Analysis

  • max time kernel
    99s
  • max time network
    133s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 18:13

General

  • Target

    LegacyUpdate-1.111.exe

  • Size

    601KB

  • MD5

    65cf19fe7e1491409f95cc280f744fec

  • SHA1

    75f8a05ff04f725521f7f46ad9c50c454ea39d20

  • SHA256

    b826a873c50c9cbf6cb52f6bfbf7efad03dbf56cf0928504e1b2b7100aab29ac

  • SHA512

    1f3503e0de4c74eb93a4f09d3952d2db10315629d8bc073ef69604e90f2a582021d77d5174e462cf2aec0f6620f386578c14791732610b615cf84b503682aebd

  • SSDEEP

    12288:dBKdu4egRoStQ21qW9w7/RSX2wSqwRGIvccEq694AYTeen4OkZWnonzDkIBvP:Wdu4/R31qW9G5SX2JqwRGIvccE79w4xh
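
The Signatures section further down reports the target as a UPX packed file. The block below is an added example (not part of the sandbox report and not Legacy Update project code) showing the file-level indicators such a signature keys on: the UPX0/UPX1 section names, the "UPX!" marker left by the decompression stub, and the hollow first section (VirtualSize set, SizeOfRawData zero) that UPX fills at run time. The PE images it checks are constructed in the block; the section names, sizes and the marker placement are the only assumptions.

```python
"""Added example (not part of the sandbox report, not Legacy Update code):
the file-level heuristics behind a "UPX packed file" signature.

UPX leaves two traces in a PE image: section names UPX0/UPX1 (UPX0 has a
zero SizeOfRawData and is filled at run time) and the literal "UPX!" in the
decompression stub. The functions below read the section table directly
from the bytes, so they work on any PE without a third-party parser."""
import struct
import sys

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def pe_sections(data: bytes):
    """Return (name, VirtualSize, SizeOfRawData) per section; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = data[table + i * 40: table + (i + 1) * 40]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        vsize, _vaddr, rsize = struct.unpack_from("<III", hdr, 8)
        sections.append((hdr[:8].rstrip(b"\0"), vsize, rsize))
    return sections


def upx_indicators(data: bytes) -> dict:
    """Combine the indicators; 'packed' is the signature-style verdict."""
    sections = pe_sections(data)
    named = [s[0] for s in sections if s[0] in UPX_SECTION_NAMES]
    # A modified UPX usually renames the sections, so also accept the stub
    # marker together with the tell-tale hollow first section.
    hollow_first = bool(sections) and sections[0][2] == 0 and sections[0][1] > 0
    marker = b"UPX!" in data
    return {
        "upx_sections": named,
        "hollow_first_section": hollow_first,
        "upx_marker": marker,
        "packed": bool(named) or (marker and hollow_first),
    }


def build_pe(sections, tail=b""):
    """Constructed header-only PE32+ image for testing; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    size_opt = 0xF0                                        # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    table = b"".join(
        name.ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + table + tail


# Constructed samples: a stock UPX layout, a renamed-section "modified UPX"
# layout, and an ordinary unpacked layout.
PACKED = build_pe([(b"UPX0", 0x50000, 0), (b"UPX1", 0x20000, 0x1F000), (b".rsrc", 0x1000, 0x800)],
                  tail=b"\0" * 16 + b"UPX!" + b"\0" * 8)
RENAMED = build_pe([(b".text", 0x50000, 0), (b".data", 0x20000, 0x1F000)], tail=b"UPX!")
CLEAN = build_pe([(b".text", 0x1000, 0x1000), (b".rdata", 0x500, 0x600), (b".data", 0x200, 0x200)])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, upx_indicators(fh.read()))
```

Run it as `python upx_check.py LegacyUpdate-1.111.exe` against the sample whose hashes are listed above. A packer hit is a reason to unpack (stock UPX usually yields to `upx -d`) and inspect the payload, not a verdict: plenty of legitimate installers ship UPX-compressed.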

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
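
The report lists the COM hijacking signature but not the keys it matched, and the process tree below shows the installer registering two DLLs with regsvr32, which also writes registry classes. The check an analyst runs over the post-execution registry to tell a hijack from ordinary registration is shown here as an added example (not part of the report, not Legacy Update code). The registry export it parses is constructed for the example, and the CLSIDs and DLL paths in it are placeholders.

```python
"""Added example (not part of the sandbox report, not Legacy Update code):
a COM-hijack check over a registry export, the pattern behind the
"Component Object Model Hijacking" signature. For a process running at the
user's integrity level, a CLSID is resolved through HKCU\Software\Classes
before HKLM\Software\Classes, so a per-user InprocServer32 that names a
different DLL redirects every instantiation of that class."""
import re

# Constructed .reg-style export; CLSIDs and paths are placeholders.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Admin\\AppData\\Roaming\\shim\\shim.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\Admin\\AppData\\Local\\Temp\\loader.dll"
"""

KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\InprocServer32\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_inproc_servers(export: str) -> dict:
    """Map (hive, CLSID) -> InprocServer32 default value with .reg escaping undone."""
    servers, current = {}, None
    for raw in export.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2).upper())
            continue
        if line.startswith("["):
            current = None              # some other key: ignore its values
            continue
        value = DEFAULT_RE.match(line)
        if value and current:
            servers[current] = value.group(1).replace("\\\\", "\\")
    return servers


def hijack_candidates(servers: dict) -> list:
    """Per-user servers that redirect, or suspiciously extend, the machine-wide view."""
    findings = []
    for (hive, clsid), path in servers.items():
        if hive != "HKEY_CURRENT_USER":
            continue
        machine = servers.get(("HKEY_LOCAL_MACHINE", clsid))
        user_writable = path.lower().startswith(USER_WRITABLE)
        if machine is None:
            # Per-user-only CLSIDs are how per-user installs register; only
            # escalate when the server sits where the user can overwrite it.
            if not user_writable:
                continue
            reason = "per-user CLSID with no machine-wide counterpart, server in user-writable path"
        elif machine.lower() == path.lower():
            continue                    # same DLL in both hives: not a redirect
        else:
            reason = "per-user InprocServer32 shadows the machine-wide server"
        findings.append({"clsid": clsid, "user_server": path, "machine_server": machine,
                         "user_writable": user_writable, "reason": reason})
    return findings
```

On a live host the input comes from `reg export HKLM\Software\Classes\CLSID hklm.reg` and `reg export HKCU\Software\Classes\CLSID hkcu.reg` concatenated; the parser ignores the editor header and unrelated keys. Two caveats: elevated processes do not consult per-user class registrations, so a HKCU shadow only redirects processes at the user's integrity level, and a complete sweep also has to cover LocalServer32, TreatAs and the per-user ProgID and Interface keys, which this block does not.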

Processes

  • C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe
    "C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Program Files\Legacy Update\LegacyUpdate.exe
      "C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 328220
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:4728
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\SysWOW64\regsvr32.exe
          /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:4968
    • C:\Program Files\Legacy Update\LegacyUpdate.exe
      "C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun
      2⤵
      • Executes dropped EXE
      PID:1240
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2104
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3368 CREDAT:17410 /prefetch:2
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:5040
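
The tree above shows the installer (PID 1404) dropping LegacyUpdate.exe into Program Files and running it with /regserver, which in turn runs regsvr32 /s on LegacyUpdate.dll and LegacyUpdate32.dll; for the 32-bit DLL the System32 regsvr32 (PID 4612) re-launches its SysWOW64 copy (PID 4968). Silent self-registration of freshly dropped DLLs is how installers normally register COM servers, so the "Loads dropped DLL" and "Modifies registry class" hits are context, not a verdict. The block below is an added example (not part of the report, not Legacy Update code) of triage logic that extracts that context from process-creation events: it flags each regsvr32 registration of a DLL outside the Windows system directories, rebuilds the parent chain, and marks the WOW64 re-launch so it is not counted as a second registration. The events are constructed to mirror the tree; the parent of PID 1404 and the final benign control event are invented for the example.

```python
"""Added example (not part of the sandbox report, not Legacy Update code):
triage over process-creation events shaped like Sysmon Event ID 1 fields.
Surfaces every regsvr32.exe registration of a non-system DLL with the DLL
path, the parent chain back to the root, and whether the event is just the
64-bit regsvr32 re-launching its 32-bit copy for a 32-bit DLL."""
import ntpath
import re

# Constructed events; PIDs, images and command lines mirror the report's
# process tree. The parent of PID 1404 and the last event are invented.
EVENTS = [
    {"pid": 1404, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\LegacyUpdate-1.111.exe"'},
    {"pid": 1492, "ppid": 1404, "image": r"C:\Program Files\Legacy Update\LegacyUpdate.exe",
     "cmdline": r'"C:\Program Files\Legacy Update\LegacyUpdate.exe" /regserver 328220'},
    {"pid": 4728, "ppid": 1492, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate.dll"'},
    {"pid": 4612, "ppid": 1492, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"'},
    {"pid": 4968, "ppid": 4612, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'/s "C:\Program Files\Legacy Update\LegacyUpdate32.dll"'},
    {"pid": 1240, "ppid": 1404, "image": r"C:\Program Files\Legacy Update\LegacyUpdate.exe",
     "cmdline": r'"C:\Program Files\Legacy Update\LegacyUpdate.exe" /launch /firstrun'},
    # Constructed benign control: a system DLL re-registered from System32.
    {"pid": 7001, "ppid": 900, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\wuaueng.dll"},
]

# First quoted path ending in .dll, else first unquoted token ending in .dll.
DLL_RE = re.compile(r'"([^"]+?\.dll)"|(\S+\.dll)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def dll_argument(cmdline: str):
    """The DLL path regsvr32 was asked to register, or None."""
    m = DLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def ancestry(by_pid: dict, pid: int) -> list:
    """Image basenames from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def regsvr32_registrations(events: list) -> list:
    """One finding per regsvr32 registration of a DLL outside the system directories."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "regsvr32.exe":
            continue
        dll = dll_argument(e["cmdline"])
        if dll is None or dll.lower().startswith(SYSTEM_DIRS):
            continue                    # OS component registering a system DLL
        parent = by_pid.get(e["ppid"])
        # 64-bit regsvr32 hands a 32-bit DLL to the SysWOW64 copy with the
        # same argument; report it, but mark it so it is not double-counted.
        wow64 = (parent is not None
                 and ntpath.basename(parent["image"]).lower() == "regsvr32.exe"
                 and (dll_argument(parent["cmdline"]) or "").lower() == dll.lower())
        findings.append({
            "pid": e["pid"],
            "dll": dll,
            "silent": "/s" in e["cmdline"].lower().split(),
            "wow64_reexec": wow64,
            "chain": ancestry(by_pid, e["pid"]),
        })
    return findings


if __name__ == "__main__":
    for f in regsvr32_registrations(EVENTS):
        print(f["pid"], " > ".join(f["chain"]), f["dll"], "wow64" if f["wow64_reexec"] else "")
```

What makes the result actionable is the chain: a regsvr32 whose root is a user-launched installer in %TEMP% and whose DLL sits in the directory that installer just created is the expected shape; the same regsvr32 rooted in an Office process or a script host, or pointing at a DLL under %APPDATA%, is what the signature is meant to catch. Verifying the dropped DLLs against the hashes listed under Downloads is the next step either way.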

Network

        TTP references: MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files\Legacy Update\LegacyUpdate.dll

          Filesize

          419KB

          MD5

          74350e57247d8e2ca48f296167749f6b

          SHA1

          4c6a29a11b3238896c635159475ee75726191974

          SHA256

          b98d511ed5039d3b8c9bf02eb25155b3917f38234d4e38113209276cea46bce3

          SHA512

          4fcc7d146a169b95e8839c92a79993a83203e47d8a293a96795b2b497d6cb39e0f702922d55514773d0992b7e11c63cfa7cccf755ae3becdbdfd4323f1f14054

        • C:\Program Files\Legacy Update\LegacyUpdate.exe

          Filesize

          127KB

          MD5

          a658cd3da26882d5cafc03cb04f28828

          SHA1

          952c0dd7b9a0a4fdaaf5a6bfd92649d76cec97f5

          SHA256

          e27c064ebb7c99ec65494d9371165f2b207e35cf2a5cd660e74223c0013e98c1

          SHA512

          23ad1e341dae59e5edadc92d56b0da0a5729228b079e0e57a4232c7ba83789d77ce7daf713b219811692327a1507b6bce0ccbc5dc99c2e253bf78216df63230e

        • C:\Program Files\Legacy Update\LegacyUpdate32.dll

          Filesize

          295KB

          MD5

          a16b3a0f15a907da1a868b8e9842f1a4

          SHA1

          afd21759cfd0f68b765f3cd9365280094c8a618e

          SHA256

          9eb6498716330a0e1019316fc21261e1e81ccd319ed1a9c8d2555ecaeb0229ec

          SHA512

          f95a1b2ffabf3795a1b77eb67506603d213391efc04ec4a1592f24af4297777763518bb9c0c7e4be975591125cec587e33e48ec39f2c2fd641abd33a83687015

        • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

          Filesize

          4KB

          MD5

          da597791be3b6e732f0bc8b20e38ee62

          SHA1

          1125c45d285c360542027d7554a5c442288974de

          SHA256

          5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

          SHA512

          d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\amur9j7\imagestore.dat

          Filesize

          15KB

          MD5

          b8bfd4f0b46a40ef47592936a1ff8671

          SHA1

          d5d743ac3f2bbd43c95733ba49b5e34c9e675db2

          SHA256

          8c969228feaa34c8e0efcc6e0f3ab21961755f208e8676e2e7c871fe07117d4c

          SHA512

          ff8fb95c910afa2f69da2ec0803bbe92bf4c24aa05a77eb73af21ec76dda18391c674b6f70451e395244efe1c266e9061eaf67b21360114758e7b3966a27b6af

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2FPEI6B1\PIE_IE9[1].js

          Filesize

          24KB

          MD5

          c6d00873371110fdf87b3c2d85493610

          SHA1

          9be47c02adf06a4befc040751cea7016ba5f5dc0

          SHA256

          868c8cb616b608c4f82c10e979279f23c94773c100399e40e0238223d36a3927

          SHA512

          00aaa7a3b2b6b3d1d38789f228a280001b7287930e14c7dc6f1133ba524c5323aaead566e6a84bcf2ff429155f15d60b607898bbb10fafd63839f0487d9a6672

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CVT3CZ05\global[1].js

          Filesize

          10KB

          MD5

          47223f34276f4bab4bfcbab937038e40

          SHA1

          a6a19505ba73acb1b65ff5e70a59d8fa7ca94286

          SHA256

          7d48e1ffb5354d10a3b00f15efa6a73aa3a9618a1e837cf44c1fad1fb0d204c8

          SHA512

          6d03319746851fd2f47141d44f05c54d0edc37fd67005982ac875a91445fd197a9b98da1544603a0ba0fc79a4bfe5f2d21d9f05337d4910e57dc158cc2406e30

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\activex[1].js

          Filesize

          1KB

          MD5

          144e34b4f44464ccf7d396bed3a8d8ce

          SHA1

          aa60249c50b936e6a1c16c8c2fe87461c09150f5

          SHA256

          66c4353831b336853b4726c98585f73ab10189f4e47433f0fe25db48657d8902

          SHA512

          703455aab0a8720a423c1285f8d18845e48c5521cb2a4eed6951e980b76a34d30724f2e2a27b34a040bc1f2708ca349baaed5922bc77996fd73cdb86028bbd32

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\jquery[1].js

          Filesize

          70KB

          MD5

          10092eee563dec2dca82b77d2cf5a1ae

          SHA1

          65cbff4e9d95d47a6f31d96ab4ea361c1f538a7b

          SHA256

          e23a2a4e2d7c2b41ebcdd8ffc0679df7140eb7f52e1eebabf827a88182643c59

          SHA512

          cc92cf5a9b3a62a18af432fdffb81b76da84e2f43ce3c7800a919c10809118d0611e29a47f103ff3df18a54d5331bc5f06ef4771dc406cc763b30ff2a66a3e81

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J37ACQEP\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W1JN9WZ6\favicon[1].ico

          Filesize

          14KB

          MD5

          234bff2200db4dd16e96bcb6ae5da9f0

          SHA1

          d348cd7dd3ab3b86cbd2548203186d0db6d4884e

          SHA256

          48282bd4c2ef47c6c51bab7011c8cef46395138d05ab83ac55b0415d64bcd277

          SHA512

          3bf1867fba4d0b0d9e1f30d0fadd71cdc3de964da7743d0ad2129aa0a7e96f6c057070bb8a122dab8fefdfa72324c4149db97e5fd622fd018fbb08ce17d9edfe

        • C:\Users\Admin\AppData\Local\Temp\Kno9E1D.tmp

          Filesize

          88KB

          MD5

          002d5646771d31d1e7c57990cc020150

          SHA1

          a28ec731f9106c252f313cca349a68ef94ee3de9

          SHA256

          1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

          SHA512

          689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

        • C:\Users\Admin\AppData\Local\Temp\nsc6220.tmp\LegacyUpdateNSIS.dll

          Filesize

          45KB

          MD5

          9faba20acb994499221c4066aa5bc043

          SHA1

          d19d76e98d0e433166d4c8f1f2b6ffbc9443548a

          SHA256

          afaa11c241ad99d31fe29dc07a0d2190dc0490f21d3bd6399b87498ad1055ec4

          SHA512

          3a8028e53259e193360b6fb7f49ac4f4ef9d8cf29b0681026ddfb4d5dc62cf35feea8184e05fccf212abf8e37da5b31c80e77ac323aab360ddd5fe827ca49224

        • C:\Users\Admin\AppData\Local\Temp\nsc6220.tmp\System.dll

          Filesize

          32KB

          MD5

          617f4e0a6c8782cfca9aee923fc7f8e4

          SHA1

          c907a6310e450f1ff9fd14c4afd10b70add8f2ee

          SHA256

          43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e

          SHA512

          ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a

        • memory/1240-43-0x00007FF75CCB0000-0x00007FF75CCD0000-memory.dmp

          Filesize

          128KB

        • memory/1404-41-0x0000000000400000-0x0000000000487000-memory.dmp

          Filesize

          540KB

        • memory/1404-0-0x0000000000400000-0x0000000000487000-memory.dmp

          Filesize

          540KB

        • memory/1492-26-0x00007FF75CCB0000-0x00007FF75CCD0000-memory.dmp

          Filesize

          128KB