Overview

overview

7

Static

static

3

caffeine32.exe

windows10-2004-x64

1

caffeine64.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2023 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    caffeine64.exe

  • Size

    423KB

  • MD5

    94eb3de6900dfa5c1165cfe416096a72

  • SHA1

    a098e25990ad1f0e8bedb0764ab63f6ba5fc5926

  • SHA256

    c0593b4b65bb264a982d61a7b84f38b10a41972b49a217ef3a80a906a0c4ee08

  • SHA512

    01c1ecddd30af98488668ed53cff9afb02ebe6262e88ccef34353baff133ed06ac395609a6194c1b9b2b42bafe8707fe6494c8ef88bd574472c643aebe211a24

  • SSDEEP

    6144:E41JKq9T+/k5AgVHDljl5g/dObY34CkfSy5rJUgj2TpgdEhpNACHXivi5:ja0+/i9Tl5gmYrMSy5uuEzHXv5

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\caffeine64.exe
    "C:\Users\Admin\AppData\Local\Temp\caffeine64.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3536
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4812
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.0.1518180570\27952747" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a35d1a54-ebcd-4c7b-8da5-1c49715a4874} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 1960 19d0f6cf358 gpu
          3⤵
            PID:3280
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.1.1347805441\1527648166" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d30fd5b-e77b-48ff-81ee-94351e32eb32} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2364 19d0ee3c858 socket
            3⤵
              PID:4280
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.2.1750572108\2057893350" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 20999 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b499a579-0e5c-4aa5-b232-8b5e5c6b0a88} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3188 19d0f661d58 tab
              3⤵
                PID:3616
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.3.1932861998\91263000" -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a466547-abfd-4ba7-afea-d09ae98b70ef} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3640 19d02ae8858 tab
                3⤵
                  PID:4480
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.4.362458738\156349037" -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 4136 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0361c949-9871-4114-b597-1e98d4e698fe} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4156 19d1473b358 tab
                  3⤵
                    PID:3848
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.5.2041091466\1521219999" -childID 4 -isForBrowser -prefsHandle 2760 -prefMapHandle 5284 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae8826ae-6fad-4260-a63d-d96992481847} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5308 19d158d7258 tab
                    3⤵
                      PID:1676
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.7.1360418677\1514015958" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 2888 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1536d821-1f34-4fbb-affe-202032c207a9} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5544 19d16299b58 tab
                      3⤵
                        PID:5072
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.6.1691424716\1155765974" -childID 5 -isForBrowser -prefsHandle 2844 -prefMapHandle 2840 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3808a3ef-930d-49a1-9b16-059ecf7d6142} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5456 19d158d7e58 tab
                        3⤵
                          PID:4484
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.8.201669343\416831688" -childID 7 -isForBrowser -prefsHandle 4196 -prefMapHandle 4492 -prefsLen 26656 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a9ee021-8f8f-4ea9-820b-e13efe9afcc8} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5964 19d154fcc58 tab
                          3⤵
                            PID:5560
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.9.1076520935\1546795559" -childID 8 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 26831 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e592c9b-44e0-4505-9f09-db9af3aca7d8} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5408 19d12595a58 tab
                            3⤵
                              PID:1856
                        • C:\Users\Admin\AppData\Local\Temp\Temp1_caffeine.zip\caffeine64.exe
                          "C:\Users\Admin\AppData\Local\Temp\Temp1_caffeine.zip\caffeine64.exe"
                          1⤵
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          • Suspicious use of SetWindowsHookEx
                          PID:5952
                        • C:\Program Files\7-Zip\7zG.exe
                          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17724:78:7zEvent29716
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          PID:4472
                        • C:\Users\Admin\Downloads\caffeine64.exe
                          "C:\Users\Admin\Downloads\caffeine64.exe"
                          1⤵
                          • Executes dropped EXE
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          • Suspicious use of SetWindowsHookEx
                          PID:3492
                        • C:\Windows\system32\taskmgr.exe
                          "C:\Windows\system32\taskmgr.exe" /0
                          1⤵
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:4920

                        Network

                        MITRE ATT&CK Matrix ATT&CK v13

                        Initial Access

                        Execution

                        Persistence

                        Privilege Escalation

                        Defense Evasion

                        Credential Access

                        Discovery

                        Query Registry

                        3
                        T1012

                        Peripheral Device Discovery

                        1
                        T1120

                        System Information Discovery

                        2
                        T1082

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Resource Development

                        Reconnaissance

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzw33i5d.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize

                          21KB

                          MD5

                          c2ac8c7207fad0a92c2b7fe4f0bdda79

                          SHA1

                          65aed18753e131025ccf189b9e2342b8e97059fc

                          SHA256

                          7e0550ad8dacc57489f59b41e101d7ad3031d446d166bca8584ded9ce9f27d73

                          SHA512

                          99ffbfca99a1dc15830b6d0b3297406c40fdfeebc0e703e8b7d5e0dad69f512468e40dd2b9e0d41e93eb098a02ecc1fc97a3682720c2b7b6e25f538844d4e0d4

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzw33i5d.default-release\cache2\doomed\10487
                          Filesize

                          10KB

                          MD5

                          af61959d9a24b114d6c2edbb90059027

                          SHA1

                          67b89b5717a64fd591c748cc8c8e74b206723359

                          SHA256

                          0d91affa1b01e163e3c901df05a82fa10250d6efad8a5ddccd608755bc4bd990

                          SHA512

                          1c9cc3a4c563438fdad0f51a3e5ef3d33fe7eae292116bee4b7287229a4088a65f2ea204a098e2e864fac3a272db28cd538372f6a5f7d49c3bff897573efcba6

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js
                          Filesize

                          7KB

                          MD5

                          8698d9e9b60fa462cb3cdfc1483d4961

                          SHA1

                          eafbbd2ffceae161c16a46ca9dee3b67dee29524

                          SHA256

                          be4fa75ce271b641eff7f6a46569f6903d406887ba5d5698257eca9264c16056

                          SHA512

                          1df66a47069b52e9ebe06f5d6169cd3e717ec104228d3af9acf83c9cc7d81cc7e4b847f0ced2f8c612650d70ac0556e635cc063fc01af2a3fbc93e85b5a554a4

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          34bad21f0e2f2b30120a3356fd7eded1

                          SHA1

                          3e804ec03a8d2595dbd6fc9803a428328a55192c

                          SHA256

                          fee0a4a2f0aedae6f7175af62c7954d01dc8403044103f7857dab0ab65804542

                          SHA512

                          1a0966b12f53c28508417fc281edb99007bfb12e3170bcaaf597fada3478eb3c2e48070cf505c09caeedab4b8e5279702c33639dac462f7e4370a976311be385

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          3KB

                          MD5

                          29a55ebeb2f8a1ce1bca1b840022bb5b

                          SHA1

                          79e6f69f14c3b473e17e55c0a80c586dc75c3585

                          SHA256

                          b110e87ae37ddf5399ce41865ac736d201b908c684a7827d92a9b624a0a0e61f

                          SHA512

                          9368fbcb5bf6cdcc1aa69b9359670ec77c7d14f67f6959a946868a05d9ecbc501c002e48bd5f169ac2f30bedaa31da084b68cea70205d7a78d1ed6a57627eb3b

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          5KB

                          MD5

                          e6790de500f0d66521e0472af6ed40d9

                          SHA1

                          177fc6c3c19b819797d3ea089aed6336cbdbc7cb

                          SHA256

                          3e019aeda99cea5aac5e9bf79a190ca826026cabc0ef2c8d11562e1687d29cc0

                          SHA512

                          1153575d577737dd879b7ffe4c20004fb02228ac23873026388b00eaf38a7778d3ad66354bcc7569dfa91a0d53fb74bbc7649b9e6e0a5fffd8d5b302ac6dbdee

                          Download Submit
                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          5KB

                          MD5

                          958817724801c2c06235908bf7418ef1

                          SHA1

                          cb3d6e28a01170156192b7561ef8d0d140295eb7

                          SHA256

                          1d6784fe46931481a52846ddff2f508b89ad923fffc8230ede4671b091bc0518

                          SHA512

                          5eae339f24bf9ee551a04874cd467ac70186b3e526b2011cf564309e3d263c872e9c6e5ed1c4e2f1516d520515af401794b272bc3f30e0f0d6e3d0071d1cde76

                          Download Submit
                        • C:\Users\Admin\Downloads\caffeine.j8O3s6GN.zip.part
                          Filesize

                          196KB

                          MD5

                          aa5c088be84af8fa529c6411d1ea9577

                          SHA1

                          3766ebd806d5564bb7f5a4589775db2746be734c

                          SHA256

                          d364f7080de27c18e04795cc29b41e9c303b391eb325e06fab332e7ce2d47350

                          SHA512

                          3cad7f0321b4b94712eae89967d71c1f95ffe02a5baccbd7e6c229d388c262dc38d853e422ec9a995e3323c8e517b23a4bba8b7ba29a5bef84612d44d1703de0

                          Download Submit
                        • C:\Users\Admin\Downloads\caffeine.zip
                          Filesize

                          305KB

                          MD5

                          18df4682a1c0a6a7f1c53160dc0b27ae

                          SHA1

                          90b5ada06055ca06d8a66a18f6cf05380076c79d

                          SHA256

                          083b16e4100e7a59f8ac5094938a88da47b2547f5b9eac21cc55c96ad9200585

                          SHA512

                          9ba2fd4d1e2336e396b97b4259240d0b6fe3fd576a1197a1897ecc1e5efcd2f3cc7b346d6afc00ff29a4d9138d8b189226963b3a4e05038324605b134156e47e

                          Download Submit
                        • C:\Users\Admin\Downloads\caffeine64.exe
                          Filesize

                          423KB

                          MD5

                          94eb3de6900dfa5c1165cfe416096a72

                          SHA1

                          a098e25990ad1f0e8bedb0764ab63f6ba5fc5926

                          SHA256

                          c0593b4b65bb264a982d61a7b84f38b10a41972b49a217ef3a80a906a0c4ee08

                          SHA512

                          01c1ecddd30af98488668ed53cff9afb02ebe6262e88ccef34353baff133ed06ac395609a6194c1b9b2b42bafe8707fe6494c8ef88bd574472c643aebe211a24

                          Download Submit
                        • C:\Users\Admin\Downloads\caffeine64.exe
                          Filesize

                          423KB

                          MD5

                          94eb3de6900dfa5c1165cfe416096a72

                          SHA1

                          a098e25990ad1f0e8bedb0764ab63f6ba5fc5926

                          SHA256

                          c0593b4b65bb264a982d61a7b84f38b10a41972b49a217ef3a80a906a0c4ee08

                          SHA512

                          01c1ecddd30af98488668ed53cff9afb02ebe6262e88ccef34353baff133ed06ac395609a6194c1b9b2b42bafe8707fe6494c8ef88bd574472c643aebe211a24

                          Download Submit
                        • memory/4920-308-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-309-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-310-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-314-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-316-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-318-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-319-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-320-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-317-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4920-315-0x00000281834E0000-0x00000281834E1000-memory.dmp
                          Filesize

                          4KB

                          Download