Analysis
- max time kernel: 103s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 18:13
Behavioral tasks
- behavioral1: sample LegacyUpdate-1.111.exe, resource win10v2004-20250619-en
- behavioral2: sample LegacyUpdate-1.111.exe, resource win11-20250619-en
- behavioral3: sample $PLUGINSDIR/LegacyUpdateNSIS.dll, resource win10v2004-20250619-en
- behavioral4: sample $PLUGINSDIR/LegacyUpdateNSIS.dll, resource win11-20250619-en
- behavioral5: sample $PLUGINSDIR/NSxfer.dll, resource win10v2004-20250502-en
- behavioral6: sample $PLUGINSDIR/NSxfer.dll, resource win11-20250502-en
- behavioral7: sample $PLUGINSDIR/System.dll, resource win10v2004-20250619-en
- behavioral8: sample $PLUGINSDIR/System.dll, resource win11-20250610-en
- behavioral9: sample LegacyUpdate.dll, resource win10v2004-20250610-en
- behavioral10: sample LegacyUpdate.dll, resource win11-20250619-en
General
- Target: $PLUGINSDIR/System.dll
- Size: 32KB
- MD5: 617f4e0a6c8782cfca9aee923fc7f8e4
- SHA1: c907a6310e450f1ff9fd14c4afd10b70add8f2ee
- SHA256: 43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e
- SHA512: ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a
- SSDEEP: 768:9aeiijipAWhs95hysSoQuSmhs9BJiCXysSoQuSD:4e9iSWm31L7Smm7ii1L7SD
Malware Config

Signatures
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  4964  3208        WerFault.exe  84
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4240 wrote to memory of 3208  4240  rundll32.exe  84
  PID 4240 wrote to memory of 3208  4240  rundll32.exe  84
  PID 4240 wrote to memory of 3208  4240  rundll32.exe  84
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
  PID: 4240
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
    PID: 3208
    - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 612
      PID: 4964
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3208 -ip 3208
  PID: 4928