e07fe9c9fe8f6064a2fb12c0f914974cc262b905985ce8cb1a00fdc0a6745464

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/coopen_setup_100030.exe
Size

1.0MB
MD5

749ee29ff4b3e34ee9c7b1fb8575a126
SHA1

3ec56a9167f4e9e0724f106c03513ed498f7ca70
SHA256

f241a7da464510479bda1b1314d70e32b8e907efa15f71dea183810502d27af7
SHA512

461410a6960063acd7294de760b161c73c0370a88f7198ecfe6169cdbe1ba809c4388940ebb154cd1e6cb628c0ef3615e83476ea4cc9fcf54991dea89227de67
SSDEEP

24576:l160aJVJgAyGBdOE+m3u84uQhzRsSFIpjaL8UzhIM39uyKkb2iDvPXLiU:l12ciwEd/4n5RsSyjalhP8PijPXLT

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Coopen²¥·ÅÆ÷.lnk	coopen_setup_100030.exe

Executes dropped EXE 2 IoCs

pid	Process
1252	Coopen.exe
2240	CoopenAir.exe

Loads dropped DLL 20 IoCs

pid	Process
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Coopen.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Coopen\Coopen.exe	coopen_setup_100030.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CoopenOldWallPaper.jpg	Coopen.exe
File opened for modification	C:\Windows\CoopenOldWallPaper.jpg	Coopen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coopen_setup_100030.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coopen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoopenAir.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop	coopen_setup_100030.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Users\\Public\\Coopen\\Coopen.scr"	coopen_setup_100030.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\CLSID\ = "{51D33728-411D-423D-B1C3-92717AB6970A}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ProgID	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Control	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\1\ = "131473"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ = "CoopenControl Class"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\Version = "1.0"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ThreadingModel = "Apartment"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\ = "CoopenActiveControl 1.0 Type Library"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CLSID\ = "{51D33728-411D-423D-B1C3-92717AB6970A}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ToolboxBitmap32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CurVer\ = "CoopenActiveControl.CoopenControl.1"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\VersionIndependentProgID	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\VersionIndependentProgID\ = "CoopenActiveControl.CoopenControl"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ = "_ICoopenControlEvents"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\FLAGS\ = "0"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\HELPDIR	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ = "ICoopenControl"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ = "ICoopenControl"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\CLSID	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Programmable	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\ = "0"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\1	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\TypeLib	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0\win32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\ = "CoopenControl Class"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CurVer	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\ = "CoopenControl Class"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CLSID	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Version	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\FLAGS	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ProgID\ = "CoopenActiveControl.CoopenControl.1"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\HELPDIR\ = "C:\\Users\\Public\\Coopen"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ = "_ICoopenControlEvents"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\Version = "1.0"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Insertable	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0\win32	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\Version = "1.0"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib	Coopen.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
3036	coopen_setup_100030.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe
2240	CoopenAir.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1252	Coopen.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe
1252	Coopen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	CoopenAir.exe
2240	CoopenAir.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1252	3036	coopen_setup_100030.exe	30
PID 3036 wrote to memory of 1252	3036	coopen_setup_100030.exe	30
PID 3036 wrote to memory of 1252	3036	coopen_setup_100030.exe	30
PID 3036 wrote to memory of 1252	3036	coopen_setup_100030.exe	30
PID 3036 wrote to memory of 1252	3036	coopen_setup_100030.exe	30
PID 3036 wrote to memory of 1252	3036	coopen_setup_100030.exe	30
PID 3036 wrote to memory of 1252	3036	coopen_setup_100030.exe	30
PID 1252 wrote to memory of 2240	1252	Coopen.exe	31
PID 1252 wrote to memory of 2240	1252	Coopen.exe	31
PID 1252 wrote to memory of 2240	1252	Coopen.exe	31
PID 1252 wrote to memory of 2240	1252	Coopen.exe	31
PID 1252 wrote to memory of 2240	1252	Coopen.exe	31
PID 1252 wrote to memory of 2240	1252	Coopen.exe	31
PID 1252 wrote to memory of 2240	1252	Coopen.exe	31

C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Coopen\Coopen.exe
  "C:\Program Files (x86)\Coopen\Coopen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Public\Coopen\CoopenAir.exe
    "C:\Users\Public\Coopen\CoopenAir.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Coopen\Coopen.exe

Filesize
89KB

MD5
78723c8e15f9bbe8aa1e9b6cab6ef556

SHA1
c028ea500d5c3db6993685125638ce2f8e9e722b

SHA256
20609e1fc26bed1dc7efdb9887f4c66162e37a5efc1df7fdc0741b0a6e9eb7ba

SHA512
0af5a854efff332c284537bd342a8d0943705f5a43d77ed274bba78a84b6f0e344443112d9a4291e6e7865910460213f24445418e6eac25c50ae42b0be77a19f

Download Submit
C:\Users\Public\Coopen\CoopenActiveControl112.dll

Filesize
62KB

MD5
4fc6860aa51bb2851b8cdb7e11ef06c0

SHA1
3cb9f685727e720d52d3205ba00a327105add4b5

SHA256
6e7b3436dda9615be85a9c3a199365f6f74f72f2fafd27ff17c0a169c205ae68

SHA512
592a1d3bf6606fbac30cfeda5e1069dd369087521bf74cb4e4b307ea9d844778015d984da6abc2f5b0b4e967d54ddf554b493bb1c991d35ecd1d64c4ef153e25

Download Submit
C:\Users\Public\Coopen\CoopenAir.exe

Filesize
237KB

MD5
6cd94fba79986ebec14c3beb37dd88f5

SHA1
d7a68fe23d4e57889790648615b0af300cbaa4f3

SHA256
9a60ac947beb6746c4c5b274ebc2ae3a8b012b4ce7cf8b580779d62c03920fbf

SHA512
b4331529f42e83d9169c68dca0d086c0ff3d59430dafe1124b7b25bd4b81473bb46d7930cb28cf3efa7a0cec9848150db72df26a2350652e75d9e2c5ebd56582

Download Submit
C:\Users\Public\Coopen\CoopenMainManager.dll

Filesize
864KB

MD5
c9db521bdbd95a61f7cb85d5ff289cac

SHA1
a6802145b2bf9770f1bdc65477f91d6837831b10

SHA256
12c7a69d792b5977ce02cfc48af5dbfa59f522f139f9d233c70ffb8c9dbe62db

SHA512
90ee7a69d2c925c281cfed998c19e12611689c6bf10b77f52a4badb95a904944c8dd2fc4fc04aa3025fd522c347c32ba39a763966ed2da9ed1c98914505d9a3e

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Background.png

Filesize
5KB

MD5
af3fc561248514b757b1e1ca3ed933ac

SHA1
6f65624a45a267ec0ff48f323be99b100f79db9f

SHA256
a441f330499453a3ecb20b7ac00f086dfae1fcf8c523cc4d2535c52723ce9a40

SHA512
05cd63672031d5469d735923ea26ec9b459cb07078af46d107e390906927999c8572b6d2c44383ab3419644b476131fae762ac8b8d08e1d113f2de8c00c915dc

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Channel.png

Filesize
2KB

MD5
4dd7916a2eadda37420721628143f823

SHA1
a00187f9fd16b59ac23272292363bfa6a1860630

SHA256
07a4013a51c36fa265ab621fe673c2e2c5dd1af480f51ecc54b7b2c919242477

SHA512
f8058f209a24eb99da466b866024e04bc627086976b9733493e5e67b10b6a0df3db9c5b3fb050f8f458d6656e72e00306bde2457b7e171907b684bf7262328b6

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Close.png

Filesize
1KB

MD5
3866af8e64c640812c954641ba87d8d7

SHA1
e602a7934f74d9d59ee8923ec37113041be54e79

SHA256
c2fff663bcdf180985f6b45fba7fd0e526ffd11d8b27eae6eb1eb302fd9cd767

SHA512
8afe1e59424759f1c336bcfc5229a14c626d4c92a173a64bd8354823411a7a9ad066d4e9a9e42820d73ca052b4a97009ac8b1356c339722742ef93384474f43d

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Commit.png

Filesize
3KB

MD5
dc09fdd540cbffd051bce8a3403212bd

SHA1
fdbfa319d99e426ec06d3401418221305220a7df

SHA256
6987ad414741684bde8472c1aa252cb0066311c01a1dd27a70b5a51c524551ff

SHA512
3f37e41d842b77f6704ba53b7f16d4ed747c69e8797d305451dc54b6519a88996be3d85c982cceca01675db0d6efa9c46be468b0516bfaba364413bd18f2ca5e

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Next.png

Filesize
3KB

MD5
2917cad3e39ac06e082780f167fa0f44

SHA1
df07535366f50c5a0b00205bbb868eae9623094d

SHA256
eb522f713ffdac54d5029243700ea142dfa0b1e4dc11a88257ac19148be6642d

SHA512
75baa151fce8ee5c7b4317a92822612d6dd0d5052b560252831e06a5de05ac7c01dc8700be2b6c72e9831e796951df3859689ed44377162662e51298f74172bc

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Pause.png

Filesize
2KB

MD5
faaaaf227d4eb429f8b69fc4e0e1b16c

SHA1
6816313798ef3ea247621bb440bcff3440c6c446

SHA256
eedc79110acc5dddcc4cc57c62961f141120359ed20a6c9de40a9f9e78476c2e

SHA512
94af7615b0b39fb9a969bc324a24b29bffa08bbf8907fbc897179fc3885ca3510b6c3ddcc06ecff880165c05cead9f681dade263d52cc1247472d13796e3be93

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Prev.png

Filesize
3KB

MD5
e74c72f68eb70580e2a1cbd4e78d571a

SHA1
1be39fff6e7988718233632aa2be59acce14a285

SHA256
ba0a735ccc5aaa30ecc0454f2d1465c0a313e7e45a1a7b8cfecf169944c6d351

SHA512
51259aed26144bf1ffbefea7421352606ae708093d7e5fea3f068718fe70a7840204944297fba225ee645244f4f41fc989d3244507ad931a5051f50a0ae0ff27

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Widget.png

Filesize
3KB

MD5
7381c99fabae123b943046adffb95ac8

SHA1
ce905f92de5db8eab537cba9015ceb4739d41b92

SHA256
b6b8d9f590e46d3f8ea11bd4ec578e6f12d45143af4554fd14cc9a13869c35e6

SHA512
2f9f2f73c615a6398ec1efb6190a8d89dc2a0933612ea3759033bbb1722767cd5c855d2c6e85b02a2b2b31c57464ea154db03f7f9e6c31b90610e670a0351624

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\MainIcon.png

Filesize
1KB

MD5
47ad98e1168aac8e6e58a0b20304391d

SHA1
3e153de12d65b417cb80c7d357c782453a6cbea0

SHA256
dccd8b4ab98dd10f226f450fe6d9626fd4be91679542f088a6bb2444d75eb70b

SHA512
c1cb2860c0edc2ca1ae15075c563f073a9bd3a6b7653439f05a99c0b2e8732cc8432d1a3ba2a43c2171e869e56928afd4b773c4c111eeca1d9fe8593895a9c93

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Progress.png

Filesize
1KB

MD5
a3c16f92de8cc28ef8c96df2e40f6ced

SHA1
4f1f8fedd6f93be9e06105e0723d5d441cd37762

SHA256
1879cd50d901d9be4a7f6dcfbb38ba98fb7ff6e4001798dae66415479eef8f9b

SHA512
78b89745d755101b59d6e89ba0c3c54e312d1145de8c9b2994042b69e7a49bd4755a50e96071728908352289fb0c2e10d6d9b9b78b55f00cf5222efad62c71ba

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\SkinClient.ini

Filesize
1KB

MD5
f1c1c686020403197cbebaee1d4097dd

SHA1
6f114e31b221aba01f60d839ceed1f057b939835

SHA256
2b84849d7be3dfc1d6ca56cfddfe1234fae14369bcec05fb1a200eb0dd676e0c

SHA512
c9894ca952fb99de4a042301ff136515ad97d0be798aa15e201401853d61c5344fd4a4201b986c200d0f27fb1bfd9ddbf0b35a848a0acce20665491b8416e4f5

Download Submit
C:\Users\Public\Coopen\Templete\Default.tpl

Filesize
141B

MD5
de31224a9c1c0f0c1e7fbffe02620ee7

SHA1
9b89c6ebbc3470f9d390278be1f9abc9d5aab2a2

SHA256
0897cb821974d1b47d882e37d99c1037097c2ceffa7a639a81d853d1f7f056cd

SHA512
53e5258871ecc99bfed109e7f576f9c5463923061674269720d7f78d1f28835531bf446d1ba32986728aa9ce026a7fd860942971dab36caa00a27897fe81515b

Download Submit
C:\Users\Public\Coopen\Templete\DefaultCoopenWallpaper.jpg

Filesize
75KB

MD5
3a1aef530244c5246688ada270ca479e

SHA1
49fb60b890a2ace02641d7d4774ada8c1abd356f

SHA256
f2df1c5aaf11b57af873a82237a08abfb685fe23371aafe73b7927da9075d711

SHA512
b8cd7b8ce830655d65ff366a0ee8af80b6ba8365a8a0bf2ea5c50a50630995a3a816eb6925be5599c94cddfb8ffd74ddde5f4854d4c5f2e54dc1775092d21c29

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
261B

MD5
d181759cae430432c70ded919fcffb56

SHA1
0a72d60baa90147a34f1f6ba17a8c3775eab2da4

SHA256
33b5600d00015b0e0b9a8a1135e1431bf1561bc87bcc54e2c4491981257048c5

SHA512
db24623677ed12b6896cc8a7bfc8b29cf9373f80b65817aea04d6fea9415321f3ebfa9fabae869584e46df1a16d040c8ab50c4f9d723ec910a09c897b92497a1

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
341B

MD5
5db7efe3a7e33e2afa0fe8f846e4ebba

SHA1
ace91a021ac988cf0e7aa53f8d66b9f3430da482

SHA256
7a86168e4d101fa11dd56a23459c6ad0b3f8ff52b1246153e50fdebd9c3b584f

SHA512
aa842c96ad931c04c7473cd0923c17a07d24ca98b776c19e58bf2e0ec139109d81e66071ad10ed6ed2fe96f99e70add13d4b4ffbe32df8c7bc89fdbb05c2ea94

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
384B

MD5
c85a806af010e152a0b2fe9e4a1fab54

SHA1
f9ca4c3f2218258563360344eac48441a766ad55

SHA256
01c9c8ba4f730d8596ff06ebd4250d30fc48f83064e0a886d89bd67c922256d6

SHA512
cec37224b3dad9f483a91a0ac37961a27f2d72b4ed5618e79b6ffc6b130e3acea252481adba69b99f9f186c4cde65bf1c105b19c2f18ff4a3a718cf35d52e83d

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
384B

MD5
beab51f4806792362b25ed879f453f92

SHA1
4f5f61da657fecfac2099e390f49b34a629495a0

SHA256
91c585fc8b84c8faef1889238c139a230fa73418831b767aa20fee20331a3b58

SHA512
c495a02a19ee58da070a3f5e573cdfea17789da3cbd9516d85a4f9c35bdd276e703178e962ff093316fcb1e97ad4c7f30aea3470f31d73f820c224034067631c

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
484B

MD5
823d9aa9a3ef8ddea17b8785aacbf6a7

SHA1
6b8a2a6149619c8e17764d406fdf25a73a916aac

SHA256
2a67b4fd05459a6317de744c5588bef902c0596ebbafd8ff4f9c456239159f64

SHA512
bc615659f83e7a9b893e7f2d6c367b2c9aa5c3d3d6aea7ec9b8b766c5cef06a59205bc89fe30d50e0432239e6e8a6b51ebc79b69883c1a0d08f450259d278f45

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
589B

MD5
b2c14bd1547f4eb05ad06e0e65dc3fb0

SHA1
febd0ca318a23b44d298a606dfbafb905846a8ff

SHA256
783af2802b3e571ef2d334f0e88ba6a971487dc2f87b7b4cdd12b405acd73f7a

SHA512
bccb2c79f040e922a3ece582aecabfa2b57f8487f4a1d5b009c449b7da3feed784a28560e49fc62d4f1a276bf5f3a5ea75847d028eef836e07804b10fe655684

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
589B

MD5
c8250df9278af0eca214cb9a2305f46f

SHA1
f20518eff76bd26937f6e4677e08071bd9307a4d

SHA256
52abab1e8617e6d39ee8134f29e7e24f46c2b948af2fc8a07bf8b601e4b0c921

SHA512
56d4e0fbccc43c7fc89346b96909d304ff5f4a98e084fd28f33b1931466f42ff93d2e37db128a0cf607225aa522da9cb69acdf21a1070c43970b9f76ada867ed

Download Submit
C:\Users\Public\Coopen\conf\All Users.ini

Filesize
39B

MD5
87fd7a8df180e5faf584fa4fbfc72820

SHA1
4282613de975685cb6637d2ed5e33c74e3b1f723

SHA256
13edf93888e37bb8e1be91c7a5f85d0b7f1378e14411cd5ea718dac861637e76

SHA512
57b7000741ee8f058916ceaacafa9246659b91a85e734f68e9301ace215df220b157688b9f7db64df0c27094df833045b4fb415644f8f553180eba74560e4624

Download Submit
C:\Users\Public\Coopen\conf\ChannelListReal.txt

Filesize
370B

MD5
429c106d3337f9e4a606f663e8e92bb9

SHA1
e7d11f453d9a8eeb2bd67c97723956d63714d57e

SHA256
78ea53fb5305c65f7e78f1a331f60f09ef0ee8f3f54d47f202ce4c84dec62ddc

SHA512
69be1e8fb5eabf24522325a9c44f1e59f4fa8c1c40ad109f0bdc8535487b6025e2dd5a6238dfd75e7cb70f0d02bd0c8209232fe709108a4e5091be221766b761

Download Submit
C:\Users\Public\Coopen\conf\PluginConfig.ini

Filesize
1KB

MD5
b014fb16163eef37a63cc64666ad38fe

SHA1
bc82851345ca917099b16ae8bc1e36f6e5e7aa9d

SHA256
9ebdbd1c545613e06bff2dfbbe96f8acfe6c0b9488812e3f0e5930af0268b230

SHA512
da4fcc350267ae738ac68efffadbceb1a7405a2e3e2b134d56ecf1a50cbcbd1999807e879010dfe884b5e13bd60caba1bdea73190f7bb4ee3e333df21e3a33e8

Download Submit
C:\Users\Public\Coopen\image\Wallpaper\coopen wallpaper\109785\PicList.ini

Filesize
24B

MD5
0cc02f833ad4bb8b01765646fa882b71

SHA1
b7938ee092b156c8b4d95ffaffceecd1cd6e1090

SHA256
592422227a3d5ec17244d6281e822f5ab69f7c3b7f2d8ea82ab3ec0aa26dddfa

SHA512
3108dd6959dbc9d55575d7bc108c56973ef3e27dadb9896dd4ccad5ea23043ddf00188d9f074e962f95c5d9f065316e303930b5ef76eb03cc6543b2a01420d86

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB3A8.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB3A8.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1252-167-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/3036-15-0x00000000005C0000-0x00000000005C3000-memory.dmp

Filesize
12KB

Download
memory/3036-122-0x00000000005E0000-0x00000000005E3000-memory.dmp

Filesize
12KB

Download
memory/3036-30-0x00000000005C0000-0x00000000005C3000-memory.dmp

Filesize
12KB

Download
memory/3036-157-0x00000000005C0000-0x00000000005C3000-memory.dmp

Filesize
12KB

Download
memory/3036-10-0x00000000005C0000-0x00000000005C3000-memory.dmp

Filesize
12KB

Download
memory/3036-21-0x00000000005C0000-0x00000000005C3000-memory.dmp

Filesize
12KB

Download