Malware Analysis Report

2025-08-06 01:38

Sample ID 241016-2tness1djr
Target 4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118
SHA256 ab5a65a1da1535fb7e6b8e40c5dafe07f4d643b596ac8e7d8e3913284fe14c5f
Tags
discovery upx bootkit persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery upx bootkit persistence

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Drops startup file

Writes to the Master Boot Record (MBR)

Checks installed software on the system

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

NSIS installer

Modifies Control Panel

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 22:52

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20241010-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 4820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 4784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 644

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 236

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nseF402.tmp\nsDialogs.dll

MD5 c6284e23cd7e4d11db8298deb4541083
SHA1 e338686c7579620383ab8cc5a51bbb8d846f60cf
SHA256 79914940cbbf70a385f13a9970a9d577d7a7e07d240fe44563b45a472cd4bc3f
SHA512 72103e470d770fb402a18e975ff339526a3e4c9aeb8fac1b0977995a6eace0eca965b1915404df9b5a25b59628db1b199d2b9b10372841309c137054356a5cd7

\Users\Admin\AppData\Local\Temp\nseF402.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240729-en

Max time kernel

93s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsRandom.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsRandom.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsRandom.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 228

Network

N/A

Files

memory/1732-1-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1732-3-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1732-2-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1732-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1732-4-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2796 -ip 2796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 600

Network

Country Destination Domain Proto

Files

memory/2796-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2796-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f74a217a219fd21c416dc9ad94a820b_JaffaCakes118.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsnB3D1.tmp\nsDialogs.dll

MD5 c6284e23cd7e4d11db8298deb4541083
SHA1 e338686c7579620383ab8cc5a51bbb8d846f60cf
SHA256 79914940cbbf70a385f13a9970a9d577d7a7e07d240fe44563b45a472cd4bc3f
SHA512 72103e470d770fb402a18e975ff339526a3e4c9aeb8fac1b0977995a6eace0eca965b1915404df9b5a25b59628db1b199d2b9b10372841309c137054356a5cd7

C:\Users\Admin\AppData\Local\Temp\nsnB3D1.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe

"C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe

"C:\Users\Admin\AppData\Local\Temp\$_10_\$_10_\HttpDownloader.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MakeDll.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4156 wrote to memory of 1176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MakeDll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MakeDll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1176 -ip 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 648

Network

Country Destination Domain Proto

Files

memory/1176-0-0x0000000000400000-0x0000000000469000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20241010-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 228

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsRandom.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3960 wrote to memory of 3984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsRandom.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsRandom.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3984 -ip 3984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 628

Network

Country Destination Domain Proto

Files

memory/3984-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3984-1-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20241010-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Coopen播放器.lnk C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Coopen\Coopen.exe N/A
N/A N/A C:\Users\Public\Coopen\CoopenAir.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Coopen\Coopen.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Coopen\Coopen.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CoopenOldWallPaper.jpg C:\Program Files (x86)\Coopen\Coopen.exe N/A
File opened for modification C:\Windows\CoopenOldWallPaper.jpg C:\Program Files (x86)\Coopen\Coopen.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Coopen\CoopenAir.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Users\\Public\\Coopen\\Coopen.scr" C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ = "ICoopenControl" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\Version = "1.0" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\VersionIndependentProgID C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Programmable C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\ = "0" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ = "_ICoopenControlEvents" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Control C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\FLAGS\ = "0" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0\win32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\CLSID\ = "{51D33728-411D-423D-B1C3-92717AB6970A}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ = "CoopenControl Class" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ProgID C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\HELPDIR\ = "C:\\Users\\Public\\Coopen" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ = "_ICoopenControlEvents" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ = "ICoopenControl" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\Version = "1.0" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CurVer C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA} C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\CLSID C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\VersionIndependentProgID\ = "CoopenActiveControl.CoopenControl" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7} C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0\win32 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CurVer\ = "CoopenActiveControl.CoopenControl.1" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\ = "CoopenActiveControl 1.0 Type Library" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\HELPDIR C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\Version = "1.0" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\ = "CoopenControl Class" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A} C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\1\ = "131473" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\Version = "1.0" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Insertable C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\TypeLib C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\ = "CoopenControl Class" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CLSID\ = "{51D33728-411D-423D-B1C3-92717AB6970A}" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ProgID\ = "CoopenActiveControl.CoopenControl.1" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Version C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CLSID C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ToolboxBitmap32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll, 101" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\1 C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F} C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Version\ = "1.0" C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\FLAGS C:\Program Files (x86)\Coopen\Coopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F} C:\Program Files (x86)\Coopen\Coopen.exe N/A
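The two registry tables above record two things worth more than a generic "modifies registry" label: the installer points the per-user SCRNSAVE.EXE value at C:\Users\Public\Coopen\Coopen.scr (screensaver hijack, ATT&CK T1546.002), and Coopen.exe registers an ActiveX control under HKLM\SOFTWARE\Classes whose InprocServer32, TypeLib win32 and ToolboxBitmap32 paths all sit in C:\Users\Public\Coopen, a directory that standard users can write to by default, so any local user can replace the DLL that every COM host instantiating that CLSID will load. The following Python is an added example written for this report, not code from the report, the sandbox or the Coopen software: it parses rows in the report's own row layout and flags both conditions. The sample rows are copied from the tables above; the user-writable directory markers and the "screensaver must live under C:\Windows" rule are assumptions to tune per environment.

```python
import re

# One registry-event row in the report's own layout:
#   <op> <key path> [= "<value>"] <process path> <target>
EVENT_RE = re.compile(
    r'^(?P<op>Set value \([a-z]+\)|Key created|Key opened)\s+'
    r'(?P<key>.+?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\.+?)'
    r'\s+(?P<target>N/A|[A-Za-z]:\\.+)$'
)

# Registry value names whose data is a module path that COM/OLE hosts will load.
LOADABLE_VALUES = {"inprocserver32", "localserver32", "win32", "toolboxbitmap32"}

# Directory markers that standard users can write to under default ACLs.
# Assumed list: extend for the environment being audited.
USER_WRITABLE_MARKERS = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")

# Constructed sample: rows copied from the report tables above.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Users\\Public\\Coopen\\Coopen.scr" C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll" C:\Program Files (x86)\Coopen\Coopen.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Coopen\Coopen.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0\win32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll" C:\Program Files (x86)\Coopen\Coopen.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ToolboxBitmap32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl112.dll, 101" C:\Program Files (x86)\Coopen\Coopen.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Coopen\Coopen.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Coopen\CoopenAir.exe N/A',
]


def parse_event(line):
    """Return the row's fields as a dict, or None if the line is not a registry event row."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["value"] is not None:
        ev["value"] = ev["value"].replace("\\\\", "\\")  # undo the report's backslash escaping
    return ev


def module_path(value):
    """Strip the ', <resource id>' suffix used by ToolboxBitmap32 and any surrounding quotes."""
    return value.split(",")[0].strip().strip('"')


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def audit(lines):
    """Flag screensaver hijacks and COM servers registered from user-writable paths."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["value"] is None:
            continue
        key = ev["key"].rstrip("\\")             # trailing '\' in the report marks the (Default) value
        leaf = key.rsplit("\\", 1)[-1].lower()
        path = module_path(ev["value"])
        # Assumption: a legitimate screensaver lives under the Windows directory.
        if leaf == "scrnsave.exe" and not path.lower().startswith("c:\\windows\\"):
            findings.append({"rule": "screensaver-hijack", "key": key,
                             "path": path, "process": ev["proc"]})
        # InprocServer32 / LocalServer32 / TypeLib win32 / ToolboxBitmap32 pointing into
        # a user-writable directory: any local user can swap the module COM will load.
        elif leaf in LOADABLE_VALUES and is_user_writable(path):
            findings.append({"rule": "com-server-user-writable", "key": key,
                             "path": path, "process": ev["proc"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f['rule']:26} {f['path']}  (set by {f['process']})")
```

Run it over the full registry table of a report; rows the regex does not recognise (file or process events) are skipped rather than mis-parsed, and the leaf-name match on `win32` should be narrowed to TypeLib keys if the audited hive registers other values of that name.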

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A (14 identical rows collapsed)
N/A N/A C:\Users\Public\Coopen\CoopenAir.exe N/A (50 identical rows collapsed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Coopen\Coopen.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\Coopen\CoopenAir.exe N/A (2 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe C:\Program Files (x86)\Coopen\Coopen.exe (7 identical rows collapsed)
PID 740 wrote to memory of 756 N/A C:\Program Files (x86)\Coopen\Coopen.exe C:\Users\Public\Coopen\CoopenAir.exe (7 identical rows collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe"

C:\Program Files (x86)\Coopen\Coopen.exe

"C:\Program Files (x86)\Coopen\Coopen.exe"

C:\Users\Public\Coopen\CoopenAir.exe

"C:\Users\Public\Coopen\CoopenAir.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 conf.coopen.cn udp
US 8.8.8.8:53 piclist.conf.coopen.cn udp

Files

\Users\Admin\AppData\Local\Temp\nsjF24D.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsjF24D.tmp\KillProcDLL.dll

MD5 99f345cf51b6c3c317d20a81acb11012
SHA1 b3d0355f527c536ea14a8ff51741c8739d66f727
SHA256 c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93
SHA512 937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

memory/1116-36-0x00000000003D0000-0x00000000003D3000-memory.dmp

memory/1116-31-0x00000000003D0000-0x00000000003D3000-memory.dmp

memory/1116-30-0x00000000003D0000-0x00000000003D3000-memory.dmp

memory/1116-28-0x00000000003D0000-0x00000000003D3000-memory.dmp

memory/1116-26-0x00000000003D0000-0x00000000003D3000-memory.dmp

memory/1116-23-0x00000000003D0000-0x00000000003D3000-memory.dmp

C:\Users\Public\Coopen\image\Wallpaper\local wallpaper\ModeAList.ini

MD5 1af26ad01b866361f3a3df509e9d3521
SHA1 6790d7dbcef59935971fc5865403e2ebd2e3fd12
SHA256 174ff2cbe7714a9d7d3511c677eb50163d9ca1bfd3a555a093152163ef3936a2
SHA512 c4170c8836d25a1b8d38d1a6dc55f65562dcba663d4d8a517023653dba7e3434e5683a5cac59bd499408240185bd338c097f99baacd95313ac3a55af76185520

C:\Users\Public\Coopen\image\Wallpaper\coopen wallpaper\PicList.ini

MD5 f414304a708ada6cd0fafb824eb360b2
SHA1 bc08189efd786a2be252c3d911f04600fc19e0b3
SHA256 2924edad8b462a47255e05d8558743e8404f1284c2f0ad995533282fce8561fc
SHA512 8354bcb32f499b7971cdfc5fdaaf897a7df4cbcf2fbcf52f791a11ea9083f1d817115642f28f996d39d1ac44efd9255cffe02ab54e14d2a8d366586017716caf

C:\Users\Public\Coopen\image\Photo\local Photo\ModeBList.ini

MD5 16ae315b66e839d1c401c96d7900131b
SHA1 00f174199d70f1365c9d44a4d1548519c249ce5b
SHA256 94964743d23c319b9c44f923fccca3df8d8f8f0dd9a5ef8ec2940c383c9d4668
SHA512 614ed03c15897d9ad9efcd6a41f1be1e86f130f48cdaa3a211fac0b00e949c4adc3539737c71f83fc208057ffd2e50a7c2b39d5679031f32a3a0e8a83eb61e46

C:\Users\Public\Coopen\conf\Admin.ini

MD5 d181759cae430432c70ded919fcffb56
SHA1 0a72d60baa90147a34f1f6ba17a8c3775eab2da4
SHA256 33b5600d00015b0e0b9a8a1135e1431bf1561bc87bcc54e2c4491981257048c5
SHA512 db24623677ed12b6896cc8a7bfc8b29cf9373f80b65817aea04d6fea9415321f3ebfa9fabae869584e46df1a16d040c8ab50c4f9d723ec910a09c897b92497a1

C:\Program Files (x86)\Coopen\Coopen.exe

MD5 78723c8e15f9bbe8aa1e9b6cab6ef556
SHA1 c028ea500d5c3db6993685125638ce2f8e9e722b
SHA256 20609e1fc26bed1dc7efdb9887f4c66162e37a5efc1df7fdc0741b0a6e9eb7ba
SHA512 0af5a854efff332c284537bd342a8d0943705f5a43d77ed274bba78a84b6f0e344443112d9a4291e6e7865910460213f24445418e6eac25c50ae42b0be77a19f

memory/1116-158-0x00000000003D0000-0x00000000003D3000-memory.dmp

C:\Users\Public\Coopen\CoopenMainManager.dll

MD5 c9db521bdbd95a61f7cb85d5ff289cac
SHA1 a6802145b2bf9770f1bdc65477f91d6837831b10
SHA256 12c7a69d792b5977ce02cfc48af5dbfa59f522f139f9d233c70ffb8c9dbe62db
SHA512 90ee7a69d2c925c281cfed998c19e12611689c6bf10b77f52a4badb95a904944c8dd2fc4fc04aa3025fd522c347c32ba39a763966ed2da9ed1c98914505d9a3e

C:\Users\Public\Coopen\conf\All Users.ini

MD5 87fd7a8df180e5faf584fa4fbfc72820
SHA1 4282613de975685cb6637d2ed5e33c74e3b1f723
SHA256 13edf93888e37bb8e1be91c7a5f85d0b7f1378e14411cd5ea718dac861637e76
SHA512 57b7000741ee8f058916ceaacafa9246659b91a85e734f68e9301ace215df220b157688b9f7db64df0c27094df833045b4fb415644f8f553180eba74560e4624

C:\Users\Public\Coopen\CoopenActiveControl112.dll

MD5 4fc6860aa51bb2851b8cdb7e11ef06c0
SHA1 3cb9f685727e720d52d3205ba00a327105add4b5
SHA256 6e7b3436dda9615be85a9c3a199365f6f74f72f2fafd27ff17c0a169c205ae68
SHA512 592a1d3bf6606fbac30cfeda5e1069dd369087521bf74cb4e4b307ea9d844778015d984da6abc2f5b0b4e967d54ddf554b493bb1c991d35ecd1d64c4ef153e25

memory/740-168-0x0000000000250000-0x000000000025E000-memory.dmp

C:\Users\Public\Coopen\conf\Admin.ini

MD5 5db7efe3a7e33e2afa0fe8f846e4ebba
SHA1 ace91a021ac988cf0e7aa53f8d66b9f3430da482
SHA256 7a86168e4d101fa11dd56a23459c6ad0b3f8ff52b1246153e50fdebd9c3b584f
SHA512 aa842c96ad931c04c7473cd0923c17a07d24ca98b776c19e58bf2e0ec139109d81e66071ad10ed6ed2fe96f99e70add13d4b4ffbe32df8c7bc89fdbb05c2ea94

C:\Users\Public\Coopen\Resource\SkinFormal\SkinClient.ini

MD5 f1c1c686020403197cbebaee1d4097dd
SHA1 6f114e31b221aba01f60d839ceed1f057b939835
SHA256 2b84849d7be3dfc1d6ca56cfddfe1234fae14369bcec05fb1a200eb0dd676e0c
SHA512 c9894ca952fb99de4a042301ff136515ad97d0be798aa15e201401853d61c5344fd4a4201b986c200d0f27fb1bfd9ddbf0b35a848a0acce20665491b8416e4f5

C:\Users\Public\Coopen\Resource\SkinFormal\Background.png

MD5 af3fc561248514b757b1e1ca3ed933ac
SHA1 6f65624a45a267ec0ff48f323be99b100f79db9f
SHA256 a441f330499453a3ecb20b7ac00f086dfae1fcf8c523cc4d2535c52723ce9a40
SHA512 05cd63672031d5469d735923ea26ec9b459cb07078af46d107e390906927999c8572b6d2c44383ab3419644b476131fae762ac8b8d08e1d113f2de8c00c915dc

C:\Users\Public\Coopen\Resource\SkinFormal\Progress.png

MD5 a3c16f92de8cc28ef8c96df2e40f6ced
SHA1 4f1f8fedd6f93be9e06105e0723d5d441cd37762
SHA256 1879cd50d901d9be4a7f6dcfbb38ba98fb7ff6e4001798dae66415479eef8f9b
SHA512 78b89745d755101b59d6e89ba0c3c54e312d1145de8c9b2994042b69e7a49bd4755a50e96071728908352289fb0c2e10d6d9b9b78b55f00cf5222efad62c71ba

C:\Users\Public\Coopen\Resource\SkinFormal\MainIcon.png

MD5 47ad98e1168aac8e6e58a0b20304391d
SHA1 3e153de12d65b417cb80c7d357c782453a6cbea0
SHA256 dccd8b4ab98dd10f226f450fe6d9626fd4be91679542f088a6bb2444d75eb70b
SHA512 c1cb2860c0edc2ca1ae15075c563f073a9bd3a6b7653439f05a99c0b2e8732cc8432d1a3ba2a43c2171e869e56928afd4b773c4c111eeca1d9fe8593895a9c93

C:\Users\Public\Coopen\Resource\SkinFormal\Button_Close.png

MD5 3866af8e64c640812c954641ba87d8d7
SHA1 e602a7934f74d9d59ee8923ec37113041be54e79
SHA256 c2fff663bcdf180985f6b45fba7fd0e526ffd11d8b27eae6eb1eb302fd9cd767
SHA512 8afe1e59424759f1c336bcfc5229a14c626d4c92a173a64bd8354823411a7a9ad066d4e9a9e42820d73ca052b4a97009ac8b1356c339722742ef93384474f43d

C:\Users\Public\Coopen\Resource\SkinFormal\Button_Widget.png

MD5 7381c99fabae123b943046adffb95ac8
SHA1 ce905f92de5db8eab537cba9015ceb4739d41b92
SHA256 b6b8d9f590e46d3f8ea11bd4ec578e6f12d45143af4554fd14cc9a13869c35e6
SHA512 2f9f2f73c615a6398ec1efb6190a8d89dc2a0933612ea3759033bbb1722767cd5c855d2c6e85b02a2b2b31c57464ea154db03f7f9e6c31b90610e670a0351624

C:\Users\Public\Coopen\Resource\SkinFormal\Button_Commit.png

MD5 dc09fdd540cbffd051bce8a3403212bd
SHA1 fdbfa319d99e426ec06d3401418221305220a7df
SHA256 6987ad414741684bde8472c1aa252cb0066311c01a1dd27a70b5a51c524551ff
SHA512 3f37e41d842b77f6704ba53b7f16d4ed747c69e8797d305451dc54b6519a88996be3d85c982cceca01675db0d6efa9c46be468b0516bfaba364413bd18f2ca5e

C:\Users\Public\Coopen\Resource\SkinFormal\Button_Next.png

MD5 2917cad3e39ac06e082780f167fa0f44
SHA1 df07535366f50c5a0b00205bbb868eae9623094d
SHA256 eb522f713ffdac54d5029243700ea142dfa0b1e4dc11a88257ac19148be6642d
SHA512 75baa151fce8ee5c7b4317a92822612d6dd0d5052b560252831e06a5de05ac7c01dc8700be2b6c72e9831e796951df3859689ed44377162662e51298f74172bc

C:\Users\Public\Coopen\Resource\SkinFormal\Button_Pause.png

MD5 faaaaf227d4eb429f8b69fc4e0e1b16c
SHA1 6816313798ef3ea247621bb440bcff3440c6c446
SHA256 eedc79110acc5dddcc4cc57c62961f141120359ed20a6c9de40a9f9e78476c2e
SHA512 94af7615b0b39fb9a969bc324a24b29bffa08bbf8907fbc897179fc3885ca3510b6c3ddcc06ecff880165c05cead9f681dade263d52cc1247472d13796e3be93

C:\Users\Public\Coopen\Resource\SkinFormal\Button_Prev.png

MD5 e74c72f68eb70580e2a1cbd4e78d571a
SHA1 1be39fff6e7988718233632aa2be59acce14a285
SHA256 ba0a735ccc5aaa30ecc0454f2d1465c0a313e7e45a1a7b8cfecf169944c6d351
SHA512 51259aed26144bf1ffbefea7421352606ae708093d7e5fea3f068718fe70a7840204944297fba225ee645244f4f41fc989d3244507ad931a5051f50a0ae0ff27

C:\Users\Public\Coopen\Resource\SkinFormal\Button_Channel.png

MD5 4dd7916a2eadda37420721628143f823
SHA1 a00187f9fd16b59ac23272292363bfa6a1860630
SHA256 07a4013a51c36fa265ab621fe673c2e2c5dd1af480f51ecc54b7b2c919242477
SHA512 f8058f209a24eb99da466b866024e04bc627086976b9733493e5e67b10b6a0df3db9c5b3fb050f8f458d6656e72e00306bde2457b7e171907b684bf7262328b6

C:\Users\Public\Coopen\conf\Admin.ini

MD5 beab51f4806792362b25ed879f453f92
SHA1 4f5f61da657fecfac2099e390f49b34a629495a0
SHA256 91c585fc8b84c8faef1889238c139a230fa73418831b767aa20fee20331a3b58
SHA512 c495a02a19ee58da070a3f5e573cdfea17789da3cbd9516d85a4f9c35bdd276e703178e962ff093316fcb1e97ad4c7f30aea3470f31d73f820c224034067631c

C:\Users\Public\Coopen\CoopenAir.exe

MD5 6cd94fba79986ebec14c3beb37dd88f5
SHA1 d7a68fe23d4e57889790648615b0af300cbaa4f3
SHA256 9a60ac947beb6746c4c5b274ebc2ae3a8b012b4ce7cf8b580779d62c03920fbf
SHA512 b4331529f42e83d9169c68dca0d086c0ff3d59430dafe1124b7b25bd4b81473bb46d7930cb28cf3efa7a0cec9848150db72df26a2350652e75d9e2c5ebd56582

C:\Users\Public\Coopen\conf\PluginConfig.ini

MD5 b014fb16163eef37a63cc64666ad38fe
SHA1 bc82851345ca917099b16ae8bc1e36f6e5e7aa9d
SHA256 9ebdbd1c545613e06bff2dfbbe96f8acfe6c0b9488812e3f0e5930af0268b230
SHA512 da4fcc350267ae738ac68efffadbceb1a7405a2e3e2b134d56ecf1a50cbcbd1999807e879010dfe884b5e13bd60caba1bdea73190f7bb4ee3e333df21e3a33e8

C:\Users\Public\Coopen\conf\Admin.ini

MD5 823d9aa9a3ef8ddea17b8785aacbf6a7
SHA1 6b8a2a6149619c8e17764d406fdf25a73a916aac
SHA256 2a67b4fd05459a6317de744c5588bef902c0596ebbafd8ff4f9c456239159f64
SHA512 bc615659f83e7a9b893e7f2d6c367b2c9aa5c3d3d6aea7ec9b8b766c5cef06a59205bc89fe30d50e0432239e6e8a6b51ebc79b69883c1a0d08f450259d278f45

C:\Users\Public\Coopen\conf\ChannelListReal.txt

MD5 429c106d3337f9e4a606f663e8e92bb9
SHA1 e7d11f453d9a8eeb2bd67c97723956d63714d57e
SHA256 78ea53fb5305c65f7e78f1a331f60f09ef0ee8f3f54d47f202ce4c84dec62ddc
SHA512 69be1e8fb5eabf24522325a9c44f1e59f4fa8c1c40ad109f0bdc8535487b6025e2dd5a6238dfd75e7cb70f0d02bd0c8209232fe709108a4e5091be221766b761

C:\Users\Public\Coopen\conf\Admin.ini

MD5 b2c14bd1547f4eb05ad06e0e65dc3fb0
SHA1 febd0ca318a23b44d298a606dfbafb905846a8ff
SHA256 783af2802b3e571ef2d334f0e88ba6a971487dc2f87b7b4cdd12b405acd73f7a
SHA512 bccb2c79f040e922a3ece582aecabfa2b57f8487f4a1d5b009c449b7da3feed784a28560e49fc62d4f1a276bf5f3a5ea75847d028eef836e07804b10fe655684

C:\Users\Public\Coopen\Templete\Default.tpl

MD5 de31224a9c1c0f0c1e7fbffe02620ee7
SHA1 9b89c6ebbc3470f9d390278be1f9abc9d5aab2a2
SHA256 0897cb821974d1b47d882e37d99c1037097c2ceffa7a639a81d853d1f7f056cd
SHA512 53e5258871ecc99bfed109e7f576f9c5463923061674269720d7f78d1f28835531bf446d1ba32986728aa9ce026a7fd860942971dab36caa00a27897fe81515b

C:\Users\Public\Coopen\Templete\DefaultCoopenWallpaper.jpg

MD5 3a1aef530244c5246688ada270ca479e
SHA1 49fb60b890a2ace02641d7d4774ada8c1abd356f
SHA256 f2df1c5aaf11b57af873a82237a08abfb685fe23371aafe73b7927da9075d711
SHA512 b8cd7b8ce830655d65ff366a0ee8af80b6ba8365a8a0bf2ea5c50a50630995a3a816eb6925be5599c94cddfb8ffd74ddde5f4854d4c5f2e54dc1775092d21c29

C:\Users\Public\Coopen\conf\Admin.ini

MD5 c8250df9278af0eca214cb9a2305f46f
SHA1 f20518eff76bd26937f6e4677e08071bd9307a4d
SHA256 52abab1e8617e6d39ee8134f29e7e24f46c2b948af2fc8a07bf8b601e4b0c921
SHA512 56d4e0fbccc43c7fc89346b96909d304ff5f4a98e084fd28f33b1931466f42ff93d2e37db128a0cf607225aa522da9cb69acdf21a1070c43970b9f76ada867ed

C:\Users\Public\Coopen\image\Wallpaper\coopen wallpaper\109785\PicList.ini

MD5 0cc02f833ad4bb8b01765646fa882b71
SHA1 b7938ee092b156c8b4d95ffaffceecd1cd6e1090
SHA256 592422227a3d5ec17244d6281e822f5ab69f7c3b7f2d8ea82ab3ec0aa26dddfa
SHA512 3108dd6959dbc9d55575d7bc108c56973ef3e27dadb9896dd4ccad5ea23043ddf00188d9f074e962f95c5d9f065316e303930b5ef76eb03cc6543b2a01420d86

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows collapsed)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 identical rows collapsed)
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
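Most rows in this table are not attributable to the sample: the in-addr.arpa names are reverse lookups of addresses already contacted, and g.bing.com / tse1.mm.bing.net are the usual background traffic of the Windows 10 sandbox image (treated here as an assumed noise list). The only sample-specific network indicators anywhere in this report are the conf.coopen.cn and piclist.conf.coopen.cn lookups made during the Coopen.exe detonation above, and for those the report shows a DNS query only, with no connection recorded. The Python below is an added example, not code from the report or the sandbox: it parses rows in the report's Country / Destination / Domain / Proto layout, discards reverse lookups and the assumed background domains, and correlates each remaining name with any direct connection to it so that "resolved but never contacted" stands out. The sample rows are copied from this report.

```python
import re
from collections import Counter

# One network row in the report's layout: <cc> <ip>:<port> [<domain>] <proto>
ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$'
)

# Assumed noise list for this sandbox image; extend per environment.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")

# Constructed sample: rows copied from the report's network tables.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 conf.coopen.cn udp",
    "US 8.8.8.8:53 piclist.conf.coopen.cn udp",
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 150.171.28.10:443 g.bing.com tcp",
    "US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 udp",                      # row recorded without a name
]


def classify(domain, background=BACKGROUND_SUFFIXES):
    """Bucket a row's domain: sample-attributable or one of three kinds of noise."""
    if domain is None:
        return "unresolved"              # no name recorded for this flow
    if domain.endswith(".in-addr.arpa"):
        return "reverse-lookup"          # PTR query for an address already contacted
    if any(domain == s.lstrip(".") or domain.endswith(s) for s in background):
        return "os-background"
    return "sample"


def triage(lines, background=BACKGROUND_SUFFIXES):
    """Return sample-attributable domains with their DNS lookups and direct connections."""
    report = {"sample": {}, "noise": Counter()}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue                     # not a network row (header, blank, other table)
        row = m.groupdict()
        cls = classify(row["domain"], background)
        if cls != "sample":
            report["noise"][cls] += 1
            continue
        entry = report["sample"].setdefault(row["domain"], {"lookups": 0, "connections": []})
        if row["port"] == "53":
            entry["lookups"] += 1        # DNS query: the resolver address is not an IOC, the name is
        else:
            entry["connections"].append(f"{row['ip']}:{row['port']}/{row['proto']}")
    return report


def lookup_only(report):
    """Names the sample resolved but never connected to (no answer, blocked, or never reached)."""
    return sorted(d for d, e in report["sample"].items() if e["lookups"] and not e["connections"])


if __name__ == "__main__":
    rep = triage(SAMPLE_ROWS)
    for domain, entry in sorted(rep["sample"].items()):
        print(f"{domain:28} lookups={entry['lookups']} connections={entry['connections']}")
    print("lookup only:", lookup_only(rep))
    print("noise:", dict(rep["noise"]))
```

Passing `background=()` keeps the Bing rows, which is useful to confirm the connection correlation works before trusting the noise list on a new sandbox image.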

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 224

Network

N/A

Files

memory/2332-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2332-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2332-2-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_10_\CCPMachineInfo.dll,#1

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
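The indicator above is a handle to \??\PhysicalDrive0 opened with write access by the rundll32.exe process hosting CCPMachineInfo.dll; the report records the open, not the bytes written, so whether sector 0 actually changed is not established here. The practitioner's check after this signature fires is to compare the first sector against a baseline. The Python below is an added example written for this report, not code from the report, the sandbox or the sample: it parses a 512-byte MBR, validates the 0x55AA signature and partition table, and hashes the 440-byte boot-code region separately from the partition table, so a legitimate partitioning change does not mask boot-code tampering and a boot-code change is not hidden by an unchanged table. The sample sector and the tampering helper are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440         # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Validate the boot signature and return the disk signature and non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not a valid MBR")
    disk_signature = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                                   # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"disk_signature": disk_signature, "partitions": partitions}


def boot_code_digest(sector):
    """SHA-256 of the boot-code region only (partition table and signature excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def boot_code_unchanged(baseline, current):
    return boot_code_digest(baseline) == boot_code_digest(current)


def build_sample_mbr():
    """Constructed sample sector: a few bytes of stand-in boot code plus one bootable NTFS partition."""
    sector = bytearray(SECTOR)
    # xor ax,ax ; mov ss,ax ; mov sp,7C00h ; sti  (typical MBR prologue)
    sector[:8] = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB])
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 409600)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def tamper_boot_code(sector):
    """Constructed tampering: patch bytes inside the boot code, leaving table and signature intact."""
    patched = bytearray(sector)
    patched[0x10:0x14] = b"\xEB\xFE\x90\x90"          # jmp $ ; nop ; nop
    return bytes(patched)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    current = tamper_boot_code(baseline)
    print(parse_mbr(current))                          # table still parses cleanly
    print("boot code unchanged:", boot_code_unchanged(baseline, current))
```

Feed it the first 512 bytes read from the raw device (`\\.\PhysicalDrive0` on Windows, which needs an elevated handle; `/dev/sdX` on Linux) or from the disk image, and use the pre-detonation sector, or the sector from the golden sandbox image, as the baseline. A parse that succeeds says nothing on its own: the tampered sample above still has a valid signature and an unchanged partition table.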

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3596 wrote to memory of 3420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 3420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 3420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_10_\CCPMachineInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_10_\CCPMachineInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3420 -ip 3420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 632

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 3476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 3476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 3476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3476 -ip 3476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 576

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2632 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2632 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 616

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 244

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 612

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MakeDll.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MakeDll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MakeDll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 244

Network

N/A

Files

memory/2292-0-0x0000000000250000-0x00000000002B9000-memory.dmp

memory/2292-1-0x0000000000250000-0x00000000002B9000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 948 -ip 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 612

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 244

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 4196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 4196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 4196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4196 -ip 4196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 612

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Coopen播放器.lnk C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Coopen\Coopen.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Prev.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Push_Confirm.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\setting.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\image\Wallpaper\local wallpaper\DefaultCoopenWallpaper.jpg C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\image\Wallpaper\coopen wallpaper\DefaultCoopenWallpaper.jpg C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\CoopenWeather.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\hover.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Close.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\uparrow.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File opened for modification C:\Program Files (x86)\Coopen\image\Wallpaper\local wallpaper\ModeAList.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\image\Photo\local Photo\B_0.jpg C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\image\Photo\local Photo\B_1.jpg C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File opened for modification C:\Program Files (x86)\Coopen\conf\Admin.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Templete\ModeC.tpl C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\CoopenNotepad.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Commit.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Templete\ModeB.tpl C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\downarrow.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Coopen.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\CoopenMainManager.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\CoopenActiveControl112.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\border.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Indicator2.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Notify.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Push_Cancel.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\SkinClose.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\conf\PluginConfig.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\licence.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\CoopenSearchTool.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Background.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Pause.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Push_Folder.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Synopsis2.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\SkinClient.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Progress.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\RadioC.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Synopsis1.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Templete\CoopenPhoto.jpg C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Widget.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\MainIcon.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\hover.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\rightarrow.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File opened for modification C:\Program Files (x86)\Coopen\image\Photo\local Photo\ModeBList.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\uninst.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\conf\ChannelListReal.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\running.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Synopsis1.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\leftarrow.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Channel.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\CheckU.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\CoopenLottery.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Next.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Button_Play.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Templete\ModeB_logo.jpg C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Message.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Push_Config.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\RadioU.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\close.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File opened for modification C:\Program Files (x86)\Coopen\conf\All Users.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\Plugins\tip.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\CheckC.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Resource\SkinFormal\Indicator1.png C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\CoopenAir.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
File created C:\Program Files (x86)\Coopen\Templete\DefaultCoopenWallpaper.jpg C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Coopen\Coopen.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Program Files (x86)\\Coopen\\Coopen.scr" C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe"

C:\Program Files (x86)\Coopen\Coopen.exe

"C:\Program Files (x86)\Coopen\Coopen.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\nscD7D4.tmp\System.dll

memory/2216-15-0x0000000002171000-0x0000000002172000-memory.dmp

memory/2216-14-0x0000000002170000-0x0000000002173000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nscD7D4.tmp\KillProcDLL.dll

memory/2216-21-0x0000000002170000-0x0000000002173000-memory.dmp

memory/2216-48-0x0000000002171000-0x0000000002172000-memory.dmp

memory/2216-46-0x0000000002170000-0x0000000002173000-memory.dmp

C:\Program Files (x86)\Coopen\image\Photo\local Photo\ModeBList.ini

memory/2216-138-0x0000000002170000-0x0000000002173000-memory.dmp

memory/2216-137-0x0000000002170000-0x0000000002173000-memory.dmp

C:\Program Files (x86)\Coopen\conf\Admin.ini

C:\Program Files (x86)\Coopen\Coopen.exe

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win7-20241010-en

Max time kernel

12s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_10_\CCPMachineInfo.dll,#1

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
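
The indicator above records a handle to the raw first disk (\??\PhysicalDrive0 is the NT object name behind the Win32 path \\.\PhysicalDrive0) being opened with write access by the 32-bit rundll32.exe that loaded CCPMachineInfo.dll; the same process is reported crashing under WerFault immediately afterwards, so the report shows the open, not a confirmed sector write. The practitioner's check is to compare sector 0 before and after detonation. The following is an added example, not code from the report or from the sample: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA signature), hashes the boot-code region a bootkit would overwrite, and diffs a trusted copy against the current one. The two MBR images at the bottom are constructed test data, not taken from the sandbox run.

```python
import hashlib
import struct

# Classic MBR layout (non-GPT disk), offsets in bytes.
MBR_SIZE = 512
BOOT_CODE_LEN = 440      # 0..439: executable boot code, the region a bootkit replaces
DISK_SIG_OFF = 440       # 440..443: 32-bit disk signature (444..445 reserved)
PART_TABLE_OFF = 446     # 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # 510..511
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start(skip), type, CHS end(skip), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte sector as an MBR; raise ValueError if it is not one."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Compare a trusted copy of sector 0 with the current one; list the regions that changed."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        # Typical bootkit pattern: new boot code that later chains to the original
        # MBR stashed in an unused sector. Any change here needs a look.
        findings.append("boot code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    # Reads sector 0 of the raw disk; needs administrator rights on Windows.
    # The device path is the Win32 form of the \??\PhysicalDrive0 object in the indicator.
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(boot_code: bytes, partitions, disk_signature: int) -> bytes:
    """Assemble a synthetic MBR for testing (constructed data, not from the sample)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed baseline: a few bytes of boot stub and one bootable NTFS (type 0x07) partition.
BASELINE_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb",
                         [(0x80, 0x07, 2048, 204800)], 0xDEADBEEF)
# Constructed "after" image: first two boot-code bytes overwritten, everything else intact.
TAMPERED_MBR = b"\xeb\xfe" + BASELINE_MBR[2:]

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print(diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

On a live host, replace the constructed images with `read_mbr()` taken from a clean snapshot and again after detonation; a changed boot-code hash with an unchanged partition table is the shape a bootkit leaves, while a changed partition table alone is more often an installer or disk tool.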

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_10_\CCPMachineInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_10_\CCPMachineInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 244

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-16 22:52

Reported

2024-10-16 22:55

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
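
Before treating the table above as sample traffic, note what was actually run: $PLUGINSDIR is the staging directory an NSIS installer extracts its plugins into, and inetc.dll invoked by rundll32 at ordinal #1 outside its installer is consistent with the immediate WerFault crash recorded above. Every row is either a reverse (in-addr.arpa) lookup or traffic to tse1.mm.bing.net over 443, which is ordinary Windows 10 background activity in the sandbox, not a contact by the DLL. The following is an added example, not code from the report: it parses this table, decodes the PTR names back to the IPs that were looked up, deduplicates connections, and reports only the destinations that are not on an analyst's baseline of known sandbox noise. The rows are copied from the table; the BASELINE_NOISE set is an assumption supplied for the example.

```python
import re
from collections import Counter

# Rows copied from the behavioral28 Network table (Country Destination Domain Proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
"""

# Hosts the analyst has already baselined as sandbox/OS background (assumption for this example).
BASELINE_NOISE = {"tse1.mm.bing.net"}

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(text: str) -> list:
    """Turn the flattened table into dicts; refuse lines that do not match the layout."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def ptr_to_ip(name: str):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None if not a valid IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))  # PTR labels are the octets in reverse order


def triage(text: str, noise=BASELINE_NOISE) -> dict:
    """Split the table into PTR lookups, forward DNS queries and connections;
    return the contacted names that are not on the noise baseline."""
    ptr_lookups, forward_queries, connections = [], [], Counter()
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_lookups.append(ip)
            else:
                forward_queries.append(r["domain"])
        else:
            connections[(f"{r['ip']}:{r['port']}", r["domain"])] += 1
    contacted = {dom for (_, dom) in connections} | set(forward_queries)
    return {
        "ptr_lookups": ptr_lookups,
        "forward_queries": forward_queries,
        "connections": dict(connections),
        "needs_review": sorted(contacted - set(noise)),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ROWS).items():
        print(k, v)
```

Run against this table the only forward query and all five TCP connections go to the baselined host, so `needs_review` comes back empty; the ten PTR lookups are the OS resolving names for addresses it touched (the last one, 10.28.171.150.in-addr.arpa, is the bing address itself). A non-empty `needs_review` list is where analyst time should go.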

Files

N/A