Overview
overview
8Static
static
32dd35c7ea7...18.exe
windows7-x64
32dd35c7ea7...18.exe
windows10-2004-x64
3$TEMP/PCOp...TD.exe
windows7-x64
7$TEMP/PCOp...TD.exe
windows10-2004-x64
7$PLUGINSDI...on.dll
windows7-x64
3$PLUGINSDI...on.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...RL.dll
windows7-x64
3$PLUGINSDI...RL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3PCOptProCtxMenu.dll
windows7-x64
3PCOptProCtxMenu.dll
windows10-2004-x64
3PCOptProTrays.exe
windows7-x64
3PCOptProTrays.exe
windows10-2004-x64
3PCOptimizerPro.exe
windows7-x64
7PCOptimizerPro.exe
windows10-2004-x64
7StartApps.exe
windows7-x64
3StartApps.exe
windows10-2004-x64
7UpdatesDll_s.dll
windows7-x64
8UpdatesDll_s.dll
windows10-2004-x64
8xmllite.dll
windows7-x64
3xmllite.dll
windows10-2004-x64
3$TEMP/PCOp...64.exe
windows7-x64
3$TEMP/PCOp...64.exe
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 08:21
Static task
static1
Behavioral task
behavioral1
Sample
2dd35c7ea76ee3b940fdcaebff7e3bc6_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
2dd35c7ea76ee3b940fdcaebff7e3bc6_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$TEMP/PCOptimizerProSetup_STD.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$TEMP/PCOptimizerProSetup_STD.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/GetVersion.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/NSISCallURL.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/NSISCallURL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
PCOptProCtxMenu.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
PCOptProCtxMenu.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
PCOptProTrays.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
PCOptProTrays.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
PCOptimizerPro.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
PCOptimizerPro.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
StartApps.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
StartApps.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
UpdatesDll_s.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral24
Sample
UpdatesDll_s.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
xmllite.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
xmllite.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$TEMP/PCOptimizerProSetup_STD64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
$TEMP/PCOptimizerProSetup_STD64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
PCOptProCtxMenu.dll
-
Size
568KB
-
MD5
0775125f37a1e0892cb2cb3bfee4c42f
-
SHA1
93ae71882a3219fad3d289eec6b75f7757c92579
-
SHA256
d68e56372d74257f2738ecc171105fd55b1016ab1d0368ac3ea32784137c9d7a
-
SHA512
1da2fb185489a9e335ed17e488e1999521960d62fa9f2297f4fd15961af9a92296211c07ff46362271ae71e208a018f3deed7a3e28b2201d04f7caaa9fe3266d
-
SSDEEP
12288:m4IDeNZtX4dPM02ZYG3g3NnHj2Oq9ou3QTXGejj+:3tX4dPRG3g3JHj2b3RQ+
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 34 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\ = "PCOptProCtxMenu 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\ = "PCProCtxMenu Class" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PCOptProCtxMenu.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PCProCtxMenu\ = "{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ = "IPCProCtxMenu" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib\ = "{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PCOptProCtxMenu.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib\ = "{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\ = "IPCProCtxMenu" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PCProCtxMenu regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{003B9C22-6FE0-4BCA-A73F-9AA99B9BBDAA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PCProCtxMenu regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2176 wrote to memory of 4060 2176 regsvr32.exe 84 PID 2176 wrote to memory of 4060 2176 regsvr32.exe 84 PID 2176 wrote to memory of 4060 2176 regsvr32.exe 84
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\PCOptProCtxMenu.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\PCOptProCtxMenu.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4060
-