Overview
overview
5Static
static
5LegacyUpda...11.exe
windows10-2004-x64
5LegacyUpda...11.exe
windows11-21h2-x64
5$PLUGINSDI...IS.dll
windows10-2004-x64
3$PLUGINSDI...IS.dll
windows11-21h2-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...er.dll
windows11-21h2-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows11-21h2-x64
3LegacyUpdate.dll
windows10-2004-x64
3LegacyUpdate.dll
windows11-21h2-x64
3Analysis
-
max time kernel
99s -
max time network
102s -
platform
windows11-21h2_x64 -
resource
win11-20250619-en -
resource tags
arch:x64arch:x86image:win11-20250619-enlocale:en-usos:windows11-21h2-x64system -
submitted
04/07/2025, 18:13
Behavioral task
behavioral1
Sample
LegacyUpdate-1.111.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
LegacyUpdate-1.111.exe
Resource
win11-20250619-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/LegacyUpdateNSIS.dll
Resource
win10v2004-20250619-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/LegacyUpdateNSIS.dll
Resource
win11-20250619-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/NSxfer.dll
Resource
win10v2004-20250502-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/NSxfer.dll
Resource
win11-20250502-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250619-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win11-20250610-en
Behavioral task
behavioral9
Sample
LegacyUpdate.dll
Resource
win10v2004-20250610-en
Behavioral task
behavioral10
Sample
LegacyUpdate.dll
Resource
win11-20250619-en
General
-
Target
LegacyUpdate.dll
-
Size
295KB
-
MD5
a16b3a0f15a907da1a868b8e9842f1a4
-
SHA1
afd21759cfd0f68b765f3cd9365280094c8a618e
-
SHA256
9eb6498716330a0e1019316fc21261e1e81ccd319ed1a9c8d2555ecaeb0229ec
-
SHA512
f95a1b2ffabf3795a1b77eb67506603d213391efc04ec4a1592f24af4297777763518bb9c0c7e4be975591125cec587e33e48ec39f2c2fd641abd33a83687015
-
SSDEEP
6144:YjuBxS2+s6QHNQ1uM7PqD9cHzJAoLqmZkEA4IACvkldwr7+xMT0Jaj0aeru:YuxS2R6QC1uM7PqD9cHUj0Xy
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer\ = "LegacyUpdate.ProgressBar.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ = "IElevationHelper" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\VersionIndependentProgID\ = "LegacyUpdate.ElevationHelper" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LegacyUpdate.dll\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\ = "Legacy Update Elevation Helper" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\Enabled = "1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000_Classes\WOW6432Node\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Elevation\IconReference = "@C:\\Program Files\\Legacy Update\\LegacyUpdate.exe,-100" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1\CLSID\ = "{84F517AD-6438-478F-BEA8-F0B808DC257F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ = "Legacy Update Elevation Helper" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}\DllSurrogate regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\Version\ = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\ProgID\ = "LegacyUpdate.Control.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ = "IProgressBarControl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper\CurVer\ = "LegacyUpdate.ElevationHelper.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}\AppID = "{D0A82CD0-B6F0-4101-83ED-DA47D0D04830}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\ = "Legacy Update Progress Bar Control" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\ProxyStubClsid32\ = "{3236E684-0E4B-4780-9F31-F1983F5AB78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3236E684-0E4B-4780-9F31-F1983F5AB78D}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\ProgID\ = "LegacyUpdate.ElevationHelper.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B875A2F-2DFB-4D38-91F5-5C0BFB74C377}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LegacyUpdate.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\ = "ILegacyUpdateCtrl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ElevationHelper regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.Control.1\CLSID\ = "{AD28E0DF-5F5A-40B5-9432-85EFD97D1F9F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C33085BB-C3E1-4D27-A214-AF01953DF5E5}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4524BFBF-70BD-4EAC-AD33-6BADA4FB0638}\TypeLib\ = "{05D22F33-C7C3-4C90-BDD9-CEDC86EA8FBE}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84F517AD-6438-478F-BEA8-F0B808DC257F}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LegacyUpdate.ProgressBar.1\ = "ProgressBarControl Class" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3476 wrote to memory of 2036 3476 regsvr32.exe 78 PID 3476 wrote to memory of 2036 3476 regsvr32.exe 78 PID 3476 wrote to memory of 2036 3476 regsvr32.exe 78
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\LegacyUpdate.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036
-