Analysis

  • max time kernel
    142s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/10/2024, 22:52

General

  • Target: $TEMP/coopen_setup_100030.exe
  • Size: 1.0MB
  • MD5: 749ee29ff4b3e34ee9c7b1fb8575a126
  • SHA1: 3ec56a9167f4e9e0724f106c03513ed498f7ca70
  • SHA256: f241a7da464510479bda1b1314d70e32b8e907efa15f71dea183810502d27af7
  • SHA512: 461410a6960063acd7294de760b161c73c0370a88f7198ecfe6169cdbe1ba809c4388940ebb154cd1e6cb628c0ef3615e83476ea4cc9fcf54991dea89227de67
  • SSDEEP: 24576:l160aJVJgAyGBdOE+m3u84uQhzRsSFIpjaL8UzhIM39uyKkb2iDvPXLiU:l12ciwEd/4n5RsSyjalhP8PijPXLT

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 15 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Program Files (x86)\Coopen\Coopen.exe
      "C:\Program Files (x86)\Coopen\Coopen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2472

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Coopen\Coopen.exe
          Filesize: 89KB
          MD5: 78723c8e15f9bbe8aa1e9b6cab6ef556
          SHA1: c028ea500d5c3db6993685125638ce2f8e9e722b
          SHA256: 20609e1fc26bed1dc7efdb9887f4c66162e37a5efc1df7fdc0741b0a6e9eb7ba
          SHA512: 0af5a854efff332c284537bd342a8d0943705f5a43d77ed274bba78a84b6f0e344443112d9a4291e6e7865910460213f24445418e6eac25c50ae42b0be77a19f

        • C:\Program Files (x86)\Coopen\conf\Admin.ini
          Filesize: 275B
          MD5: 45615761fcdc2306e492801f6e5572eb
          SHA1: 1537e9241fabe9570c271c3e223ca26bcebd6ecf
          SHA256: 7b85376e33ade41a59d93312938703c1a5f78cc40cd57637fa2f668ab269fdb1
          SHA512: 4a2f2fbb10d58be90ce3e293d44f62054eb376e2056285cc6bf823d537c91b6478bb63213d7a8facf1db25c3c75010eed4756723c2ecdec7af4bea5a59efd30c

        • C:\Program Files (x86)\Coopen\image\Photo\local Photo\ModeBList.ini
          Filesize: 221B
          MD5: be5d6be6c04055fa7bdf6f4bd116ada0
          SHA1: 3c775702a7c5796bda82ef931c749ed1acc63764
          SHA256: 38f4b305820feae6925d9fb63545409ff258c265fb68cb2d9431659ce0d6a7a7
          SHA512: 09f241dbe45dff0ff10bdf383ebb9bf98b6f3ca5e1cd8fcbe902d4051dd8170ee5109dbba4c824de38187219fcd8a0b9e16fcea03f9baa0b60a9e4fd495639d2

        • C:\Users\Admin\AppData\Local\Temp\nscD7D4.tmp\KillProcDLL.dll
          Filesize: 4KB
          MD5: 99f345cf51b6c3c317d20a81acb11012
          SHA1: b3d0355f527c536ea14a8ff51741c8739d66f727
          SHA256: c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93
          SHA512: 937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

        • C:\Users\Admin\AppData\Local\Temp\nscD7D4.tmp\System.dll
          Filesize: 11KB
          MD5: c17103ae9072a06da581dec998343fc1
          SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
          SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
          SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • memory/2216-15-0x0000000002171000-0x0000000002172000-memory.dmp
          Filesize: 4KB

        • memory/2216-14-0x0000000002170000-0x0000000002173000-memory.dmp
          Filesize: 12KB

        • memory/2216-21-0x0000000002170000-0x0000000002173000-memory.dmp
          Filesize: 12KB

        • memory/2216-48-0x0000000002171000-0x0000000002172000-memory.dmp
          Filesize: 4KB

        • memory/2216-46-0x0000000002170000-0x0000000002173000-memory.dmp
          Filesize: 12KB

        • memory/2216-138-0x0000000002170000-0x0000000002173000-memory.dmp
          Filesize: 12KB

        • memory/2216-137-0x0000000002170000-0x0000000002173000-memory.dmp
          Filesize: 12KB