Overview

overview

10

Static

static

10

LegionLocker.exe

windows7_x64

10

LegionLocker.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9e3e436d4345c5b6f20bc060d766a7ee0c3ea8c4aebee80d0cfe3481515961a1

  • Size

    3.2MB

  • Sample

    220206-2ebgpacdhn

  • MD5

    faeaf4e3d7440fba8482c97cf510baa7

  • SHA1

    6f69dc27f9c3f6fa6d3134cceddaab9d2888bf91

  • SHA256

    9e3e436d4345c5b6f20bc060d766a7ee0c3ea8c4aebee80d0cfe3481515961a1

  • SHA512

    7433a18a2b5b75b8faa8aed88c07bc264b034de048b6aa7063b33758d97e74477226b378905979c2cbaad552cff5df5a9fc136a417e53b2694356b003e700411

Score
10/10
legionlockerevasionransomwarethemidatrojan

Malware Config

Targets

    • Target

      LegionLocker.bin

    • Size

      3.4MB

    • MD5

      ff781960baad7ac1974e254bbc7d8044

    • SHA1

      263450e71b84d608d40448c73add2719875c4732

    • SHA256

      9d13fde85da13d3c9533ace39fdfb71c95419f002c946265e6d12030890d8b9d

    • SHA512

      fc572d058d0c4782621d069cc9d16b575363bdd51a3d50bedc4b91b12c0e6ac6d93256ae9266c5cac17878dd0da474477bc283735e8d4decf206e68150495d8a

    Score
    10/10
    legionlockerevasionransomwarethemidatrojan

    • Detected LegionLocker ransomware

      Sample contains strings associated with the LegionLocker family.

      ransomware

    • LegionLocker

      Ransomware family active in 2021.

      ransomwarelegionlocker

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks