Overview

Tasks in this submission (score, sample, platform):

  5  Static
  5  LegacyUpda...11.exe    windows10-2004-x64
  5  LegacyUpda...11.exe    windows11-21h2-x64
  5  $PLUGINSDI...IS.dll    windows10-2004-x64
  3  $PLUGINSDI...IS.dll    windows11-21h2-x64
  3  $PLUGINSDI...er.dll    windows10-2004-x64
  3  $PLUGINSDI...er.dll    windows11-21h2-x64
  3  $PLUGINSDI...em.dll    windows10-2004-x64
  3  $PLUGINSDI...em.dll    windows11-21h2-x64
  3  LegacyUpdate.dll       windows10-2004-x64
  3  LegacyUpdate.dll       windows11-21h2-x64
Analysis (score 3)

max time kernel:   101s
max time network:  104s
platform:          windows11-21h2_x64
resource:          win11-20250610-en
resource tags:     arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         04/07/2025, 18:13
Behavioral tasks

  task           sample                            resource
  behavioral1    LegacyUpdate-1.111.exe            win10v2004-20250619-en
  behavioral2    LegacyUpdate-1.111.exe            win11-20250619-en
  behavioral3    $PLUGINSDIR/LegacyUpdateNSIS.dll  win10v2004-20250619-en
  behavioral4    $PLUGINSDIR/LegacyUpdateNSIS.dll  win11-20250619-en
  behavioral5    $PLUGINSDIR/NSxfer.dll            win10v2004-20250502-en
  behavioral6    $PLUGINSDIR/NSxfer.dll            win11-20250502-en
  behavioral7    $PLUGINSDIR/System.dll            win10v2004-20250619-en
  behavioral8    $PLUGINSDIR/System.dll            win11-20250610-en
  behavioral9    LegacyUpdate.dll                  win10v2004-20250610-en
  behavioral10   LegacyUpdate.dll                  win11-20250619-en
General

Target:  $PLUGINSDIR/System.dll
Size:    32KB
MD5:     617f4e0a6c8782cfca9aee923fc7f8e4
SHA1:    c907a6310e450f1ff9fd14c4afd10b70add8f2ee
SHA256:  43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e
SHA512:  ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a
SSDEEP:  768:9aeiijipAWhs95hysSoQuSmhs9BJiCXysSoQuSD:4e9iSWm31L7Smm7ii1L7SD
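The hashes above are the only thing that ties this task to a concrete file. The following is an added verification helper, not part of the report or of the LegacyUpdate project: it recomputes the four cryptographic digests listed above for a local copy of the artefact and reports which of them agree with the report. SSDEEP is deliberately left out (it is a fuzzy hash and not in hashlib); the sample bytes used in the stand-alone run are constructed and are not the real System.dll.

```python
import hashlib
import sys

# Digests copied from the "General" section of the report for $PLUGINSDIR/System.dll.
REPORTED = {
    "md5":    "617f4e0a6c8782cfca9aee923fc7f8e4",
    "sha1":   "c907a6310e450f1ff9fd14c4afd10b70add8f2ee",
    "sha256": "43a5e3313332eb6835290e99f37dc84de6991d62cd8cb285f1dea32f66d1507e",
    "sha512": "ef3fae21758358042a471b4c898bcda491b9e48edbe2f9f68c02c5f4d1e50313"
              "282323134916e5ad0b3b721f4c802d9aee77902831a580e5e54a1c2e36bbed2a",
}


def digest_bytes(data: bytes) -> dict:
    """Compute every digest the report lists, keyed by hashlib algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED}


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as digest_bytes, streamed so large samples do not need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: dict, expected: dict = REPORTED) -> dict:
    """Per-algorithm match flags; hex digests are compared case-insensitively."""
    return {name: actual[name].lower() == expected[name].lower() for name in expected}


def same_artifact(actual: dict, expected: dict = REPORTED) -> bool:
    """Treat the file as the analysed artefact only when the collision-resistant
    digests agree. An MD5 (or SHA1) match on its own is not evidence of identity,
    since collisions for both are practical."""
    flags = compare(actual, expected)
    return flags["sha256"] and flags["sha512"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        digests = digest_file(sys.argv[1])          # usage: python verify.py System.dll
    else:
        # Constructed placeholder bytes so the script runs without the sample present.
        digests = digest_bytes(b"MZ" + b"\x00" * 62 + b"constructed placeholder, not System.dll")
    for name, ok in compare(digests).items():
        print(f"{name:7s} {'match' if ok else 'MISMATCH'}  {digests[name]}")
    print("same artefact as the report:", same_artifact(digests))
```

Run it against the extracted `$PLUGINSDIR\System.dll` from the same LegacyUpdate-1.111.exe before trusting the behavioural results below for a copy you hold; a 32KB file with a different SHA256 is a different build, whatever its MD5 says.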
Malware Config
Signatures

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2112  3576        WerFault.exe  79

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs; the same parent/child pair is reported three times)
  description                       pid  Process       procid_target
  PID 680 wrote to memory of 3576   680  rundll32.exe  79
  PID 680 wrote to memory of 3576   680  rundll32.exe  79
  PID 680 wrote to memory of 3576   680  rundll32.exe  79
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
   PID: 680
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
      PID: 3576
      - System Location Discovery: System Language Discovery
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 460
         PID: 2112
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576
   PID: 2756
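To read the three signatures and the process tree together, here is an added triage script; it is not part of the report or of the LegacyUpdate project. It transcribes the tree above into records (constructed from the report), parses the rundll32 command lines into DLL path and entry point, maps each WerFault instance to the pid it was reporting on via its `-p` argument, and labels each WriteProcessMemory IoC. The labelling rests on one interpretation that is the example's own rather than something the report states: a 64-bit System32\rundll32.exe writing into a SysWOW64\rundll32.exe child that carries the identical command line is rundll32 re-launching its 32-bit copy to host a 32-bit DLL, the normal path on x64 Windows, and is not a write into a foreign process. All function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str               # full image path
    cmdline: str
    parent: Optional[int]    # None where the report shows no parent


# Process tree transcribed from the report above (constructed input for this example).
PROCS = [
    Proc(680,  r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1", None),
    Proc(3576, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1", 680),
    Proc(2112, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 460", 3576),
    Proc(2756, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576", None),
]
BY_PID = {p.pid: p for p in PROCS}

# The three "wrote to memory" IoCs from the Signatures section: (source pid, target pid).
WPM_EVENTS = [(680, 3576), (680, 3576), (680, 3576)]

# rundll32 syntax: rundll32.exe <dll>,<entry> [args]; <entry> is "#N" for an export ordinal
# or an export name. The DLL path may be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+("[^"]+"|[^,\s][^,]*),(#?\w+)',
    re.IGNORECASE)
WERFAULT_P_RE = re.compile(r"\s-p\s+(\d+)")   # -p <pid> = process being reported on


def parse_rundll32(cmdline: str):
    """Return (dll_path, entry) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group(1).strip('"'), m.group(2)


def entry_is_ordinal(entry: str) -> bool:
    return entry.startswith("#") and entry[1:].isdigit()


def dll_from_user_writable_path(dll_path: str) -> bool:
    """Coarse triage rule: a DLL under a user profile or temp directory was dropped, not installed."""
    low = dll_path.lower()
    return "\\users\\" in low or "\\temp\\" in low or "\\appdata\\" in low


def is_native_rundll32(p: Proc) -> bool:
    return p.image.lower().endswith(r"\system32\rundll32.exe")


def is_wow64_rundll32(p: Proc) -> bool:
    return p.image.lower().endswith(r"\syswow64\rundll32.exe")


def classify_wpm(src_pid: int, dst_pid: int, by_pid=BY_PID) -> str:
    """Label one WriteProcessMemory IoC:
    wow64-relaunch  64-bit rundll32 writing into the SysWOW64 rundll32 child it spawned with the
                    identical command line (the example's reading of a 32-bit DLL load on x64)
    child-setup     any other write by a parent into its direct child
    foreign-write   write into a process the source did not create; the one worth chasing
    self            source and target are the same process"""
    if src_pid == dst_pid:
        return "self"
    src, dst = by_pid.get(src_pid), by_pid.get(dst_pid)
    if src is None or dst is None:
        return "unknown-pid"
    if dst.parent != src_pid:
        return "foreign-write"
    if is_native_rundll32(src) and is_wow64_rundll32(dst) and src.cmdline == dst.cmdline:
        return "wow64-relaunch"
    return "child-setup"


def crashed_pids(procs=PROCS) -> dict:
    """Map each WerFault.exe pid to the pid it reports on; two WerFault instances per crash is normal."""
    out = {}
    for p in procs:
        if p.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_P_RE.search(p.cmdline)
            if m:
                out[p.pid] = int(m.group(1))
    return out


def triage(procs=PROCS, wpm=WPM_EVENTS) -> dict:
    findings = {"rundll32_loads": [], "wpm": [], "sample_crashed": False}
    for p in procs:
        parsed = parse_rundll32(p.cmdline)
        if parsed:
            dll, entry = parsed
            findings["rundll32_loads"].append({
                "pid": p.pid, "dll": dll, "entry": entry,
                "ordinal": entry_is_ordinal(entry),
                "user_writable": dll_from_user_writable_path(dll)})
    findings["wpm"] = [classify_wpm(s, d) for s, d in wpm]
    sample_pids = {f["pid"] for f in findings["rundll32_loads"]}
    findings["sample_crashed"] = any(t in sample_pids for t in crashed_pids(procs).values())
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On this report the script labels all three writes as the WOW64 relaunch, records both rundll32 invocations as loading by ordinal (#1) from a user-writable temp path, and confirms that the pid WerFault reported on (3576) is the SysWOW64 rundll32 that actually loaded System.dll, so the "Program crash" signature describes the host process of the sample, not some third party. One caveat the report itself does not state: NSIS plugin exports expect the NSIS plugin calling convention (hwndParent, string_size, variables, stacktop), not the four-argument entry point rundll32 calls, so invoking `System.dll,#1` through rundll32 is not a valid way to exercise the plugin, and a crash there is what that mismatch would produce; treat it as an artefact of the harness rather than as a finding about the DLL.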