Overview

overview

10

Static

static

10

LegionLocker.exe

windows7_x64

9

LegionLocker.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    608s
  • max time network
    433s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    08-02-2022 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LegionLocker.exe

  • Size

    6.6MB

  • MD5

    9a72a508fcee3de957167a386f173c44

  • SHA1

    55650582fc704d27cd7d95f971b0ddd13dcd9eaf

  • SHA256

    22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708

  • SHA512

    fb8073e5d0c14dbe1780bed15b6a492c0db386acb56b834f56eae9d76cf9872dd95396fd8d6d06048864227fcc90f8cae9d7853169536835a183ea2099994262

Score
10/10
evasionransomwarethemidatrojan

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegionLocker.exe
    "C:\Users\Admin\AppData\Local\Temp\LegionLocker.exe"
    1⤵
    • Modifies extensions of user files
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k color 47 && taskkill /f /im explorer.exe && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3252
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3956
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:1528
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:4080
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3508
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
    1⤵
      PID:364
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 364 -s 2088
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2432
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 440 -p 364 -ip 364
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:1340
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k wusvcs -p
      1⤵
        PID:2996

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Discovery

      Query Registry

      5
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      6
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/620-130-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-131-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-132-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-133-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-134-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-135-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-136-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-137-0x00000000768A0000-0x0000000076990000-memory.dmp
        Filesize

        960KB

        Download
      • memory/620-138-0x0000000077A40000-0x0000000077BE3000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/620-141-0x0000000074FA0000-0x0000000075750000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/620-142-0x00000000007F0000-0x00000000010C4000-memory.dmp
        Filesize

        8.8MB

        Download
      • memory/620-143-0x00000000007F0000-0x00000000010C4000-memory.dmp
        Filesize

        8.8MB

        Download
      • memory/620-144-0x0000000006170000-0x0000000006714000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/620-145-0x0000000005BC0000-0x0000000005C52000-memory.dmp
        Filesize

        584KB

        Download
      • memory/620-146-0x0000000005BC0000-0x0000000006164000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/620-147-0x0000000005B30000-0x0000000005B3A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/620-148-0x0000000005BC0000-0x0000000006164000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/620-149-0x0000000005BC0000-0x0000000006164000-memory.dmp
        Filesize

        5.6MB

        Download