legionlocker | 22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708

General

Target

LegionLocker.exe
Size

6.6MB
Sample

220208-qpljvsgha2
MD5

9a72a508fcee3de957167a386f173c44
SHA1

55650582fc704d27cd7d95f971b0ddd13dcd9eaf
SHA256

22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708
SHA512

fb8073e5d0c14dbe1780bed15b6a492c0db386acb56b834f56eae9d76cf9872dd95396fd8d6d06048864227fcc90f8cae9d7853169536835a183ea2099994262

Score

10^/10

Malware Config

Targets

- Target
  
  LegionLocker.exe
- Size
  
  6.6MB
- MD5
  
  9a72a508fcee3de957167a386f173c44
- SHA1
  
  55650582fc704d27cd7d95f971b0ddd13dcd9eaf
- SHA256
  
  22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708
- SHA512
  
  fb8073e5d0c14dbe1780bed15b6a492c0db386acb56b834f56eae9d76cf9872dd95396fd8d6d06048864227fcc90f8cae9d7853169536835a183ea2099994262
Score

10^/10

evasion ransomware themida trojan
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

5

T1012

System Information Discovery

6

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Suspicious use of NtCreateProcessExOtherParentProcess

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies extensions of user files

Checks BIOS information in registry

Checks computer location settings

Themida packer

Checks whether UAC is enabled

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2