Analysis Report Coopera.exe

Overview

General Information

Sample Name: Coopera.exe
Analysis ID: 338151
MD5: e6ed395de0f1e8a1ce346506452609f1
SHA1: 0029721036587ca7aa3657749e63e94e47ed76d4
SHA256: 78789f0a216d91b67b3dc6a2d0c3da7219f6eb30968c3761437367a143ab0a81

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008915E0 CertOpenStore,CertFindCertificateInStore,CryptBinaryToStringA,CryptBinaryToStringA,CertFreeCertificateContext,CertCloseStore, 0_2_008915E0
The calls in this function are the crypt32 certificate-store API: open a store, find a certificate in it, Base64-encode data with CryptBinaryToStringA, release the context and close the store. No key material is generated or used for encryption; the signature name is the sandbox's generic label for CryptoAPI use. Together with the ffcertmanager PDB path recorded under Compliance, this is consistent with a certificate-management utility.

Compliance:

Uses 32bit PE files
Source: Coopera.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Coopera.exe Static PE information: certificate valid
Source: Coopera.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: I:\buildagent\workspace\2771\_tmp\ffcertmanager\msvc-12.0\production\address-model-32\debug-symbols-on\link-static\runtime-link-static\threadapi-win32\threading-multi\user-interface-gui\ffcertmanager.pdb source: Coopera.exe
The PDB path records the build configuration: project ffcertmanager, built with MSVC 12.0 (Visual Studio 2013) as a 32-bit GUI program with static linking and a statically linked C runtime, in a directory layout of Boost.Build property names. The static CRT is why so many of the "code functions" listed in this report are runtime internals (names beginning with __crt, ___getlocaleinfo, __lseeki64_nolock) rather than code written for the sample.
Source: Coopera.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Coopera.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Coopera.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: Coopera.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Coopera.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: Coopera.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Coopera.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Coopera.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Coopera.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: Coopera.exe String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: Coopera.exe String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: Coopera.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Coopera.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Coopera.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Coopera.exe String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: Coopera.exe String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: Coopera.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Coopera.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Coopera.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: Coopera.exe String found in binary or memory: http://ocsp.digicert.com0P
Source: Coopera.exe String found in binary or memory: http://ocsp.digicert.com0R
Source: Coopera.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Coopera.exe String found in binary or memory: https://www.digicert.com/CPS0
These DigiCert addresses are the Authority Information Access, CRL Distribution Points, OCSP and CPS URLs carried in the certificates of the sample's Authenticode signature (the "certificate valid" line above). They are data inside the signature, not addresses the program connects to; the behaviour summary at the end of the report records no network activity. The trailing characters ("0", "0A", "08", "0w", "0L") are not part of the URLs: each URL is an IA5String inside DER-encoded certificate data, and the string extractor kept the printable bytes that follow it, usually the 0x30 SEQUENCE tag (ASCII '0') and a length byte.
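The following Python is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It shows why the URL strings above carry stray trailing characters and how to extract them correctly. The byte string SAMPLE_EXTENSIONS is constructed here (an X.509 Extensions SEQUENCE holding an AuthorityInfoAccess extension with two of the URLs seen above, followed by an empty basicConstraints extension so the last URL is trailed by the next SEQUENCE tag, as in a real certificate); it is not taken from Coopera.exe. ascii_runs reproduces what a strings-style extractor sees, and der_urls walks the DER structure instead. All function and constant names are the example's own.

```python
def tlv(tag: int, value: bytes) -> bytes:
    """DER type-length-value with short or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


OID_OCSP = bytes.fromhex("2B06010505073001")               # 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2B06010505073002")         # 1.3.6.1.5.5.7.48.2
OID_AIA = bytes.fromhex("2B06010505070101")                # 1.3.6.1.5.5.7.1.1
OID_BASIC_CONSTRAINTS = bytes.fromhex("551D13")            # 2.5.29.19

OCSP_URL = "http://ocsp.digicert.com"
CA_ISSUERS_URL = "http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt"


def access_description(oid: bytes, url: str) -> bytes:
    # GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String: tag byte 0x86.
    return tlv(0x30, tlv(0x06, oid) + tlv(0x86, url.encode("ascii")))


# Constructed sample (not bytes from the real certificate chain).
AIA = tlv(0x30, access_description(OID_OCSP, OCSP_URL)
          + access_description(OID_CA_ISSUERS, CA_ISSUERS_URL))
SAMPLE_EXTENSIONS = tlv(
    0x30,
    tlv(0x30, tlv(0x06, OID_AIA) + tlv(0x04, AIA))
    + tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x04, tlv(0x30, b""))),
)


def ascii_runs(buf: bytes, minlen: int = 4) -> list:
    """What a strings-style extractor sees: every run of printable ASCII, structure ignored."""
    runs, cur = [], bytearray()
    for b in buf + b"\0":                  # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= minlen:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def der_iter(buf: bytes):
    """Yield (tag, constructed, value) for each top-level TLV; minimal DER, no high-tag-number form."""
    off = 0
    while off < len(buf):
        tag, length = buf[off], buf[off + 1]
        off += 2
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(buf[off:off + nbytes], "big")
            off += nbytes
        yield tag, bool(tag & 0x20), buf[off:off + length]
        off += length


def der_urls(buf: bytes) -> list:
    """Collect URIs by structure: [6] GeneralName (0x86) or IA5String (0x16), descending into
    constructed types and into OCTET STRINGs, because extension values are DER inside an OCTET STRING."""
    urls = []
    for tag, constructed, value in der_iter(buf):
        if constructed or tag == 0x04:
            try:
                urls.extend(der_urls(value))
            except (IndexError, UnicodeDecodeError):
                pass                       # OCTET STRING that is not DER: skip it
        elif tag in (0x86, 0x16):
            urls.append(value.decode("ascii"))
    return urls


if __name__ == "__main__":
    print("printable runs:", ascii_runs(SAMPLE_EXTENSIONS))
    print("DER-aware URLs:", der_urls(SAMPLE_EXTENSIONS))
```

On the constructed input the naive extractor returns "http://ocsp.digicert.com0A" (the '0' is the next SEQUENCE tag, the 'A' its length byte 0x41) and "5http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0" (the '5' is the 0x35 length byte of the URL itself), while der_urls returns the two clean URLs. To apply this to a real binary, feed it the PKCS#7 blob from the IMAGE_DIRECTORY_ENTRY_SECURITY data directory rather than the whole file.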

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008DB1BD 0_2_008DB1BD
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C510D 0_2_008C510D
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C6342 0_2_008C6342
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008DC449 0_2_008DC449
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008D45AC 0_2_008D45AC
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C86E6 0_2_008C86E6
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008AB7E1 0_2_008AB7E1
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008DB72F 0_2_008DB72F
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_00891770 0_2_00891770
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C6777 0_2_008C6777
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C0870 0_2_008C0870
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C5A36 0_2_008C5A36
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008ABA34 0_2_008ABA34
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C6BAC 0_2_008C6BAC
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C4BE2 0_2_008C4BE2
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008DBCA1 0_2_008DBCA1
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008DDC6E 0_2_008DDC6E
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008CAEC0 0_2_008CAEC0
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008D2ED5 0_2_008D2ED5
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C7F10 0_2_008C7F10
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C5F2A 0_2_008C5F2A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Coopera.exe Code function: String function: 008BED53 appears 34 times
Source: C:\Users\user\Desktop\Coopera.exe Code function: String function: 008C1E90 appears 51 times
Source: C:\Users\user\Desktop\Coopera.exe Code function: String function: 008A9BFA appears 43 times
Source: C:\Users\user\Desktop\Coopera.exe Code function: String function: 008C7EB0 appears 47 times
Source: C:\Users\user\Desktop\Coopera.exe Code function: String function: 008C1E5D appears 84 times
Source: C:\Users\user\Desktop\Coopera.exe Code function: String function: 008C0981 appears 39 times
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Coopera.exe Section loaded: nss3.dll
nss3.dll is the Mozilla NSS library shipped with Firefox and Thunderbird. It is not present on the analysis machine, so the load fails. A certificate-manager tool that depends on the browser's NSS store has nothing to do without it, which is the likely reason for the idle result reported further down; observing the sample's real behaviour would require re-running it with Firefox installed.
Uses 32bit PE files
Source: Coopera.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: clean6.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008A6AA0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_008A6AA0
This function enables a privilege on the process's own token (LookupPrivilegeValueW followed by AdjustTokenPrivileges). The report does not record which privilege name is looked up; that string should be checked in the disassembly before drawing any conclusion from it.
Source: C:\Users\user\Desktop\Coopera.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Safer\CodeIdentifiers is the Software Restriction Policies location. It is commonly read by Windows itself when a program is launched or a library is loaded, so this key access by itself is not evidence of policy tampering.
Source: Coopera.exe Static PE information: certificate valid
Source: Coopera.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Coopera.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Coopera.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Coopera.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Coopera.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Coopera.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Coopera.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: I:\buildagent\workspace\2771\_tmp\ffcertmanager\msvc-12.0\production\address-model-32\debug-symbols-on\link-static\runtime-link-static\threadapi-win32\threading-multi\user-interface-gui\ffcertmanager.pdb source: Coopera.exe
Source: Coopera.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Coopera.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Coopera.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Coopera.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Coopera.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains sections with non-standard names
Source: Coopera.exe Static PE information: section name: .dbld0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008B60C8 push 8BFFFFFFh; iretd 0_2_008B60CD
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008F75F5 pushfd ; ret 0_2_008F7608
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008F7B05 pushfd ; retf 0_2_008F7B04
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008B5B63 push 8BFFFFFFh; iretd 0_2_008B5B68
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C7EF5 push ecx; ret 0_2_008C7F08
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C1E2B push ecx; ret 0_2_008C1E3E
Source: initial sample Static PE information: section name: .dbld0 entropy: 7.10695931514
A non-standard section at about 7.1 bits per byte is the indicator that, in a malicious sample, usually points to packed or encrypted code. Here it sits beside a valid Authenticode signature and a statically linked runtime, so embedded compressed resources or data are the more plausible explanation. Check the section's characteristics (whether it is marked executable) and whether the entry point or any code references it before treating it as a packer stub.
The push imm32; iretd and pushfd; retf sequences are the byte patterns a linear disassembly produces when it runs across data or padding (68 FF FF FF 8B CF is not plausible compiler output), and push ecx; ret occurs in ordinary compiler runtime helpers. This signature fires on instruction patterns, not on observed behaviour, and carries little weight on its own.
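Checking the static properties the report lists under Compliance and Data Obfuscation (32-bit PE32 image, DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE, a non-standard section name and its entropy) needs only the Python standard library. The script below is an added example written for this page, not tooling from Joe Sandbox or from the sample's vendor. triage_pe parses the DOS, COFF and optional headers and the section table; build_fake_pe constructs a minimal PE32 image with a zero-filled .text section and a uniformly distributed .dbld0 section so the example runs without the real binary (the constructed image is not Coopera.exe, and its entropy of exactly 8.0 is an artefact of the test data). STANDARD_SECTIONS is this example's own list of linker-emitted names.

```python
import math
import struct
from collections import Counter

# Section names a linker normally emits; anything else is "non-standard" for triage (example's own list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}

# IMAGE_DLLCHARACTERISTICS_* bits from the PE specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_dll_characteristics(value: int) -> list:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def triage_pe(blob: bytes) -> dict:
    """Parse headers and the section table of a PE image held in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    dllchars = struct.unpack_from("<H", blob, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, _vsize, _rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "standard": name in STANDARD_SECTIONS,
                         "size": raw_size, "entropy": round(shannon_entropy(raw), 3)})
    return {
        "machine": hex(machine),
        "pe32": magic == 0x10B,
        "is_32bit_machine": bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "dll_characteristics": decode_dll_characteristics(dllchars),
        "sections": sections,
    }


def build_fake_pe(sections) -> bytes:
    """Constructed minimal PE32 image for offline testing; not real compiler output."""
    file_align, headers_size, opt_size = 0x200, 0x400, 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 32, 0x400000, 0x1000, file_align)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers_size)             # SizeOfHeaders
    struct.pack_into("<H", opt, 70, 0x8140)                   # DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    table, body, raw_ptr, rva = bytearray(), bytearray(), headers_size, 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr, rva = raw_ptr + raw_size, rva + 0x1000
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return header.ljust(headers_size, b"\0") + bytes(body)


if __name__ == "__main__":
    image = build_fake_pe([(".text", b"\0" * 0x200), (".dbld0", bytes(range(256)) * 2)])
    for key, value in triage_pe(image).items():
        print(key, value)
```

To run it against a real file, pass open(path, "rb").read() to triage_pe. The section entropy is computed over SizeOfRawData bytes, which is what the sandbox's figure most likely reflects as well; a section whose raw size is padded with zeros will read lower than its payload alone.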

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No child process, dropped file, registry write or DNS lookup was observed during the run. Given the failed nss3.dll load recorded under System Summary, this idle result says as much about the analysis environment as about the sample, and should not be read as deliberate sandbox evasion.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008D075F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_008D075F
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008D075F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_008D075F
Both signatures point at the same function, 0_2_008D075F. Its call list (___crtIsPackagedApp, the EncodePointer/DecodePointer wrapping around GetProcAddress) identifies it as MSVC C runtime initialization code, statically linked into the image as the PDB path indicates. The IsDebuggerPresent and OutputDebugStringW calls belong to the runtime's own diagnostics, not to an anti-debugging check written for the sample; a bespoke check would be expected outside the runtime and usually alters control flow on a positive result.
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008DD864 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_008DD864
GetProcessHeap here is the C runtime allocating a scratch buffer inside its file I/O routines (__write_nolock, __lseeki64_nolock). The heap-flag debugger check this signature is designed to catch would inspect the heap's flags, not merely allocate from it, which is why the signature is worded "may be used".
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C4116 SetUnhandledExceptionFilter, 0_2_008C4116
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008C4147 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008C4147
Installing an unhandled-exception filter is standard C runtime start-up behaviour; it is listed here because the same API can be used to detect a debugger (the filter is not invoked while one is attached), but nothing in the report shows that use.

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Coopera.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_008D82CF
Source: C:\Users\user\Desktop\Coopera.exe Code function: GetLocaleInfoW, 0_2_008C76A4
Source: C:\Users\user\Desktop\Coopera.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_008D96E2
Source: C:\Users\user\Desktop\Coopera.exe Code function: EnumSystemLocalesW, 0_2_008C761E
Source: C:\Users\user\Desktop\Coopera.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_008C78AB
Source: C:\Users\user\Desktop\Coopera.exe Code function: _LcidFromHexString,GetLocaleInfoW, 0_2_008D98A6
Source: C:\Users\user\Desktop\Coopera.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_008D88D1
Source: C:\Users\user\Desktop\Coopera.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_008C183C
Source: C:\Users\user\Desktop\Coopera.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_008D9996
Source: C:\Users\user\Desktop\Coopera.exe Code function: EnumSystemLocalesW, 0_2_008D9956
Source: C:\Users\user\Desktop\Coopera.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_008D9A96
Source: C:\Users\user\Desktop\Coopera.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_008D9A13
Source: C:\Users\user\Desktop\Coopera.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_008D9C8B
Source: C:\Users\user\Desktop\Coopera.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_008D9DB5
Source: C:\Users\user\Desktop\Coopera.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_008CFD49
Source: C:\Users\user\Desktop\Coopera.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 0_2_008D7EC7
Source: C:\Users\user\Desktop\Coopera.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_008D9E62
Source: C:\Users\user\Desktop\Coopera.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_008D9F38
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008CA742 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_008CA742
Source: C:\Users\user\Desktop\Coopera.exe Code function: 0_2_008CF822 ____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_008CF822
Every function in this section is C runtime locale and time-zone initialization (setlocale internals such as ___getlocaleinfo, _GetLcidFromLangCountry and ___free_lconv_mon, and the tzset code that reads the TZ environment variable and calls GetTimeZoneInformation). The sequence at 0_2_008CA742 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) matches the CRT's __security_init_cookie, which seeds the /GS stack cookie. None of it is sample-specific locale or geography fingerprinting.
Behavior Graph ID: 338151. Sample: Coopera.exe. Start date: 11/01/2021. Architecture: WINDOWS. Score: 6. One process, Coopera.exe, was started; it created no child processes.
No contacted IPs.