Overview

overview

7

Static

static

4

Coffalyser.Net.zip

windows10-2004-x64

7

Coffalyser.Net.msi

windows10-2004-x64

6

setup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    457s
  • max time network
    644s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-04-2024 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Coffalyser.Net.zip

  • Size

    6.6MB

  • MD5

    bdf2133ed0094dc3bef1c1ad2b8b3fd9

  • SHA1

    e564a09e8f6c6a8ad515cd63f1fe76e92be7f43f

  • SHA256

    cf012ec8f7bc81f97692912b4962914d941f25cff2358674bd52a8ddd03b22bc

  • SHA512

    9590952005cdd1123eed8e790fd7a78d039e0c282ad53a8d5038ced10007d353d9bbf714b73ce2f08af807b55307a5fc5765a93b1f71ecacb4763bf566db5f09

  • SSDEEP

    196608:PUHo8U517s/uN9db+QmoBHywxhMQum4bb39e8wv:PUq517XN9BRMQuRRc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 17 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 37 IoCs
  • Drops file in Windows directory 29 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Coffalyser.Net.zip
    1⤵
      PID:4528
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2440
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Coffalyser.Net\" -ad -an -ai#7zMap15776:86:7zEvent17378
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1252
      • C:\Windows\System32\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\Coffalyser.Net\Coffalyser.Net.msi"
        1⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe
          "C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2636
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 4190D846D0516B9CBD4E8AA8E648EB54 C
          2⤵
          • Loads dropped DLL
          PID:4048
        • C:\Windows\system32\srtasks.exe
          C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
          2⤵
            PID:4888
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding 4A057A31BA090B5E44D58494638411C2
            2⤵
            • Loads dropped DLL
            PID:2280
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding FCAE5939019ED4DBEAC6A04A58E80667 E Global\MSI0000
            2⤵
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Modifies data under HKEY_USERS
            PID:4000
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:2912

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e58876c.rbs
          Filesize

          22KB

          MD5

          f7f10d5d801a559fe2b55fd1217d6e81

          SHA1

          2864a5b093be8e95ef8782437ff3862087b8e03e

          SHA256

          bb1e72c42cf20d7635fac1b51fadeb46250eaf9b36b0b91f22b26464fe61efa7

          SHA512

          883151f1fe6ec64e2bdc62c3cf6a81cbae7e6c1198cbf32a07358fe7e584d4682efa27b4772262c359c63614acf6744f7cd425f7b79db9dc7672e401070c7c2d

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\BITSFramework.dll
          Filesize

          159KB

          MD5

          238c7b857e27d2d717fe672ec5d283a9

          SHA1

          0f9d171de653546263210996977676d252053e2e

          SHA256

          864aba86f52e48c71a958a50a28b2aecdec06906b8ef98d65eee56ac564b0b40

          SHA512

          6e77ef662031ec5e9d48ca997ec1a40600c05c18c10e9306575bb0aca21a1c6e0e1352f2acbc8bc08e16368922675aecb5b329e8643007f9217a60a53d1c97c5

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\Coffalyser.InstallDate
          Filesize

          19B

          MD5

          5f5b7e190f95f769191727521d026793

          SHA1

          83e375463b377c10de3fcf5952d3dcad8f57e13e

          SHA256

          60c6c0c07f6b84b63b16592cfe951109d56e6573aef320774705d07cda609ace

          SHA512

          c534a48201487c66c61c55c834f89a0041b2a7a7260b47d16b60586b6622923a0c45805dafd3c5f10b9fafa003c3b07391cf35688b376588e5a0a64193a37214

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserApplicationObjects.dll
          Filesize

          356KB

          MD5

          58010d303187b31564f4e048fe64e610

          SHA1

          aea484024d3d740095c50a74042c454be9704a0e

          SHA256

          6b559516aba465ec6254834d5ad4cddf9b95f33008162b04dd1d88b5309fd26f

          SHA512

          60897547b6459cb99d7726147671eebb95460cea6b7840a54d6aa59ce6b91d06c50e97a7a208eca12e33bde5d252cd26629ffc3d618f12a14659621bf3ac1691

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe
          Filesize

          3.9MB

          MD5

          d9d90d2914b6ac9073e28e22c6119219

          SHA1

          2f3622f206c202dc3f6b4133b61b3b88675cf1e6

          SHA256

          a1f3ac52b3d66c741015b74cb8c49c646de62021479dc1922e70a17339a7e418

          SHA512

          26a9ad10d35ba5e632e886d82b932e88c13829be61c7dbb73862ad4d5ff2f4008b1b4a9f9ea23686debbe8673009471bf909dae4966f6c77818fe9ee3703f08a

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe.config
          Filesize

          199B

          MD5

          267b7a371595c8c91005509e226a5e27

          SHA1

          e172c821a3dd91be05d25f51ec3f17ebab31b2bc

          SHA256

          d66d55f22821a4e245cccd8d4467ce49a122cff129c92ff02bb04a7bdf1a75c6

          SHA512

          232dcc8588804cbafac415695b8bff3c5f785b766684c58c5aff81429bc3c9ef82dfcd34d81f41827e882bbfe8363be5d66d4ed52f01b64f59b2b8960474103a

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserClientEngine.dll
          Filesize

          293KB

          MD5

          d7cf4ab2c8efb5a2f30fcab19a67fe85

          SHA1

          2843a9275a2bbde4b46554656fff503a8512c0df

          SHA256

          093371c074b76e22e422535ca84bc619c2853b595c60349d509144f31db1ca3d

          SHA512

          96e992e23970e247fbc225cce07c1c60d4702f34ba2ca9c5aa49f1f991bdf0d6271204bbc7c7d9fe6e4f3b48ac81de4b08ceb3fd02b77a99bb35e85d5822b67b

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserServer.exe
          Filesize

          100KB

          MD5

          58aa16a4f61682334d49f6085686185d

          SHA1

          57eaaf4c7375e18a51e899e0599366566cff85aa

          SHA256

          931c5d997bbe1af14276fe31514cff903e902634b0c11e0a7252fc8cde3b045f

          SHA512

          e0a37ca0ddd99bd2dbc3ab6a43db99c01df0bad72b0343d9f1d54260ff41555393650767cf22f7835217df6d2a58919b550e3dc31c1ab7f83f6c64c1d2331ef9

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\CoffalyserSharedLibrary.dll
          Filesize

          1.1MB

          MD5

          d4f86795260b451b6ac01d30c28924f4

          SHA1

          95964a45369e2bb7d6f815095025867de8ab6899

          SHA256

          969a14cd40ce93be9ba003675ba04c458153ded04b04e17bcf9a56ad2995cc1e

          SHA512

          db73276ed672c0d9f1ab7a7734fbcd8fa898993cbf321b87af87a2c42afbce5483f9813a0b0117d35bfcf0b203cfde2dbecf9ad34e17cd620f3d2258528aeee1

          Download Submit
        • C:\Program Files (x86)\MRC-Holland\Coffalyser.Net\MRCEnumeratedTypes.dll
          Filesize

          13KB

          MD5

          b8e67abf1c7467448b934434648404fc

          SHA1

          f9967ca0e7a468679fd71edb06837396af990f86

          SHA256

          a3bc6631aa7d764585456efc0c02b345d1cc7097d6b8c9722271b50d625f051e

          SHA512

          652345426d754d2a89d11ab2a1dc73ab8e46df9a916ea6dce764c7784b87beef432777abaeddfdb7e38e60e25a124edc088911b4c180076a18af6b3ecd6847ac

          Download Submit
        • C:\Users\Admin\AppData\Local\MRC-Holland___Berg_IT_Sol\CoffalyserClient.exe_Url_dwibwj4knjutmvrayd4igqq404y4z2z1\1.1.8794.35975\user.config
          Filesize

          1KB

          MD5

          586fa1d2a7d0f0bd48940f1db317915c

          SHA1

          fd528d1cfae51df175cbfed89203bf92c65f1465

          SHA256

          90bf2285e59f5091bd0c9df7852917efc46d9e126f9b9154432d8c85080317a4

          SHA512

          cb3d0842e699938203d22bd3269e0c9bc2afa53de8c5a257d27a9aa9e79334263cdc2d77997270ccfc73ce27aa110ed233f1061837ce214d2aada991f6a1290b

          Download Submit
        • C:\Users\Admin\AppData\Local\MRC-Holland___Berg_IT_Sol\CoffalyserClient.exe_Url_dwibwj4knjutmvrayd4igqq404y4z2z1\1.1.8794.35975\user.config
          Filesize

          1KB

          MD5

          434a68151e235ca1f2e651a7d93e1cfe

          SHA1

          ee03fa3fa8604b1d200d7547ca94d82ccf30f4ed

          SHA256

          b1f77fae3844d4d5b228770fa98dcef41febc88a9c3a6055a5849d351753bac1

          SHA512

          4a9c353d0e1f1dc2a1578dac395694bbee1ce9f274d47aac1291e0da5fbd020336bd2c9195fd8ff019cb73ac22336b0af3e5ac6d5aa11361ec2fb63150a99488

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\CFG87F8.tmp
          Filesize

          150B

          MD5

          2be48f533744efa173a2ede37ea8031e

          SHA1

          41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

          SHA256

          02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

          SHA512

          f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\MSI439C.tmp
          Filesize

          298KB

          MD5

          684f2d21637cb5835172edad55b6a8d9

          SHA1

          5eac3b8d0733aa11543248b769d7c30d2c53fcdb

          SHA256

          da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

          SHA512

          7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

          Download Submit
        • C:\Users\Admin\Desktop\Coffalyser.Net\Coffalyser.Net.msi
          Filesize

          3.5MB

          MD5

          addd9d4f6f554012abd98b0cfaeeefe6

          SHA1

          3c05dc5ef8f3c29d85d6c31aad5d57377660660e

          SHA256

          d15a9c675609d588840194282816c6e62446d4d7d9f581132b16018298d12c9d

          SHA512

          5fb20470cf8b9e0ca195c8d5b8180b41ed60f9b503aee9330197b5f9a8421501adf941c9c18ec8506dd8896b7f19fe3ddbd54b568c9e4e520e3c9cd1ea53dc58

          Download Submit
        • C:\Windows\Installer\MSI8B17.tmp
          Filesize

          106KB

          MD5

          77c9fc2bca8737f2de4d1d31ac0e385d

          SHA1

          4eb76332e4cfb9d217cd42b7a0a31fc1b092be98

          SHA256

          f9f945ef8cf84de18a4c2a5fabf14f425bec19225f99164684ef3f65e9eeadbd

          SHA512

          867b2d0b59c54b909076120f7a92bb7d1d3e86e098dfb0284d50592cf9ed6a03b5c9d24e6bba7d424c67a4b9c0564095a28f744af393fa276053073a7cdbb45f

          Download Submit
        • C:\Windows\Installer\{9AB1E652-E227-4B92-8D1B-41CD2393DCD9}\_13CC113B955C74DB64E6EF.exe
          Filesize

          9KB

          MD5

          ce8ee64c66e92bbb46231b1be06aba22

          SHA1

          5bb368fbcf57d92d8c83a4487fdde7e713ed3a24

          SHA256

          d4f066db44f8ec61d8ec183091bead9578022c2385d4f7552b32f1b0c53fd26b

          SHA512

          aa31399cde6457dfa727f3f21074efb8f1f5b7ff5bfee6e54231082e7e8f5d4b6d4df90d70529aaff3935bb3ab86dc86ac1a0d85429d247fdcff9720f4e2c0ec

          Download Submit
        • C:\Windows\Installer\{9AB1E652-E227-4B92-8D1B-41CD2393DCD9}\_7305611A7DA3319C7C1899.exe
          Filesize

          87KB

          MD5

          ee688eedd872255577e69efcfb3a5687

          SHA1

          4afa66759805476ac892d5f08b9610b0a8836d7d

          SHA256

          8b534b43b1e233069abaee86ac17fbef6a5bcd408ac08cf45e8e04864af761ba

          SHA512

          20900af4d98047ca08207571564d8fc5a9a2573a17c70389a0c5a8f8239817304ed82a1e9c8c855f3f11121efff0adb43ac4040efaa595b4be69090b9833e07d

          Download Submit
        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          23.7MB

          MD5

          587b7121031307d0754409d740e8f266

          SHA1

          96af0e2c11fc9f6ac1b8e68b7905305d91d6ee81

          SHA256

          a8c0e0c687c25e99fc197cabc37bf43f10c05417f579595fee3e17dc7b5999c7

          SHA512

          86911afdf29552e7f03d268fe2c9a81a822fca5c664e57ea1324e4094fafefb7484047ebd0568b423d97c542d210b11aea91df62fe2f540e3140b245a2c90863

          Download Submit
        • \??\Volume{dfbd5e8b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{34c2d1da-7b19-4906-8cdf-14beac6e0d79}_OnDiskSnapshotProp
          Filesize

          6KB

          MD5

          31bc09d8fee4d8c77b9ceb6f2b6d28cf

          SHA1

          a557fb84c6d7b609abe16855745bd647c2285928

          SHA256

          f9426ec45e9bfbc2f43ec576a3593e86414731e6e8a9fb1ed74241cd7745d17e

          SHA512

          4f5ec14e236cb603105b57d5a3294d77a19e400be80662f8c4d28af4e854af52e7853019c3b2d95dc2171d50927f7ac161676c7611a661e49df7c9c2b791830c

          Download Submit
        • memory/2636-154-0x0000000006000000-0x000000000600A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2636-155-0x00000000060D0000-0x00000000060DA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2636-134-0x0000000005BE0000-0x0000000005C72000-memory.dmp
          Filesize

          584KB

          Download
        • memory/2636-133-0x0000000006260000-0x0000000006804000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/2636-146-0x0000000006810000-0x000000000692E000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/2636-142-0x0000000006040000-0x0000000006090000-memory.dmp
          Filesize

          320KB

          Download
        • memory/2636-131-0x0000000074130000-0x00000000748E0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2636-132-0x0000000000F30000-0x0000000001314000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/2636-148-0x0000000006030000-0x0000000006040000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2636-175-0x0000000074130000-0x00000000748E0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2636-161-0x0000000006030000-0x0000000006040000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2636-138-0x0000000005B40000-0x0000000005B6E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/2636-160-0x00000000096B0000-0x0000000009CC8000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/2636-159-0x0000000009030000-0x0000000009090000-memory.dmp
          Filesize

          384KB

          Download
        • memory/4000-110-0x0000000005490000-0x00000000054A2000-memory.dmp
          Filesize

          72KB

          Download
        • memory/4000-111-0x0000000005520000-0x000000000555C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4000-108-0x0000000005460000-0x0000000005482000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4000-107-0x0000000005390000-0x00000000053B0000-memory.dmp
          Filesize

          128KB

          Download
        • memory/4000-102-0x00000000031F0000-0x000000000320A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4000-103-0x0000000074130000-0x00000000748E0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4000-126-0x0000000074130000-0x00000000748E0000-memory.dmp
          Filesize

          7.7MB

          Download