legionlocker

General

Target

9e3e436d4345c5b6f20bc060d766a7ee0c3ea8c4aebee80d0cfe3481515961a1
Size

3.2MB
Sample

220206-2ebgpacdhn
MD5

faeaf4e3d7440fba8482c97cf510baa7
SHA1

6f69dc27f9c3f6fa6d3134cceddaab9d2888bf91
SHA256

9e3e436d4345c5b6f20bc060d766a7ee0c3ea8c4aebee80d0cfe3481515961a1
SHA512

7433a18a2b5b75b8faa8aed88c07bc264b034de048b6aa7063b33758d97e74477226b378905979c2cbaad552cff5df5a9fc136a417e53b2694356b003e700411

Score

10^/10

Malware Config

Targets

- Target
  
  LegionLocker.bin
- Size
  
  3.4MB
- MD5
  
  ff781960baad7ac1974e254bbc7d8044
- SHA1
  
  263450e71b84d608d40448c73add2719875c4732
- SHA256
  
  9d13fde85da13d3c9533ace39fdfb71c95419f002c946265e6d12030890d8b9d
- SHA512
  
  fc572d058d0c4782621d069cc9d16b575363bdd51a3d50bedc4b91b12c0e6ac6d93256ae9266c5cac17878dd0da474477bc283735e8d4decf206e68150495d8a
Score

10^/10

legionlocker evasion ransomware themida trojan
- Detected LegionLocker ransomware
  Sample contains strings associated with the LegionLocker family.
  ransomware
- LegionLocker
  Ransomware family active in 2021.
  ransomware legionlocker
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Detected LegionLocker ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Modifies extensions of user files

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2