legionlocker

General

Target

HEUR-Trojan-Ransom.Win32.Encoder.vho-188b2408a0b511905428f95eacc3b60f5c9db195fa8493891baf3db8a4de1e99.exe
Size

3.4MB
Sample

220920-fppleacac5
MD5

35acbf4b0e8cfe8b9c3c2d5da5eb0131
SHA1

bc2d3b96b8f5d227b41611f64216753a898e804c
SHA256

188b2408a0b511905428f95eacc3b60f5c9db195fa8493891baf3db8a4de1e99
SHA512

381f3a0867207e9824a1382620c17d1b445e307512982279a285e7cb4ce2f79a7f48b549d5c78e0f1ef707ff10ec249784a1d6e88788eba1e861f492f19fe2ca
SSDEEP

98304:NUqA6Sp+ZIogCxfwijqisUzS5Q1J6KtqxxwwpJKILMW:JAOC/MINxxVpEp

Score

10^/10

Malware Config

Targets

- Target
  
  HEUR-Trojan-Ransom.Win32.Encoder.vho-188b2408a0b511905428f95eacc3b60f5c9db195fa8493891baf3db8a4de1e99.exe
- Size
  
  3.4MB
- MD5
  
  35acbf4b0e8cfe8b9c3c2d5da5eb0131
- SHA1
  
  bc2d3b96b8f5d227b41611f64216753a898e804c
- SHA256
  
  188b2408a0b511905428f95eacc3b60f5c9db195fa8493891baf3db8a4de1e99
- SHA512
  
  381f3a0867207e9824a1382620c17d1b445e307512982279a285e7cb4ce2f79a7f48b549d5c78e0f1ef707ff10ec249784a1d6e88788eba1e861f492f19fe2ca
- SSDEEP
  
  98304:NUqA6Sp+ZIogCxfwijqisUzS5Q1J6KtqxxwwpJKILMW:JAOC/MINxxVpEp
Score

10^/10

legionlocker evasion ransomware themida trojan
- Detected LegionLocker ransomware
  Sample contains strings associated with the LegionLocker family.
  ransomware
- LegionLocker
  Ransomware family active in 2021.
  ransomware legionlocker
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Detected LegionLocker ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Modifies extensions of user files

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2