| File name: | Coffalyser.Net.msi |
| Full analysis: | https://app.any.run/tasks/933ae036-bf13-41be-a899-50da06e59b54 |
| Verdict: | Malicious activity |
| Analysis date: | June 23, 2024, 12:56:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {296F1FB1-689C-4183-839A-037E369E8A23}, Title: Coffalyser.Net, Author: MRC Holland, Number of Words: 2, Last Saved Time/Date: Mon Jan 29 18:59:19 2024, Last Printed: Mon Jan 29 18:59:19 2024 |
| MD5: | ADDD9D4F6F554012ABD98B0CFAEEEFE6 |
| SHA1: | 3C05DC5EF8F3C29D85D6C31AAD5D57377660660E |
| SHA256: | D15A9C675609D588840194282816C6E62446D4D7D9F581132B16018298D12C9D |
| SSDEEP: | 98304:fxOb0el1eMpCeUSJp35+MyuVWFRMe4e7XxzS4grMpPnIMAyW3Zo+nW6O+/PxlQip:5g2CoH |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 3416)
- msiexec.exe (PID: 3280)
Creates a writable file in the system directory
- CoffalyserServer.exe (PID: 2856)
SUSPICIOUS
Process drops legitimate windows executable
- msiexec.exe (PID: 3280)
- msiexec.exe (PID: 3416)
Executes as Windows Service
- VSSVC.exe (PID: 2108)
- CoffalyserServer.exe (PID: 2856)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 3280)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 2500)
- CoffalyserClient.exe (PID: 2520)
- CoffalyserClient.exe (PID: 4024)
- CoffalyserServer.exe (PID: 2856)
- CoffalyserClient.exe (PID: 1156)
Reads the Internet Settings
- CoffalyserClient.exe (PID: 2520)
- CoffalyserClient.exe (PID: 4024)
- CoffalyserClient.exe (PID: 1156)
Application launched itself
- CoffalyserClient.exe (PID: 2520)
- CoffalyserClient.exe (PID: 4024)
INFO
Reads the computer name
- msiexec.exe (PID: 3280)
- msiexec.exe (PID: 3216)
- msiexec.exe (PID: 3056)
- msiexec.exe (PID: 2500)
- CoffalyserClient.exe (PID: 2520)
- CoffalyserClient.exe (PID: 4024)
- CoffalyserClient.exe (PID: 1156)
- CoffalyserServer.exe (PID: 2856)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3416)
- msiexec.exe (PID: 3280)
Reads the machine GUID from the registry
- msiexec.exe (PID: 3280)
- msiexec.exe (PID: 3216)
- msiexec.exe (PID: 3056)
- msiexec.exe (PID: 2500)
- CoffalyserClient.exe (PID: 2520)
- CoffalyserClient.exe (PID: 4024)
- CoffalyserClient.exe (PID: 1156)
- CoffalyserServer.exe (PID: 2856)
Application launched itself
- msiexec.exe (PID: 3280)
Checks supported languages
- msiexec.exe (PID: 3280)
- msiexec.exe (PID: 3216)
- msiexec.exe (PID: 3056)
- CoffalyserClient.exe (PID: 2520)
- msiexec.exe (PID: 2500)
- CoffalyserClient.exe (PID: 4024)
- CoffalyserClient.exe (PID: 1156)
- CoffalyserServer.exe (PID: 2856)
Create files in a temporary directory
- msiexec.exe (PID: 3216)
- msiexec.exe (PID: 3280)
- msiexec.exe (PID: 3056)
Creates a software uninstall entry
- msiexec.exe (PID: 3280)
Creates files or folders in the user directory
- CoffalyserClient.exe (PID: 2520)
Reads Environment values
- CoffalyserServer.exe (PID: 2856)
- CoffalyserClient.exe (PID: 1156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (90.2) |
|---|---|---|
| .msp | | | Windows Installer Patch (8.4) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CreateDate: | 1999:06:21 07:00:00 |
|---|---|
| Software: | Windows Installer |
| Security: | Password protected |
| CodePage: | Windows Latin 1 (Western European) |
| Template: | Intel;1033 |
| Pages: | 200 |
| RevisionNumber: | {296F1FB1-689C-4183-839A-037E369E8A23} |
| Title: | Coffalyser.Net |
| Subject: | - |
| Author: | MRC Holland |
| Keywords: | - |
| Comments: | - |
| Words: | 2 |
| ModifyDate: | 2024:01:29 18:59:19 |
| LastPrinted: | 2024:01:29 18:59:19 |
Total processes
52
Monitored processes
10
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1156 | "C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe" /SERVICE_CONFIGURE | C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe | CoffalyserClient.exe | ||||||||||||
User: admin Company: MRC-Holland / Berg IT Solutions (BITS) Integrity Level: HIGH Description: CoffalyserClient Version: 1.1.8794.35975 Modules
| |||||||||||||||
| 2108 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2500 | C:\Windows\system32\MsiExec.exe -Embedding A4D9346EDE563C273324245531150075 E Global\MSI0000 | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2520 | "C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe" | C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe | msiexec.exe | ||||||||||||
User: admin Company: MRC-Holland / Berg IT Solutions (BITS) Integrity Level: MEDIUM Description: CoffalyserClient Exit code: 999 Version: 1.1.8794.35975 Modules
| |||||||||||||||
| 2856 | "C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserServer.exe" | C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserServer.exe | services.exe | ||||||||||||
User: SYSTEM Company: MRC-Holland / Berg IT Solutions (BITS) Integrity Level: SYSTEM Description: CoffalyserServerEngine Version: 1.1.8794.35974 Modules
| |||||||||||||||
| 3056 | C:\Windows\system32\MsiExec.exe -Embedding 0EA7478EA31B57B229520E9FBF51C486 | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3216 | C:\Windows\system32\MsiExec.exe -Embedding B6C1DC031827F4424E717DB64686F8AD C | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3280 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3416 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\Coffalyser.Net.msi | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4024 | "C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe" /SERVICE_CONFIGURE | C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe | CoffalyserClient.exe | ||||||||||||
User: admin Company: MRC-Holland / Berg IT Solutions (BITS) Integrity Level: MEDIUM Description: CoffalyserClient Exit code: 999 Version: 1.1.8794.35975 Modules
| |||||||||||||||
Total events
13 508
Read events
13 161
Write events
319
Delete events
28
Modification events
| (PID) Process: | (3280) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000FCD413D56CC5DA01D00C0000BC0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3280) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4000000000000000FCD413D56CC5DA01D00C0000BC0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3280) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 75 | |||
| (PID) Process: | (3280) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4000000000000000D055D7D56CC5DA01D00C0000BC0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3280) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000002AB8D9D56CC5DA01D00C000088090000E80300000100000000000000000000008D47507EE08AE24CBE5EF73EF12328460000000000000000 | |||
| (PID) Process: | (2108) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004606E8D56CC5DA013C080000900B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2108) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004606E8D56CC5DA013C080000FC080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2108) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000A068EAD56CC5DA013C08000020080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2108) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000A068EAD56CC5DA013C080000180B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2108) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 4000000000000000FACAECD56CC5DA013C080000FC080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
33
Suspicious files
17
Text files
28
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3280 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3280 | msiexec.exe | C:\Windows\Installer\MSI2C59.tmp | binary | |
MD5:602DCB15AFC53300FECBEA6BEABB9C4D | SHA256:FF48BC4A4CAC08BBF15AB509A3E4DF19B4E49CDFA24FE3B3076B38DB396D0CE6 | |||
| 3280 | msiexec.exe | C:\Windows\Installer\5262d.msi | executable | |
MD5:ADDD9D4F6F554012ABD98B0CFAEEEFE6 | SHA256:D15A9C675609D588840194282816C6E62446D4D7D9F581132B16018298D12C9D | |||
| 3280 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{7e50478d-8ae0-4ce2-be5e-f73ef1232846}_OnDiskSnapshotProp | binary | |
MD5:C7C6A432C7B6CB3306DF8771D5D1AB19 | SHA256:5C75923D9EF1AC5C5E780244FC62415ED2C9E76EDAE5DDBBB0B3F8F711DEBE8E | |||
| 3280 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:C7C6A432C7B6CB3306DF8771D5D1AB19 | SHA256:5C75923D9EF1AC5C5E780244FC62415ED2C9E76EDAE5DDBBB0B3F8F711DEBE8E | |||
| 3056 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\CFG2998.tmp | xml | |
MD5:2BE48F533744EFA173A2EDE37EA8031E | SHA256:02375FA63B79648ED6BB419C08F78BA9032EE22BA7170250E24427F47FDDFA4E | |||
| 3280 | msiexec.exe | C:\Windows\Installer\MSI291B.tmp | executable | |
MD5:684F2D21637CB5835172EDAD55B6A8D9 | SHA256:DA1FE86141C446921021BB26B6FE2BD2D1BB51E3E614F46F8103FFAD8042F2C0 | |||
| 3280 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFC8B874E28244A52F.TMP | binary | |
MD5:ABA8922058628525F877038B1AB2E5C7 | SHA256:AD93C4EA30218C67822EB66CB2FA8AB8B0A05310300335EEED4FF46E755AD9C6 | |||
| 3280 | msiexec.exe | C:\Windows\Installer\MSI2999.tmp | executable | |
MD5:684F2D21637CB5835172EDAD55B6A8D9 | SHA256:DA1FE86141C446921021BB26B6FE2BD2D1BB51E3E614F46F8103FFAD8042F2C0 | |||
| 3280 | msiexec.exe | C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserAnalysis.dll | executable | |
MD5:815379B9535DB5FF06F77E90725CDF0B | SHA256:3984AFC4AF6FCEF4392EBF8F88E583D2DD782E08CB166C345E443746E0F2EBD6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1372 | svchost.exe | GET | 304 | 23.52.1.232:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.218.107.179:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 23.52.1.232:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2564 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1372 | svchost.exe | 23.52.1.232:80 | ctldl.windowsupdate.com | Akamai International B.V. | US | unknown |
1372 | svchost.exe | 23.218.107.179:80 | crl.microsoft.com | Akamai International B.V. | US | unknown |
1372 | svchost.exe | 92.122.89.124:80 | www.microsoft.com | Akamai International B.V. | NL | unknown |
1060 | svchost.exe | 23.52.1.232:80 | ctldl.windowsupdate.com | Akamai International B.V. | US | unknown |
— | — | 255.255.255.255:1231 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
CoffalyserClient.exe | CoffalyserClient.exe Information: 0 : |
CoffalyserClient.exe | skipped the text trace listener
|
CoffalyserClient.exe | CoffalyserClient.exe Warning: 0 : |
CoffalyserClient.exe | trying to restart the application (file name: C:\Program Files\MRC-Holland\Coffalyser.Net\CoffalyserClient.exe, verb: , arguments: /SERVICE_CONFIGURE)
|
CoffalyserClient.exe | CoffalyserClient.exe Information: 0 : |
CoffalyserClient.exe | skipped the text trace listener
|
CoffalyserClient.exe | CoffalyserClient.exe Warning: 0 : |
CoffalyserClient.exe | user requested the service configuration (with argument)
|
CoffalyserClient.exe | CoffalyserClient.exe Error: 0 : |
CoffalyserClient.exe | the service config requires administrative privileges which are not available
|