b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85

General

Target

b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe
Size

1.1MB
MD5

e5488589919106b60b8a4badf805438c
SHA1

ed131462cf7eaf8356b0c7fc2e31e33f2bb5ac71
SHA256

b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85
SHA512

626cee4d3ff69752e081e1c611c08e9d42a90c71d93ac4f65d71686e0998fce631e6f7aa2ffeaef04d24a9272a9f4c8895d77621d2c8df201738c718af89a157
SSDEEP

24576:qUWqistjSuJatJ13EKVWkU3GVNu9AlpjCIsHrgk84YsgspHZSwKE:qUUtgaf13EKVWz3eNsgjCIOcPNspV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1860	coopen_setup_43049.exe

Loads dropped DLL 5 IoCs

pid	Process
1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe
1860	coopen_setup_43049.exe
1860	coopen_setup_43049.exe
1860	coopen_setup_43049.exe
1860	coopen_setup_43049.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a0000000122ce-55.dat	nsis_installer_1
behavioral1/files/0x000a0000000122ce-55.dat	nsis_installer_2
behavioral1/files/0x000a0000000122ce-57.dat	nsis_installer_1
behavioral1/files/0x000a0000000122ce-57.dat	nsis_installer_2
behavioral1/files/0x000a0000000122ce-60.dat	nsis_installer_1
behavioral1/files/0x000a0000000122ce-60.dat	nsis_installer_2
behavioral1/files/0x000a0000000122ce-59.dat	nsis_installer_1
behavioral1/files/0x000a0000000122ce-59.dat	nsis_installer_2
behavioral1/files/0x000a0000000122ce-62.dat	nsis_installer_1
behavioral1/files/0x000a0000000122ce-62.dat	nsis_installer_2
behavioral1/files/0x000a0000000122ce-61.dat	nsis_installer_1
behavioral1/files/0x000a0000000122ce-61.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1860	1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe	26
PID 1184 wrote to memory of 1860	1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe	26
PID 1184 wrote to memory of 1860	1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe	26
PID 1184 wrote to memory of 1860	1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe	26
PID 1184 wrote to memory of 1860	1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe	26
PID 1184 wrote to memory of 1860	1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe	26
PID 1184 wrote to memory of 1860	1184	b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe	26

C:\Users\Admin\AppData\Local\Temp\b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe
"C:\Users\Admin\AppData\Local\Temp\b094a8d35cbf93e47495300066d3b55fde7d45014664d0120a94f9f039123d85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe

Filesize
1.0MB

MD5
d5558232a8d4ff392a421e1a2d0a96d3

SHA1
529696177edb773d779f5558f612e22af7879b37

SHA256
78f19ac596a6f9cfcf28c4cf6632b7723a553b18179b8ca5d74293000f88d760

SHA512
5a6d643a08f50f799091dfe9c68220bfd2d1efdebc275058b5d26f58f1a16d5855437494fa4ca15c055b8077f4ee34bfd54843991bdda7e0e28c027b798ba1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe

Filesize
1.0MB

MD5
d5558232a8d4ff392a421e1a2d0a96d3

SHA1
529696177edb773d779f5558f612e22af7879b37

SHA256
78f19ac596a6f9cfcf28c4cf6632b7723a553b18179b8ca5d74293000f88d760

SHA512
5a6d643a08f50f799091dfe9c68220bfd2d1efdebc275058b5d26f58f1a16d5855437494fa4ca15c055b8077f4ee34bfd54843991bdda7e0e28c027b798ba1fb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe

Filesize
1.0MB

MD5
d5558232a8d4ff392a421e1a2d0a96d3

SHA1
529696177edb773d779f5558f612e22af7879b37

SHA256
78f19ac596a6f9cfcf28c4cf6632b7723a553b18179b8ca5d74293000f88d760

SHA512
5a6d643a08f50f799091dfe9c68220bfd2d1efdebc275058b5d26f58f1a16d5855437494fa4ca15c055b8077f4ee34bfd54843991bdda7e0e28c027b798ba1fb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe

Filesize
1.0MB

MD5
d5558232a8d4ff392a421e1a2d0a96d3

SHA1
529696177edb773d779f5558f612e22af7879b37

SHA256
78f19ac596a6f9cfcf28c4cf6632b7723a553b18179b8ca5d74293000f88d760

SHA512
5a6d643a08f50f799091dfe9c68220bfd2d1efdebc275058b5d26f58f1a16d5855437494fa4ca15c055b8077f4ee34bfd54843991bdda7e0e28c027b798ba1fb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe

Filesize
1.0MB

MD5
d5558232a8d4ff392a421e1a2d0a96d3

SHA1
529696177edb773d779f5558f612e22af7879b37

SHA256
78f19ac596a6f9cfcf28c4cf6632b7723a553b18179b8ca5d74293000f88d760

SHA512
5a6d643a08f50f799091dfe9c68220bfd2d1efdebc275058b5d26f58f1a16d5855437494fa4ca15c055b8077f4ee34bfd54843991bdda7e0e28c027b798ba1fb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\coopen_setup_43049.exe

Filesize
1.0MB

MD5
d5558232a8d4ff392a421e1a2d0a96d3

SHA1
529696177edb773d779f5558f612e22af7879b37

SHA256
78f19ac596a6f9cfcf28c4cf6632b7723a553b18179b8ca5d74293000f88d760

SHA512
5a6d643a08f50f799091dfe9c68220bfd2d1efdebc275058b5d26f58f1a16d5855437494fa4ca15c055b8077f4ee34bfd54843991bdda7e0e28c027b798ba1fb

Download Submit
\Users\Admin\AppData\Local\Temp\nso80E6.tmp\System.dll

Filesize
10KB

MD5
4fbb4a2cd711fc1fe84f3dc30c491dc9

SHA1
888e01ae6e64e7326f88df9a30587f699eab154a

SHA256
c3b05f4faf5e8903d5b4cb4a8ce4bbf2e8144725b98d8787d51c117b6efa9bc2

SHA512
92dcf99672a5935065df6492e27abb653679f1db6dcddfde87cd14260c94a870327826b23cc2f338381b3eb53d07c1a3867806f6ff94533db5195b895a856847

Download Submit
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing