legionlocker | 22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708 | Triage

Submit
Reports

Overview

overview

Static

static

LegionLocker.exe

windows7_x64

9

LegionLocker.exe

windows10-2004_x64

Sharing

General

Target

LegionLocker.exe
Size

6.6MB
Sample

220208-qpljvsgha2
MD5

9a72a508fcee3de957167a386f173c44
SHA1

55650582fc704d27cd7d95f971b0ddd13dcd9eaf
SHA256

22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708
SHA512

fb8073e5d0c14dbe1780bed15b6a492c0db386acb56b834f56eae9d76cf9872dd95396fd8d6d06048864227fcc90f8cae9d7853169536835a183ea2099994262

Score

10^/10

legionlocker evasion ransomware themida trojan

Static task

static1

themida ransomware legionlocker

Behavioral task

behavioral1

Sample

LegionLocker.exe

Resource

win7-en-20211208

evasion ransomware themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

LegionLocker.exe

Resource

win10v2004-en-20220112

evasion ransomware themida trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  LegionLocker.exe
- Size
  
  6.6MB
- MD5
  
  9a72a508fcee3de957167a386f173c44
- SHA1
  
  55650582fc704d27cd7d95f971b0ddd13dcd9eaf
- SHA256
  
  22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708
- SHA512
  
  fb8073e5d0c14dbe1780bed15b6a492c0db386acb56b834f56eae9d76cf9872dd95396fd8d6d06048864227fcc90f8cae9d7853169536835a183ea2099994262
Score

10^/10

evasion ransomware themida trojan
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

themidaransomwarelegionlocker

behavioral1

evasionransomwarethemidatrojan

behavioral2

evasionransomwarethemidatrojan

© 2018-2024

Terms | Privacy