Analysis
max time kernel: 68s
max time network: 21s
platform: windows7_x64
resource: win7-en-20210920
submitted: 27-09-2021 13:20
Static task: static1
Behavioral task: behavioral1
Sample: HotCoffeeRansomware.exe
Resource: win7-en-20210920
General
Target: HotCoffeeRansomware.exe
Size: 776KB
MD5: c054c0f03277f7f0bdad9350fa3d5c2d
SHA1: 752071b548bb3a4c45c91174fcf5cf95ce99638a
SHA256: 546f3a70ab029ad78105f1b7cf581038362cfbb3c7120326075552d72656ec98
SHA512: 783a02a18f15c80c21cb08b9822ab02c0f62a11340edbbc44a364db9d820bda795db086f843ed3c2597d86c2933dc531ebdaa2ab3fc97e3f5e18aa3c437f6576
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\HOT_COFFEE_README.hta
Email: EMAIL@protonmail.com
Signatures
Drops startup file (1 IoC)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Windows Media Player\en-US\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.hotcoffee | HotCoffeeRansomware.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\si.txt.hotcoffee | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Common Files\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\d3d11\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\visualization\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\mn\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\or\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ml\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt.hotcoffee | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ar\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.hotcoffee | HotCoffeeRansomware.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt.hotcoffee | HotCoffeeRansomware.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ps\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\br\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ro\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\MSBuild\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Windows Media Player\de-DE\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\logger\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Microsoft Games\Solitaire\fr-FR\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Microsoft Games\Hearts\de-DE\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\sd\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Java\jre7\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\TextConv\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HOT_COFFEE_README.hta | HotCoffeeRansomware.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 IoC)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Modifies registry class (2 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes (pid | process):
  712 | NOTEPAD.EXE
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
  1372 | mshta.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
  PID 560 wrote to memory of 712 | 560 | rundll32.exe | NOTEPAD.EXE
  PID 560 wrote to memory of 712 | 560 | rundll32.exe | NOTEPAD.EXE
  PID 560 wrote to memory of 712 | 560 | rundll32.exe | NOTEPAD.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\HotCoffeeRansomware.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HotCoffeeRansomware.exe"
  - Drops startup file
  - Drops file in Program Files directory
C:\Windows\explorer.exe (depth 1)
  Command line: "C:\Windows\explorer.exe"
C:\Windows\explorer.exe (depth 1)
  Command line: "C:\Windows\explorer.exe"
C:\Windows\system32\rundll32.exe (depth 1)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\EnableRedo.txt.hotcoffee
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (depth 2)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EnableRedo.txt.hotcoffee
    - Opens file in notepad (likely ransom note)
C:\Windows\SysWOW64\mshta.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\HOT_COFFEE_README.hta"
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Desktop\HOT_COFFEE_README.hta
  MD5: 6e7b27b7aefb0b372b672ca6c4105d6c
  SHA1: 690ac02d79345d25b9d68315429c82089e284ceb
  SHA256: 6648a5494ef3ab26252c30c4f63ef76667c718126839ed8ac7bc3496fde8f64a
  SHA512: f81fd765119651631d439a945cc8ee26f9e3bb80a24e8dbd5ad91d5073b2611cd163a540f9b96b562fed87bc9601811f8d4e3fecca7fc9c016cd18e4a012662a
C:\Users\Admin\Downloads\EnableRedo.txt.hotcoffee
  MD5: d3df5dd4cbf65a5df65f21ce6d6aadea
  SHA1: e80730a97d593416acf3b7141e3a2983c7166fc1
  SHA256: d5d8fd3e321160d915f3203f9426010e21a5ced67c5c208575bc8084e547e846
  SHA512: 534fb29104fe7238a350094a710ca06ab4c32d87fda29b3e8c7b433c24e8463ecbd207a7c297e0cdb7e2aa15add2b60fda26fac8be161133a4b161ec03ab07ea
memory/712-56-0x0000000000000000-mapping.dmp
memory/1652-53-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp
  Filesize: 8KB