Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

LegendOnli...64.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    20s
  • max time network
    24s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/08/2024, 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LegendOnline.MSVC_20230822_x64.exe

  • Size

    28.5MB

  • MD5

    50342e2339f687332612b275e4f8f438

  • SHA1

    88817c6284b7e7173a28c6f84a64d9eb5cc47b97

  • SHA256

    3fdbf77c9b3a76e16719e3e4fce9f7f966dd7e59e0c2750d6144063e993a53b7

  • SHA512

    f94730daf48c99dc95bbbd82ad80e65d70e8f9e435ad0824a3a248f9c532bb7532a2ac52e35b34f4cdac1774f906c9869d43867bea0ef5fb931cd877812246ad

  • SSDEEP

    393216:etD/KubWwmVzHnGBpCNP2WySTp1ABDw0MgFvicF5M064qraCYZp1DXhfbJf4kw7t:2DSAPEbEUXGTFqcj3Rmybh4kw6DEL

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 15 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegendOnline.MSVC_20230822_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\LegendOnline.MSVC_20230822_x64.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\is-TT6UB.tmp\LegendOnline.MSVC_20230822_x64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TT6UB.tmp\LegendOnline.MSVC_20230822_x64.tmp" /SL5="$5021A,28976750,831488,C:\Users\Admin\AppData\Local\Temp\LegendOnline.MSVC_20230822_x64.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Legend Online Client by Brov (64-bit)\flash\Flash64_15_0_0_167.ocx"
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2132
      • C:\Windows\system32\icacls.exe
        "icacls" Flash64_15_0_0_167.ocx /reset
        3⤵
        • Modifies file permissions
        PID:4488
      • C:\Program Files\Legend Online Client by Brov (64-bit)\LegendOnline.exe
        "C:\Program Files\Legend Online Client by Brov (64-bit)\LegendOnline.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Legend Online Client by Brov (64-bit)\LegendOnline.exe
    Filesize

    1.1MB

    MD5

    8f5619812538063409154346b73e0a83

    SHA1

    e449b47052011c6e5094a145cf6fa166fcb07565

    SHA256

    67f17707e6c63311047ec69fd7e439491508de983e37ceb34e8f4828cb455b20

    SHA512

    820cf3db218a38e67add52856a83c1875dd29fb850c306823216f26bed3dbd58d56ddad723e275148b4d0480d6559171d799a9433b7ac99ba1013ccdfe1494f2

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\Qt5Core.dll
    Filesize

    5.4MB

    MD5

    4c298cc4ceb8ac3298cd1b9ae8d5ae71

    SHA1

    3e864d62e7ca790741d37b41194e379e0b673db8

    SHA256

    336953659a8da0431cbda1c146565b6d92cb1bb31657cf0d07c38412a026820f

    SHA512

    7a1ef2931e9de3ab38812a68588ce49f63d7abab549162c5913f6767504b38dd1a2b3f230a307e084c0aae87ac2ad5d587d27eedc445499b20e0520cf7cd97d2

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\Qt5Gui.dll
    Filesize

    5.8MB

    MD5

    147f51ab5682ff8916fb49b65ceddbdc

    SHA1

    3fb0b7bb22ec375e33d070aae5aed7592c26eb2f

    SHA256

    c482dded9127ad55e8057664ccf10268e0ef5001d926fe17e3fc7c1e4ef26ddf

    SHA512

    3bc1c9e8a40c337f963fa44e9cf4ec59fd2a14a32ba8fa0e7d0c7811031aacca0b25e70330b412440f9949ce1d9cda621c5a209c2ea3450282ef53cb527f6c9c

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\Qt5Network.dll
    Filesize

    1.0MB

    MD5

    01c0b09979d62031c32e6a20f7f86669

    SHA1

    ac416e341c5645c5d27288aa17050fccd89290f7

    SHA256

    0cd3f484c00d9dc0e8a85dd6964417815a0c90265d6275523d2eb71be14435d3

    SHA512

    f2e815f78415d3ab43556ee364bc33dbb1e6f5db801e3dc32092e90afd7d0e25cdaf56d66333e3445111328ecf08736ae7fa4a68958c58318b6354cd34999a7a

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\Qt5Widgets.dll
    Filesize

    5.2MB

    MD5

    748e1b7c4b9b025eadc4f88bc4e93c9b

    SHA1

    44925fa433c49c6b9e3859b4ffc0b8163bcca4f2

    SHA256

    4cfc9632c9c2ce079028c5232494b7a0d8c774491e059bbea086139606e7c429

    SHA512

    ff3632d45458276bfedcae5f7684a4b5f1170176ad456e80c5dd1b85114fd6a68abcd255ebe9ab8e0d16f5cd23a37aa6648d3884f0edfd0cba68257a384bf02e

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\flash\Flash64_15_0_0_167.ocx
    Filesize

    22.4MB

    MD5

    7f4bde3b60481e910d3abf158a52fa4b

    SHA1

    5c9bab954176eafc8546e0130ffa7b9e1f32053c

    SHA256

    7ac444d19ad9d7c8a26a1fe09a7052fb7c6c922ce6c4ee38798a963df42e38ec

    SHA512

    c9a2708e89331c5c2e5edb81744dec7d896e0092751b5dcf0273f094ae7b21b741f63fcbc5f53ff62eff9fba6f530d1af3f4548f26650124b163a01c0a99c967

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\imageformats\qgif.dll
    Filesize

    31KB

    MD5

    e73e6d70649cacdad2fb7cafadab4081

    SHA1

    c6dc6ea142983de167cf718bf76c2c411d4a978f

    SHA256

    703b039207e4fb82f904baf82fb4803f4506de96412699e6384fbbc60c330e02

    SHA512

    c28a4f4b976f8f73ae17c1c82f78570a91a2be4a481939acb0558edd2b3baa78e0d95d2e958b464563295f78aff11fecadece47c9df0f712d4cafe1f4ad0e242

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\imageformats\qico.dll
    Filesize

    33KB

    MD5

    bd1819f7b1dfdb3d9fa4821a9a0e4b42

    SHA1

    47a772b3a5901e946e8508f5171f4c003dca6ff1

    SHA256

    9352f22e60629c339eda05a947489b7bcd67d3b3b5b22e8da31f0f50fa55bb40

    SHA512

    5cb0ed9207e536e326b3afe27afce19e09f4185e94dda74984526e15041161f2627fd4228991e224ec5df2506d36452f003fbbca5aa5960290b6ad4a51593a26

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\imageformats\qjpeg.dll
    Filesize

    235KB

    MD5

    c380b449d2c79730405da91bc4dc3ff5

    SHA1

    da39cab9a4ef4aa232fe3b1bdc3f8bb0efa219c6

    SHA256

    1d20a86c23a88a5b8c9783c339d1c794d6d983e37f0ae3c095e09d90577e397d

    SHA512

    71214857e7489cfe2b0cd76ec8f136638b22580ca30639f2814f95e5b3f52c7f56a539bef0beea9cb3bc1905324ea83e5ba96d508261a102d422810f3f3a19ce

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\libeay32.dll
    Filesize

    2.0MB

    MD5

    c1075b52701f114a5c5c484244177a5c

    SHA1

    151058fd6fe5e88546ac5262e32f5b4c864d7e09

    SHA256

    8d831137ebc02429aa7a834818d2869cbfd8c06830e2d40631868b553275a333

    SHA512

    001e39b63293db40f96a3fa3d5ef90ea529cf7ac81f3091a5bacbdcebeca28b4cb6d2c5009c9247274adc431ded55c3322788f1f1d3d435de79f843e4b0f855f

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\msvcp140.dll
    Filesize

    618KB

    MD5

    9ff712c25312821b8aec84c4f8782a34

    SHA1

    1a7a250d92a59c3af72a9573cffec2fcfa525f33

    SHA256

    517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094

    SHA512

    5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\msvcr120.dll
    Filesize

    940KB

    MD5

    9c861c079dd81762b6c54e37597b7712

    SHA1

    62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

    SHA256

    ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

    SHA512

    3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\platforms\qminimal.dll
    Filesize

    35KB

    MD5

    fe1100e7b5067be8d3466c5b60c6b206

    SHA1

    c29a7309e722a16c95496c25225862e55bd60186

    SHA256

    73ccf5a19a560ed7208eba520fb007b9472a5e8a2ef916ef884b098db67de809

    SHA512

    1184405e6662f38436cc7bccc647746193e936ae17c4b1e05af7682354738be8a574e43de98ad45c885c7f0f782580c346e43174e33fac4049bade2522b924ac

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\platforms\qoffscreen.dll
    Filesize

    635KB

    MD5

    9263668977accc5c70a1e1428f23fc8e

    SHA1

    5c85262b74a08005b7eb91a53cb9ddb6652f088d

    SHA256

    866919a87fa60acbfc99bd98a2e4cc3d69ef72d4aefca812b4f0b7a594fb2849

    SHA512

    ae3f22333c99a0e19b5bd31b1a5f9283e671ae359844918fb27e5310983d51ea00f76d8cc8da756b007253cd884833d1d88003ead597466050b9c111bd4fd693

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\platforms\qwindows.dll
    Filesize

    1.2MB

    MD5

    75c8a45f9394b13dd184c1a1a558dad9

    SHA1

    7d430444a326074ec8b79f7715fa431f3c21f99e

    SHA256

    cbc6f84cb9e538c140f070fe0af34204cd298d3a54f8802254b08fecc19a6f09

    SHA512

    5cdec843d2f780dc81db5f6609a74d043e57c0b9b817bb1e0fd03f8afd29720b813720777ca0d86e3239e81c2db78ad5b3d08b6ed282488a4e436fe789df61b2

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\ssleay32.dll
    Filesize

    345KB

    MD5

    e40a1f3e615bc296283422ac6381be4f

    SHA1

    0a644fabac31903aad24001a2899fabad6a3fb33

    SHA256

    e65a65086bde996bb78e0ee9d0d103df6dd1c6e3c3c2b6ff333f9292f7954221

    SHA512

    42107cf62454d0bb9d6f685ca4a987f78a13ef42ecb6ec88d7361cc4dd014da916c32a1001cb53f2068d0389e872db508312a26b5d4d507e215c749b7ad02347

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\translations\LegendOnline_en.qm
    Filesize

    17KB

    MD5

    a53e649962979da59c8ab27c759ff942

    SHA1

    e2a78ed1e3d752054c3053dd0b9b305193f7423e

    SHA256

    191d99a0e1f4972a37f89e43340167f8c1de7e682164ccebc9f355475f87fe4c

    SHA512

    542942fb9e5d7dc7c5fb12204115cd822d0a240193cd86d367310b5cfd023df3a1e8240a901a554c942261852b2e2611f1036352ba2e450bd19e1f009e656e12

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\translations\qt\is-TVJQN.tmp
    Filesize

    16B

    MD5

    bcebcf42735c6849bdecbb77451021dd

    SHA1

    4884fd9af6890647b7af1aefa57f38cca49ad899

    SHA256

    9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

    SHA512

    f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

    Download Submit

  • C:\Program Files\Legend Online Client by Brov (64-bit)\vcruntime140.dll
    Filesize

    85KB

    MD5

    edf9d5c18111d82cf10ec99f6afa6b47

    SHA1

    d247f5b9d4d3061e3d421e0e623595aa40d9493c

    SHA256

    d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

    SHA512

    bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-TT6UB.tmp\LegendOnline.MSVC_20230822_x64.tmp
    Filesize

    3.0MB

    MD5

    94789c654a79f61d9bcd88cc9dce5ebf

    SHA1

    88db95cf53d9d29898aecd776e99adc6cc30354c

    SHA256

    1225e5fc6c262672d5e3a00fd88149e727a3ba2347e9f4b0eeb61a189a3fc426

    SHA512

    5ba4f81587c18fc2d98de4f2367cecf07a6de1107f4110c95c173fe82cf291800b166f6278f29f4a2b3b08ae85fa7723e45822bc69f5926f8db65c80e1d4b931

    Download Submit

  • memory/244-1022-0x0000000067FC0000-0x000000006970E000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/244-1019-0x0000000067FC0000-0x000000006970E000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/244-995-0x0000000069D90000-0x000000006A2D6000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2000-2-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

    Download

  • memory/2000-1020-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2000-0-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2000-963-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2132-979-0x0000000068B90000-0x000000006A2DE000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/2436-977-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2436-6-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2436-1018-0x0000000000400000-0x000000000071A000-memory.dmp

    Filesize

    3.1MB

    Download