Analysis

  • max time kernel
    150s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-02-2022 22:29

General

  • Target
    LegionLocker.exe
  • Size
    3.4MB
  • MD5
    ff781960baad7ac1974e254bbc7d8044
  • SHA1
    263450e71b84d608d40448c73add2719875c4732
  • SHA256
    9d13fde85da13d3c9533ace39fdfb71c95419f002c946265e6d12030890d8b9d
  • SHA512
    fc572d058d0c4782621d069cc9d16b575363bdd51a3d50bedc4b91b12c0e6ac6d93256ae9266c5cac17878dd0da474477bc283735e8d4decf206e68150495d8a

Malware Config

Signatures

  • Detected LegionLocker ransomware 3 IoCs

    Sample contains strings associated with the LegionLocker family.

  • LegionLocker

    Ransomware family active in 2021.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegionLocker.exe
    "C:\Users\Admin\AppData\Local\Temp\LegionLocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\LegionL0cker.exe
      "C:\Users\Admin\AppData\Local\Temp\LegionL0cker.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k color 47 && taskkill /f /im explorer.exe && Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:564

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1684-64-0x0000000000010000-0x00000000008E4000-memory.dmp
    Filesize: 8.8MB
  • memory/1684-65-0x0000000000010000-0x00000000008E4000-memory.dmp
    Filesize: 8.8MB
  • memory/1684-66-0x00000000058C0000-0x00000000058C1000-memory.dmp
    Filesize: 4KB
  • memory/1684-67-0x00000000058C5000-0x00000000058D6000-memory.dmp
    Filesize: 68KB
  • memory/1684-68-0x00000000058D6000-0x00000000058D7000-memory.dmp
    Filesize: 4KB
  • memory/1684-69-0x00000000058D7000-0x00000000058D8000-memory.dmp
    Filesize: 4KB
  • memory/2044-54-0x0000000000020000-0x0000000000390000-memory.dmp
    Filesize: 3.4MB
  • memory/2044-55-0x0000000075191000-0x0000000075193000-memory.dmp
    Filesize: 8KB
  • memory/2044-56-0x0000000005090000-0x0000000005091000-memory.dmp
    Filesize: 4KB