b061cb8de4e144dc40a98d8754e8cc0377c80ebfb35fceb7190ff76d63f5a173

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 02:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/coopen_setup_100030.exe
Size

1.2MB
MD5

86417458dc5b33ed2d64ec7ca79be209
SHA1

4786aef18d2409c6e5aa255c4663d455196292ad
SHA256

4b2b035586333f7c16e6035e67bed9f4120b43933e74e8a29f64d04775e86328
SHA512

6b2153538d758b35ebb46cb0ff8485c3f8213c36d6a995329a439826225174333a068dfb08d6755e2fe19f2aa0bd752f962a2bcb80fd9a294f878586ee6e9da3
SSDEEP

24576:kLBUwTKA2P9U/cDeCiFwM9hmYYvNKt6n5duze92xK/zftXhp/:kLqsPihZieBYYvNKt65j2W7tXhF

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Coopen²¥·ÅÆ÷.lnk	coopen_setup_100030.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	Coopen.exe
1168	CoopenAir.exe

Loads dropped DLL 20 IoCs

pid	Process
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Coopen.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Coopen.scr	Coopen.exe
File opened for modification	C:\Windows\SysWOW64\Coopen.scr	Coopen.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Coopen\Coopen.exe	coopen_setup_100030.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CoopenOldWallPaper.jpg	Coopen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoopenAir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coopen_setup_100030.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coopen.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop	coopen_setup_100030.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Users\\Public\\Coopen\\Coopen.scr"	coopen_setup_100030.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0\win32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\1\ = "131473"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\ = "CoopenControl Class"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\VersionIndependentProgID\ = "CoopenActiveControl.CoopenControl"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\TypeLib	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ = "ICoopenControl"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\Version = "1.0"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\ = "CoopenControl Class"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ToolboxBitmap32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl110.dll, 101"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\Version = "1.0"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CLSID	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ProgID\ = "CoopenActiveControl.CoopenControl.1"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ToolboxBitmap32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\FLAGS	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Version\ = "1.0"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\MiscStatus\ = "0"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\CLSID	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CurVer	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ = "CoopenControl Class"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Control	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\ = "CoopenActiveControl 1.0 Type Library"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl110.dll"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Insertable	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Version	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ = "_ICoopenControlEvents"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\HELPDIR\ = "C:\\Users\\Public\\Coopen"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\Version = "1.0"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\VersionIndependentProgID	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\Programmable	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0\win32\ = "C:\\Users\\Public\\Coopen\\CoopenActiveControl110.dll"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\HELPDIR	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\ = "_ICoopenControlEvents"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\FLAGS\ = "0"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A6C03BB-F95D-4845-B571-A4EBFA48F77F}\TypeLib\Version = "1.0"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl.1\CLSID\ = "{51D33728-411D-423D-B1C3-92717AB6970A}"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoopenActiveControl.CoopenControl\CLSID\ = "{51D33728-411D-423D-B1C3-92717AB6970A}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\ProgID	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51D33728-411D-423D-B1C3-92717AB6970A}\InprocServer32\ThreadingModel = "Apartment"	Coopen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0C95278-1A3D-4AEA-AC49-3296B8D699DA}\TypeLib\ = "{D3ECD831-4859-4374-A7B4-46A7E4D016F7}"	Coopen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3ECD831-4859-4374-A7B4-46A7E4D016F7}\1.0\0	Coopen.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
2364	coopen_setup_100030.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe
1168	CoopenAir.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	Coopen.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe
2988	Coopen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1168	CoopenAir.exe
1168	CoopenAir.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2988	2364	coopen_setup_100030.exe	30
PID 2364 wrote to memory of 2988	2364	coopen_setup_100030.exe	30
PID 2364 wrote to memory of 2988	2364	coopen_setup_100030.exe	30
PID 2364 wrote to memory of 2988	2364	coopen_setup_100030.exe	30
PID 2364 wrote to memory of 2988	2364	coopen_setup_100030.exe	30
PID 2364 wrote to memory of 2988	2364	coopen_setup_100030.exe	30
PID 2364 wrote to memory of 2988	2364	coopen_setup_100030.exe	30
PID 2988 wrote to memory of 1168	2988	Coopen.exe	31
PID 2988 wrote to memory of 1168	2988	Coopen.exe	31
PID 2988 wrote to memory of 1168	2988	Coopen.exe	31
PID 2988 wrote to memory of 1168	2988	Coopen.exe	31
PID 2988 wrote to memory of 1168	2988	Coopen.exe	31
PID 2988 wrote to memory of 1168	2988	Coopen.exe	31
PID 2988 wrote to memory of 1168	2988	Coopen.exe	31

C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\coopen_setup_100030.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files (x86)\Coopen\Coopen.exe
  "C:\Program Files (x86)\Coopen\Coopen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Public\Coopen\CoopenAir.exe
    "C:\Users\Public\Coopen\CoopenAir.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1168

Network

DNS

conf.coopen.cn

Coopen.exe

Remote address:

8.8.8.8:53

Request

conf.coopen.cn

IN A

Response
DNS

piclist.conf.coopen.cn

Coopen.exe

Remote address:

8.8.8.8:53

Request

piclist.conf.coopen.cn

IN A

Response

No results found

8.8.8.8:53

conf.coopen.cn

dns

Coopen.exe

60 B
118 B
1
1

DNS Request

conf.coopen.cn
8.8.8.8:53

piclist.conf.coopen.cn

dns

Coopen.exe

68 B
126 B
1
1

DNS Request

piclist.conf.coopen.cn

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Coopen\Coopen.exe

Filesize
90KB

MD5
f9193966e62c1956bf3c9a716e958a0e

SHA1
87401d4a6cb2f023537398fdbf6fc721cacbd93b

SHA256
b6f9170d208cfb347ab0095b811a65a1a717ea1246ca25796923b45d2f986e41

SHA512
25d9a1b5c7702ebccbfdbcbdd81f6dc5d0aeb5bb6df4a8e8e05ba7cf5840e92b7e64d448d923775345e860ee5939bb34228de81e4b3044f750bab1b5b44ca3bd

Download Submit
C:\Users\Public\Coopen\Coopen.scr

Filesize
44KB

MD5
3238b5035688cc6949293247b08c015e

SHA1
076d1a4467981297fa6d26278a798711639df02f

SHA256
7c5500ef23b0fedffb0155cf00130f8b2b1e66932e2a0cdbadaae355fd6f8b03

SHA512
18aba14c669c17825c0a428f9f2ea3f8f9b42afe584b89a3c6dc6b249aacaf517c179349242bb950161d3889c7e5c16ed9f03f580dcc377143b220709ff045e9

Download Submit
C:\Users\Public\Coopen\CoopenAir.exe

Filesize
238KB

MD5
81caf14643c2fe71ee456f99a4ebbd87

SHA1
cc6fc467ee8b05dd12080fa1e8f1725e07e180cb

SHA256
d94657d062b2abdcbf5b8fa9dd8974ad2218abca7426fdc7534a6d4aeaed523c

SHA512
69a15ecd6df384f648789bfe2cb1401b210d45a1c939c19ab6ad17c6271e0acf527d439a488d55f365757324a4aef1337e20ba044647c11606c424e1de86f059

Download Submit
C:\Users\Public\Coopen\CoopenMainManager.dll

Filesize
868KB

MD5
60aee0a9b29f56e333093d237fb20f6b

SHA1
a3023dab4d74a0e9803382e20b64ce780c9c2ff3

SHA256
4675621564a482c0d242e86d0da3ce818e60143672155570a3a14ec09f6afa26

SHA512
9f7224e38056fe18bc34730496faa739fb245a70fb429365b1044c606ca22d2bb5338323013c436dbda63bf863683eb2bfc3a0364777c8df2149a8691c4ffdda

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Background.png

Filesize
5KB

MD5
af3fc561248514b757b1e1ca3ed933ac

SHA1
6f65624a45a267ec0ff48f323be99b100f79db9f

SHA256
a441f330499453a3ecb20b7ac00f086dfae1fcf8c523cc4d2535c52723ce9a40

SHA512
05cd63672031d5469d735923ea26ec9b459cb07078af46d107e390906927999c8572b6d2c44383ab3419644b476131fae762ac8b8d08e1d113f2de8c00c915dc

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Channel.png

Filesize
2KB

MD5
4dd7916a2eadda37420721628143f823

SHA1
a00187f9fd16b59ac23272292363bfa6a1860630

SHA256
07a4013a51c36fa265ab621fe673c2e2c5dd1af480f51ecc54b7b2c919242477

SHA512
f8058f209a24eb99da466b866024e04bc627086976b9733493e5e67b10b6a0df3db9c5b3fb050f8f458d6656e72e00306bde2457b7e171907b684bf7262328b6

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Close.png

Filesize
1KB

MD5
3866af8e64c640812c954641ba87d8d7

SHA1
e602a7934f74d9d59ee8923ec37113041be54e79

SHA256
c2fff663bcdf180985f6b45fba7fd0e526ffd11d8b27eae6eb1eb302fd9cd767

SHA512
8afe1e59424759f1c336bcfc5229a14c626d4c92a173a64bd8354823411a7a9ad066d4e9a9e42820d73ca052b4a97009ac8b1356c339722742ef93384474f43d

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Commit.png

Filesize
3KB

MD5
dc09fdd540cbffd051bce8a3403212bd

SHA1
fdbfa319d99e426ec06d3401418221305220a7df

SHA256
6987ad414741684bde8472c1aa252cb0066311c01a1dd27a70b5a51c524551ff

SHA512
3f37e41d842b77f6704ba53b7f16d4ed747c69e8797d305451dc54b6519a88996be3d85c982cceca01675db0d6efa9c46be468b0516bfaba364413bd18f2ca5e

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Next.png

Filesize
3KB

MD5
2917cad3e39ac06e082780f167fa0f44

SHA1
df07535366f50c5a0b00205bbb868eae9623094d

SHA256
eb522f713ffdac54d5029243700ea142dfa0b1e4dc11a88257ac19148be6642d

SHA512
75baa151fce8ee5c7b4317a92822612d6dd0d5052b560252831e06a5de05ac7c01dc8700be2b6c72e9831e796951df3859689ed44377162662e51298f74172bc

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Pause.png

Filesize
2KB

MD5
faaaaf227d4eb429f8b69fc4e0e1b16c

SHA1
6816313798ef3ea247621bb440bcff3440c6c446

SHA256
eedc79110acc5dddcc4cc57c62961f141120359ed20a6c9de40a9f9e78476c2e

SHA512
94af7615b0b39fb9a969bc324a24b29bffa08bbf8907fbc897179fc3885ca3510b6c3ddcc06ecff880165c05cead9f681dade263d52cc1247472d13796e3be93

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Prev.png

Filesize
3KB

MD5
e74c72f68eb70580e2a1cbd4e78d571a

SHA1
1be39fff6e7988718233632aa2be59acce14a285

SHA256
ba0a735ccc5aaa30ecc0454f2d1465c0a313e7e45a1a7b8cfecf169944c6d351

SHA512
51259aed26144bf1ffbefea7421352606ae708093d7e5fea3f068718fe70a7840204944297fba225ee645244f4f41fc989d3244507ad931a5051f50a0ae0ff27

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Button_Widget.png

Filesize
3KB

MD5
7381c99fabae123b943046adffb95ac8

SHA1
ce905f92de5db8eab537cba9015ceb4739d41b92

SHA256
b6b8d9f590e46d3f8ea11bd4ec578e6f12d45143af4554fd14cc9a13869c35e6

SHA512
2f9f2f73c615a6398ec1efb6190a8d89dc2a0933612ea3759033bbb1722767cd5c855d2c6e85b02a2b2b31c57464ea154db03f7f9e6c31b90610e670a0351624

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\MainIcon.png

Filesize
1KB

MD5
47ad98e1168aac8e6e58a0b20304391d

SHA1
3e153de12d65b417cb80c7d357c782453a6cbea0

SHA256
dccd8b4ab98dd10f226f450fe6d9626fd4be91679542f088a6bb2444d75eb70b

SHA512
c1cb2860c0edc2ca1ae15075c563f073a9bd3a6b7653439f05a99c0b2e8732cc8432d1a3ba2a43c2171e869e56928afd4b773c4c111eeca1d9fe8593895a9c93

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\Progress.png

Filesize
1KB

MD5
a3c16f92de8cc28ef8c96df2e40f6ced

SHA1
4f1f8fedd6f93be9e06105e0723d5d441cd37762

SHA256
1879cd50d901d9be4a7f6dcfbb38ba98fb7ff6e4001798dae66415479eef8f9b

SHA512
78b89745d755101b59d6e89ba0c3c54e312d1145de8c9b2994042b69e7a49bd4755a50e96071728908352289fb0c2e10d6d9b9b78b55f00cf5222efad62c71ba

Download Submit
C:\Users\Public\Coopen\Resource\SkinFormal\SkinClient.ini

Filesize
1KB

MD5
f1c1c686020403197cbebaee1d4097dd

SHA1
6f114e31b221aba01f60d839ceed1f057b939835

SHA256
2b84849d7be3dfc1d6ca56cfddfe1234fae14369bcec05fb1a200eb0dd676e0c

SHA512
c9894ca952fb99de4a042301ff136515ad97d0be798aa15e201401853d61c5344fd4a4201b986c200d0f27fb1bfd9ddbf0b35a848a0acce20665491b8416e4f5

Download Submit
C:\Users\Public\Coopen\Templete\Default.tpl

Filesize
141B

MD5
de31224a9c1c0f0c1e7fbffe02620ee7

SHA1
9b89c6ebbc3470f9d390278be1f9abc9d5aab2a2

SHA256
0897cb821974d1b47d882e37d99c1037097c2ceffa7a639a81d853d1f7f056cd

SHA512
53e5258871ecc99bfed109e7f576f9c5463923061674269720d7f78d1f28835531bf446d1ba32986728aa9ce026a7fd860942971dab36caa00a27897fe81515b

Download Submit
C:\Users\Public\Coopen\Templete\DefaultCoopenWallpaper.jpg

Filesize
75KB

MD5
3a1aef530244c5246688ada270ca479e

SHA1
49fb60b890a2ace02641d7d4774ada8c1abd356f

SHA256
f2df1c5aaf11b57af873a82237a08abfb685fe23371aafe73b7927da9075d711

SHA512
b8cd7b8ce830655d65ff366a0ee8af80b6ba8365a8a0bf2ea5c50a50630995a3a816eb6925be5599c94cddfb8ffd74ddde5f4854d4c5f2e54dc1775092d21c29

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
261B

MD5
d181759cae430432c70ded919fcffb56

SHA1
0a72d60baa90147a34f1f6ba17a8c3775eab2da4

SHA256
33b5600d00015b0e0b9a8a1135e1431bf1561bc87bcc54e2c4491981257048c5

SHA512
db24623677ed12b6896cc8a7bfc8b29cf9373f80b65817aea04d6fea9415321f3ebfa9fabae869584e46df1a16d040c8ab50c4f9d723ec910a09c897b92497a1

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
341B

MD5
5db7efe3a7e33e2afa0fe8f846e4ebba

SHA1
ace91a021ac988cf0e7aa53f8d66b9f3430da482

SHA256
7a86168e4d101fa11dd56a23459c6ad0b3f8ff52b1246153e50fdebd9c3b584f

SHA512
aa842c96ad931c04c7473cd0923c17a07d24ca98b776c19e58bf2e0ec139109d81e66071ad10ed6ed2fe96f99e70add13d4b4ffbe32df8c7bc89fdbb05c2ea94

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
374B

MD5
4b679440cd54d2ff389720dd1753f802

SHA1
72739b6ad78a7fdc5d96692b4a01f3aa835b2270

SHA256
98ca6b075ab2e43f159db1a3903e5881addf0096932bcd79bdda0f4243bb2251

SHA512
90c58ca4e72567301bd844dd734d9cb405b03bcd0b5d67b17ab3636c56923855d7810a992ee5b9afe11b5c35f55fcebead3ad428e626f0be5cb9ab82d7e9cca7

Download Submit
C:\Users\Public\Coopen\conf\Admin.ini

Filesize
579B

MD5
5f3b9238c657e46bf9ba87bf00f539a2

SHA1
47006bcfc7880ee345fca0dcd067ad6f47fc6b8a

SHA256
a43171d739ebdce724027a48e6b24cb28b78943d4bb5acb4c0ed7d8169290082

SHA512
87f4d87e845dc389d47f4471f1e0a0de247d079afd85b66487ec6a986da31bce4432475c40fe46d184e296ff5f25001f1cc9a3f066cc67cb19f37b18755c0db2

Download Submit
C:\Users\Public\Coopen\conf\All Users.ini

Filesize
44B

MD5
dabdab4a8e77f088505be65c7182105b

SHA1
9c898a294ef6c675b0da09e68b79bc6ce973f715

SHA256
318e64e6e9b17c6d072792aef74ef1ccce2ad95c3b4fdb13c8446a29d922a979

SHA512
0b0a897b92a266bcd4f924805e7c88d953b93e724ebad8e540d9c00768d973bc3b7b3527e24bafaf3aaa4e856b9511bae4ff78cb745681dfd43c0235b193fd5d

Download Submit
C:\Users\Public\Coopen\conf\ChannelListReal.txt

Filesize
370B

MD5
429c106d3337f9e4a606f663e8e92bb9

SHA1
e7d11f453d9a8eeb2bd67c97723956d63714d57e

SHA256
78ea53fb5305c65f7e78f1a331f60f09ef0ee8f3f54d47f202ce4c84dec62ddc

SHA512
69be1e8fb5eabf24522325a9c44f1e59f4fa8c1c40ad109f0bdc8535487b6025e2dd5a6238dfd75e7cb70f0d02bd0c8209232fe709108a4e5091be221766b761

Download Submit
C:\Users\Public\Coopen\conf\PluginConfig.ini

Filesize
3KB

MD5
cf305214622c5d2234854c71e021ae74

SHA1
b885a1bb8dca458ed3acf1b9aa2c143251428dfd

SHA256
b72997d6aea481af28fbacf9463d9de324a74096d81aa51b239fdd5c46fc55d5

SHA512
6a746494bdb0450b2e8f259b16e55feb85285470eab6289ba7493695d71fdbd5d29fdeb64b5b8fdffabfe2414e401df406a611f204699f5000bc3ff7833a01af

Download Submit
C:\Users\Public\Coopen\image\Wallpaper\coopen wallpaper\109785\PicList.ini

Filesize
24B

MD5
0cc02f833ad4bb8b01765646fa882b71

SHA1
b7938ee092b156c8b4d95ffaffceecd1cd6e1090

SHA256
592422227a3d5ec17244d6281e822f5ab69f7c3b7f2d8ea82ab3ec0aa26dddfa

SHA512
3108dd6959dbc9d55575d7bc108c56973ef3e27dadb9896dd4ccad5ea23043ddf00188d9f074e962f95c5d9f065316e303930b5ef76eb03cc6543b2a01420d86

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9178.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9178.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Public\Coopen\CoopenActiveControl110.dll

Filesize
56KB

MD5
78e522aa4f7dc6ca322eabe916dd7190

SHA1
e7f40650e3de52e26f5d07dd8a4dc53f935ea97c

SHA256
a929ac8a08eeb966441646549a9e925a306aaea374ccba9996225ea0e14852f5

SHA512
9ec165d5acf2b1e5aa0bf79986a2458f5db910e7d2c739cfd0b092e392b3acc94f9df9c871b9d6484986dda5f5652ff60bb555c5d43e5f659df35adc12a667cd

Download Submit
memory/2364-155-0x0000000000390000-0x0000000000393000-memory.dmp

Filesize
12KB

Download
memory/2364-120-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/2364-10-0x0000000000390000-0x0000000000393000-memory.dmp

Filesize
12KB

Download
memory/2988-165-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.