Resubmissions

05-10-2021 19:56

211005-yn32hsacd9 10

27-09-2021 13:20

210927-qlaceshagr 10

Analysis

  • max time kernel
    68s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    27-09-2021 13:20

General

  • Target

    HotCoffeeRansomware.exe

  • Size

    776KB

  • MD5

    c054c0f03277f7f0bdad9350fa3d5c2d

  • SHA1

    752071b548bb3a4c45c91174fcf5cf95ce99638a

  • SHA256

    546f3a70ab029ad78105f1b7cf581038362cfbb3c7120326075552d72656ec98

  • SHA512

    783a02a18f15c80c21cb08b9822ab02c0f62a11340edbbc44a364db9d820bda795db086f843ed3c2597d86c2933dc531ebdaa2ab3fc97e3f5e18aa3c437f6576

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOT_COFFEE_README.hta

Ransom Note
GIVE ME HOT COFFEE You have been bamboozled by the hot coffee ransomware. Your files have been encrypted using military grade encryption and only we have the decryption key. If you want to get your files back you need to pay a ransom of 1 large long black with an extra espresso shot. Email EMAIL@protonmail.com for further instructions. You have 7 days to pay or else.
Emails

EMAIL@protonmail.com

Signatures

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HotCoffeeRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\HotCoffeeRansomware.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    PID:968
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1652
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1604
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\EnableRedo.txt.hotcoffee
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EnableRedo.txt.hotcoffee
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:712
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\HOT_COFFEE_README.hta"
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1372

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Collection

      Data from Local System

      1
      T1005

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\HOT_COFFEE_README.hta
        MD5

        6e7b27b7aefb0b372b672ca6c4105d6c

        SHA1

        690ac02d79345d25b9d68315429c82089e284ceb

        SHA256

        6648a5494ef3ab26252c30c4f63ef76667c718126839ed8ac7bc3496fde8f64a

        SHA512

        f81fd765119651631d439a945cc8ee26f9e3bb80a24e8dbd5ad91d5073b2611cd163a540f9b96b562fed87bc9601811f8d4e3fecca7fc9c016cd18e4a012662a

      • C:\Users\Admin\Downloads\EnableRedo.txt.hotcoffee
        MD5

        d3df5dd4cbf65a5df65f21ce6d6aadea

        SHA1

        e80730a97d593416acf3b7141e3a2983c7166fc1

        SHA256

        d5d8fd3e321160d915f3203f9426010e21a5ced67c5c208575bc8084e547e846

        SHA512

        534fb29104fe7238a350094a710ca06ab4c32d87fda29b3e8c7b433c24e8463ecbd207a7c297e0cdb7e2aa15add2b60fda26fac8be161133a4b161ec03ab07ea

      • memory/712-56-0x0000000000000000-mapping.dmp
      • memory/1652-53-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp
        Filesize

        8KB