legion | 119f71276feb0064a7382ae036cc9a7ef9a2cdef69f8b4ca65a0e0ce4643245a

Analysis

max time kernel
135s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 17:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winmm.dll
Size

841KB
MD5

d6a8c7fd490cd1149c0b51d961eab9f3
SHA1

73bb1220ead897fcc36df8d8622104ae82a9ad12
SHA256

119f71276feb0064a7382ae036cc9a7ef9a2cdef69f8b4ca65a0e0ce4643245a
SHA512

0273f74c072f48a3aaac1c6e808fcdcab465513651c5a7815fc75e767af85cd1654073f776a5f41ad2d9606264302333d4524cbe838dacfeae1e1d7ff413befc
SSDEEP

6144:oUCLuxLYxYooT5WjKkwxPQm9msflBOkV4ELEko/q+EIZtCn6Kyn3KzhJTTcAcYGR:TCv/o9rk8597u/PHvLKkAS84RQ8MoJ

Score

10^/10

legion discovery downloader loader stealer

Malware Config

Extracted

Family

legion

dns-beast.com

Attributes

url_paths
hittest.php
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko

Signatures

Legion, RobotDropper, Satacom
Legion aka 'RobotDropper' or 'Satacom' is a malware downloader written in C++ and Legion stealer is written C#.
downloader stealer legion

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 1060	3568	rundll32.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 1060	3568	rundll32.exe	85
PID 3568 wrote to memory of 1060	3568	rundll32.exe	85
PID 3568 wrote to memory of 1060	3568	rundll32.exe	85
PID 3568 wrote to memory of 1060	3568	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\winmm.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1060

Network

DNS

fgrju.com

explorer.exe

Remote address:

8.8.8.8:53

Request

fgrju.com

IN A

Response
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

100.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.209.201.84.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

28.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.73.42.20.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

fgrju.com

dns

explorer.exe

55 B
128 B
1
1

DNS Request

fgrju.com
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

100.209.201.84.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

100.209.201.84.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

28.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

28.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-2-0x0000000000FE0000-0x0000000001007000-memory.dmp

Filesize
156KB

Download
memory/1060-3-0x0000000000FE0000-0x0000000001007000-memory.dmp

Filesize
156KB

Download
memory/1060-4-0x0000000000FE0000-0x0000000001007000-memory.dmp

Filesize
156KB

Download
memory/1060-5-0x0000000000FE0000-0x0000000001007000-memory.dmp

Filesize
156KB

Download
memory/1060-8-0x0000000000FE0000-0x0000000001007000-memory.dmp

Filesize
156KB

Download
memory/3568-1-0x000001FB984A0000-0x000001FB985A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.