Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    05-11-2024 12:23

General

  • Target

    Ransomware LegionLocker.exe

  • Size

    3.1MB

  • MD5

    6a85d0ba4d1db63d390b7a071d60e0ef

  • SHA1

    79a32ee067e19b43bc3f29fde3a3ff95986f8e2e

  • SHA256

    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412

  • SHA512

    16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce

  • SSDEEP

    49152:uZik4UvxXDFSuvXKWC9BKtKkd1UOe65qeVyODIaihosmrcvCM97Wd84T3D:YGuDppmT+Be6bymIhoBcaY6d84jD

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\HOW-TO-DECRYPT.TXT

Ransom Note

Ooops! All your important files are encrypted!

[+] What happend to my computer? [+]
All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250.

[+] How do i pay? [+]
Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom.

[+] How can i contact? [+]
1.Download Tor browser (https://www.torproject.org/)
2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
3.Write email to us ([email protected])

[+] What if i already paid? [+]
Send your Bitcoin wallet ID to e-mail provided above.

Attention!
1.Do not modify encrypted files.
2.Do not try decrypt your data using third party software.
3.Do not turn off your computer.

Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (465) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 5 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4132
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:704
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\HOW-TO-DECRYPT.TXT

    Filesize

    1KB

    MD5

    f2bbb85d6112bd7360a4ddbc23ea9a8b

    SHA1

    683eb7b2b0a5904337f204f71d25c02b9cc5daba

    SHA256

    be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2

    SHA512

    a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log

    Filesize

    16B

    MD5

    2caa6f3c95f6ec6bba5b54344938efa0

    SHA1

    2d5637f50e858fbaaeec7853d944dd3c3e91ec39

    SHA256

    16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6

    SHA512

    4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

    Filesize

    332KB

    MD5

    89b6590fcb9080db24875fa671b516ca

    SHA1

    20e472ccdba84d504e087418e703073f44c4f2d9

    SHA256

    d883bdee08b17e451d3be046fd7cd7b9c816c37f72fa123ca1c13c81e9fcd5ac

    SHA512

    3eea6d9796596d9d491b2fa1de794c33bda6447e11c611d769c32da6bd62f25d4b7b13748e70a601ae70f45eb36463d7080e16fcf80571e693109d9395345ee0

  • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

    Filesize

    8KB

    MD5

    5090259c42fc6263bc00e952846280e8

    SHA1

    9bf53e854027c9dec3b25ff1164e88872c71f66e

    SHA256

    a05288aa086504a20d2a3177854f8eb158778756ebc24dcfca266c52fa8d5a17

    SHA512

    8b44fb8fade639c6b4d4b1f8747a8176652700a16b38e43f5f74403c2af0882fb6095986f8e4d94f3d5a242e8d49ed99a03361c01469c8c6a7bf7a7c3527ec7f

  • memory/3928-14-0x0000000005C40000-0x0000000005CD2000-memory.dmp

    Filesize

    584KB

  • memory/3928-15-0x0000000005D00000-0x0000000005D0A000-memory.dmp

    Filesize

    40KB

  • memory/3928-2-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-7-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-8-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-11-0x0000000000720000-0x0000000000F50000-memory.dmp

    Filesize

    8.2MB

  • memory/3928-12-0x0000000000720000-0x0000000000F50000-memory.dmp

    Filesize

    8.2MB

  • memory/3928-13-0x00000000061F0000-0x0000000006794000-memory.dmp

    Filesize

    5.6MB

  • memory/3928-0-0x0000000000720000-0x0000000000F50000-memory.dmp

    Filesize

    8.2MB

  • memory/3928-3-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-5-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-64-0x0000000000720000-0x0000000000F50000-memory.dmp

    Filesize

    8.2MB

  • memory/3928-101-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-102-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-136-0x0000000076A10000-0x0000000076A11000-memory.dmp

    Filesize

    4KB

  • memory/3928-173-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-316-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-6-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-4-0x00000000769F0000-0x0000000076AE0000-memory.dmp

    Filesize

    960KB

  • memory/3928-1-0x0000000076A10000-0x0000000076A11000-memory.dmp

    Filesize

    4KB