SHA512

      61668842acbb52c8c1e35e5ba4cca412ea1a56b4de6e3adb58f158cee77f8e04e24be99bbbc92c5f551afc2bbe45cf9c99c7b0b63affb8cef3d6718dc0c950f3

    Score
    10/10
    evasionransomwarespywarestealerthemidatrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks