Analysis

  • max time kernel
    103s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 18:13

General

  • Target

    LegacyUpdate-1.111.exe

  • Size

    601KB

  • MD5

    65cf19fe7e1491409f95cc280f744fec

  • SHA1

    75f8a05ff04f725521f7f46ad9c50c454ea39d20

  • SHA256

    b826a873c50c9cbf6cb52f6bfbf7efad03dbf56cf0928504e1b2b7100aab29ac

  • SHA512

    1f3503e0de4c74eb93a4f09d3952d2db10315629d8bc073ef69604e90f2a582021d77d5174e462cf2aec0f6620f386578c14791732610b615cf84b503682aebd

  • SSDEEP

    12288:dBKdu4egRoStQ21qW9w7/RSX2wSqwRGIvccEq694AYTeen4OkZWnonzDkIBvP:Wdu4/R31qW9G5SX2JqwRGIvccE79w4xh

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe
    "C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Program Files\Legacy Update\LegacyUpdate.exe
      "C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 655990
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:6140
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\SysWOW64\regsvr32.exe
          /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:5712
    • C:\Program Files\Legacy Update\LegacyUpdate.exe
      "C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun
      2⤵
      • Executes dropped EXE
      PID:4556
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:5172
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4128
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4128 CREDAT:17410 /prefetch:2
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3336

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files\Legacy Update\LegacyUpdate.dll

          Filesize

          419KB

          MD5

          74350e57247d8e2ca48f296167749f6b

          SHA1

          4c6a29a11b3238896c635159475ee75726191974

          SHA256

          b98d511ed5039d3b8c9bf02eb25155b3917f38234d4e38113209276cea46bce3

          SHA512

          4fcc7d146a169b95e8839c92a79993a83203e47d8a293a96795b2b497d6cb39e0f702922d55514773d0992b7e11c63cfa7cccf755ae3becdbdfd4323f1f14054

        • C:\Program Files\Legacy Update\LegacyUpdate.exe

          Filesize

          127KB

          MD5

          a658cd3da26882d5cafc03cb04f28828

          SHA1

          952c0dd7b9a0a4fdaaf5a6bfd92649d76cec97f5

          SHA256

          e27c064ebb7c99ec65494d9371165f2b207e35cf2a5cd660e74223c0013e98c1

          SHA512

          23ad1e341dae59e5edadc92d56b0da0a5729228b079e0e57a4232c7ba83789d77ce7daf713b219811692327a1507b6bce0ccbc5dc99c2e253bf78216df63230e

        • C:\Program Files\Legacy Update\LegacyUpdate32.dll

          Filesize

          295KB

          MD5

          a16b3a0f15a907da1a868b8e9842f1a4

          SHA1

          afd21759cfd0f68b765f3cd9365280094c8a618e

          SHA256

          9eb6498716330a0e1019316fc21261e1e81ccd319ed1a9c8d2555ecaeb0229ec

          SHA512

          f95a1b2ffabf3795a1b77eb67506603d213391efc04ec4a1592f24af4297777763518bb9c0c7e4be975591125cec587e33e48ec39f2c2fd641abd33a83687015

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

          Filesize

          471B

          MD5

          db3f2e41632254f91f7e5e41942d8ff0

          SHA1

          7da106440ca2f41c46abf0c425b49bbce80a1cfb

          SHA256

          601e2bdca83d313ce5087a94b902e3a8237c1255e1221deeb40b3ae5c3a9d9d3

          SHA512

          0cb09d9c84a09722a83150f24caf27cd72f873f77e765b45ac00b177c895f095d9126aafbba60aa3c54b2d3acbee104aa5d0ad1942aca4038586a2242528fbfe

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

          Filesize

          400B

          MD5

          1f12e0bf0132a75fa39048ac84b34b09

          SHA1

          38c60f3cc4a2a6c0d57ffd2702e33452f329827a

          SHA256

          3a11f528a4cd6b959a784ee816170463b43fd58ac09b94c8fe4f095344a65968

          SHA512

          4f8913a522cc1cf9b9a2c69be3ba158a6a128e275c1dae96bf675bec0ab31a3181cf453d5b2a018d41bebb4b295a1d1a1c947b28a69503fa354ab8ad4a13f677

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xvqhvi3\imagestore.dat

          Filesize

          15KB

          MD5

          b8bfd4f0b46a40ef47592936a1ff8671

          SHA1

          d5d743ac3f2bbd43c95733ba49b5e34c9e675db2

          SHA256

          8c969228feaa34c8e0efcc6e0f3ab21961755f208e8676e2e7c871fe07117d4c

          SHA512

          ff8fb95c910afa2f69da2ec0803bbe92bf4c24aa05a77eb73af21ec76dda18391c674b6f70451e395244efe1c266e9061eaf67b21360114758e7b3966a27b6af

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0N5ANRLW\content[1].css

          Filesize

          11KB

          MD5

          851da6986ad50596a4a737884c8a34f7

          SHA1

          57694850292dac81b60de2946adeaee7a298d567

          SHA256

          cc90dadd7bbbe71807a845d9be7004c80552f0b6ac80c807e5e59752ea4a4ade

          SHA512

          9b26a790d244b45ee5f43f7c85c92e0597d0180972a898f3b851cae18e1848db527c9487635ba26a4a8a3b671535292ccf3cc12ea6ea44e0c3c04a67e59505ac

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0N5ANRLW\content[1].js

          Filesize

          22KB

          MD5

          3f5c85e6db94d3770df4d5316d368e48

          SHA1

          62b31c769534010e8c4cd7697417a66356788993

          SHA256

          20da3eca3de93ab83a58bb5b08b9ccf8022c863049dbdd069415171f4600099c

          SHA512

          b99c2f369f32ce065878ddd69db947d2e6d351e745933a6946efa024e668692068318ef42e1623499a96a81de32c1a29557ae40c459b0cb999880db965f95013

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9BEQ95AA\hcp[1].css

          Filesize

          1KB

          MD5

          9b7ff692b36f18db4aba6662aac3bccb

          SHA1

          ad579f3c5b37f4694892422436cb045d39640e8c

          SHA256

          2ba11644aa731e07ef950e9ec9649c30f76a03c660b93f69ef94f038c93eabd1

          SHA512

          c89475b95873f304d93238f6a369c81369b50b81a985c9c5e3ee085f9a362fdd6f5d9d20872ea1e00bc03b340b29197aa58db8a857b22c3fe453b9175274be0b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9BEQ95AA\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UC61FFNV\favicon[1].ico

          Filesize

          14KB

          MD5

          234bff2200db4dd16e96bcb6ae5da9f0

          SHA1

          d348cd7dd3ab3b86cbd2548203186d0db6d4884e

          SHA256

          48282bd4c2ef47c6c51bab7011c8cef46395138d05ab83ac55b0415d64bcd277

          SHA512

          3bf1867fba4d0b0d9e1f30d0fadd71cdc3de964da7743d0ad2129aa0a7e96f6c057070bb8a122dab8fefdfa72324c4149db97e5fd622fd018fbb08ce17d9edfe

        • C:\Users\Admin\AppData\Local\Temp\nso69C8.tmp\LegacyUpdateNSIS.dll

          Filesize

          45KB

          MD5

          9faba20acb994499221c4066aa5bc043

          SHA1

          d19d76e98d0e433166d4c8f1f2b6ffbc9443548a

          SHA256

          afaa11c241ad99d31fe29dc07a0d2190dc0490f21d3bd6399b87498ad1055ec4

          SHA512

          3a8028e53259e193360b6fb7f49ac4f4ef9d8cf29b0681026ddfb4d5dc62cf35feea8184e05fccf212abf8e37da5b31c80e77ac323aab360ddd5fe827ca49224

        • C:\Users\Admin\AppData\Local\Temp\nso69C8.tmp\System.dll

          Filesize

          32KB

          MD5

          617f4e0a6c8782cfca9aee923fc7f8e4

          SHA1

          c907a6310e450f1ff9fd14c4afd10b70add8f2ee

          SHA256

          43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e

          SHA512

          ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a

        • memory/3512-26-0x00007FF6CA530000-0x00007FF6CA550000-memory.dmp

          Filesize

          128KB

        • memory/3748-41-0x0000000000400000-0x0000000000487000-memory.dmp

          Filesize

          540KB

        • memory/3748-0-0x0000000000400000-0x0000000000487000-memory.dmp

          Filesize

          540KB

        • memory/4556-43-0x00007FF6CA530000-0x00007FF6CA550000-memory.dmp

          Filesize

          128KB