Overview

overview

10

Static

static

10

LegionLocker4.1.exe

windows7_x64

10

LegionLocker4.1.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LegionLocker4.1.exe

  • Size

    3.2MB

  • MD5

    563059c1ba238fb233200b053327313d

  • SHA1

    c50908fe140fe127a6c2168ad7a07df6b9836186

  • SHA256

    a4e002898d11ea511868a11a43dd29011dbe97bcbd9ee4b9fbcb0520d860f975

  • SHA512

    9bbfe87044543ecf7fc6c865fad533ce864309c63cbff070c7f69ec1373392d149628c58bc7312bf72aae2aaecd6874c5ec95542042df6f34d65570da5d810bb

Score
10/10
discoveryevasionexploitpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $50. How do i pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet. Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) In case of no anwser in 72 hours write us to this email: [email protected] What if i already paid? Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software, it may cause pernament data loss. Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Possible privilege escalation attempt 5 IoCs
    exploit
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies file permissions 1 TTPs 5 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegionLocker4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\LegionLocker4.1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies extensions of user files
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1928
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1992
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:864
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1876
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:1012

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1012-71-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1972-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1972-64-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1972-77-0x0000000000EA5000-0x0000000000EB6000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1972-62-0x00000000013B0000-0x00000000013B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1972-79-0x0000000000EB6000-0x0000000000EB7000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1972-80-0x0000000000EB7000-0x0000000000EB8000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1972-81-0x0000000000EB8000-0x0000000000EB9000-memory.dmp

        Filesize

        4KB

        Download