Overview

overview

10

Static

static

10

LegionLocker3.0.exe

windows7_x64

10

LegionLocker3.0.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    09-05-2021 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LegionLocker3.0.exe

  • Size

    3.0MB

  • MD5

    cdccf5b587aac1a4aeb53f8aaa465759

  • SHA1

    3d804d15282a5b031684cc6bd8b9b7d9d880d13d

  • SHA256

    f6289c13d79d8de611e9c143602298970b5969c15a4d6a3e40efec794bc371dd

  • SHA512

    61668842acbb52c8c1e35e5ba4cca412ea1a56b4de6e3adb58f158cee77f8e04e24be99bbbc92c5f551afc2bbe45cf9c99c7b0b63affb8cef3d6718dc0c950f3

Score
10/10
evasionransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. Please don't forget to attach ID.txt file in the e-mail. To decrypt other files you have to pay $50. How do i pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet. Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us (LegionLocker@mail2tor.com) In case of no anwser in 72 hours write us to this email: CobraLocker@mail2tor.com What if i already paid? Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software, it may cause pernament data loss. Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Emails

LegionLocker@mail2tor.com

CobraLocker@mail2tor.com
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegionLocker3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\LegionLocker3.0.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\WTHBNZD.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1652
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        3⤵
        • Interacts with shadow copies
        PID:484
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        3⤵
        • Interacts with shadow copies
        PID:1480
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1164
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:336
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:472
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1000
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1896
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1828
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1952
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1616
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1500
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1608
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1504
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1556
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LegionReadMe.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:1348
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:368

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      File Deletion

      2
      T1107

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      3
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\WTHBNZD.bat
        MD5

        d2aba3e1af80edd77e206cd43cfd3129

        SHA1

        3116da65d097708fad63a3b73d1c39bffa94cb01

        SHA256

        8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

        SHA512

        0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

        Download Submit
      • C:\Users\Admin\Desktop\LegionReadMe.txt
        MD5

        b25bea1bbb40ad5ba0eec8e424a0f1e3

        SHA1

        65f0a000857f8b6fffab92f799abb89acf03892b

        SHA256

        21d408264be4fe486bcbb06700320cdf8cb7cd810d9472754990c60afa197a81

        SHA512

        e0c52155171339ad64acd115f570946e110a921603e0780caef25c5bdb855d6720345eedf30da36dd5872d5890e0dd97ac88698def0792b8f4c0910128f6ae18

        Download Submit
      • memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp
        Filesize

        8KB

        Download
      • memory/308-62-0x00000000001B0000-0x00000000001B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/308-64-0x0000000005610000-0x0000000005611000-memory.dmp
        Filesize

        4KB

        Download
      • memory/308-85-0x0000000005626000-0x0000000005627000-memory.dmp
        Filesize

        4KB

        Download
      • memory/308-89-0x0000000005629000-0x000000000562A000-memory.dmp
        Filesize

        4KB

        Download
      • memory/308-88-0x0000000005628000-0x0000000005629000-memory.dmp
        Filesize

        4KB

        Download
      • memory/308-70-0x0000000005615000-0x0000000005626000-memory.dmp
        Filesize

        68KB

        Download
      • memory/308-86-0x0000000005627000-0x0000000005628000-memory.dmp
        Filesize

        4KB

        Download
      • memory/336-72-0x0000000000000000-mapping.dmp
        Download
      • memory/472-73-0x0000000000000000-mapping.dmp
        Download
      • memory/484-68-0x0000000000000000-mapping.dmp
        Download
      • memory/848-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1000-74-0x0000000000000000-mapping.dmp
        Download
      • memory/1164-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1480-69-0x0000000000000000-mapping.dmp
        Download
      • memory/1500-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1556-82-0x000007FEFC661000-0x000007FEFC663000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1608-80-0x0000000000000000-mapping.dmp
        Download
      • memory/1616-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1652-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1828-76-0x0000000000000000-mapping.dmp
        Download
      • memory/1840-81-0x0000000000000000-mapping.dmp
        Download
      • memory/1896-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1952-77-0x0000000000000000-mapping.dmp
        Download