Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/03/2025, 16:36

General

  • Target

    2025-03-30_cf71eaad3c0e73f7fd474158996a89fe_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    5.1MB

  • MD5

    cf71eaad3c0e73f7fd474158996a89fe

  • SHA1

    c827f7716cf3624923ff604742af94f64a0bfff5

  • SHA256

    4320e9b474354a1ef0fb775139015f4b3840d67de52e3bd8b37081a8fc8cdb78

  • SHA512

    dd7e905f9f65b1312f2e74c4e0a723beeeeb52ae2d8002023167d05813ccc358e060521644ac685bba584221abf9add247d08e86593ff5c39f9909b3ee8cbbf5

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q46:ieF+iIAEl1JPz212IhzL+Bzz3dw/V4

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing 8 IoCs
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 3 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials among other items.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_cf71eaad3c0e73f7fd474158996a89fe_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_cf71eaad3c0e73f7fd474158996a89fe_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3972
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3736
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7-zip.dll

    Filesize

    4.2MB

    MD5

    e72c8d3065605950a0a5630daa6f78d6

    SHA1

    6a7e1ed0c363212e80d18a4606298fa851e91721

    SHA256

    9de2e59bd626ddedc7cac14703a0f8b8a662c98034b28f9dcbe5cc19461b639e

    SHA512

    900f2802538ec9b800ed1e002cef0c456b67f06c4444eebecd0ef86d260c27e8c4344080d4561d9247a9e2af905f48209fa6712cb60e2915dae2b80f4f5d871e

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OCW8WCW9\microsoft.windows[1].xml

    Filesize

    96B

    MD5

    fb9a29645d1a3cf05647fd840205508f

    SHA1

    6bfc1c6c221a4aea1db757464d6fd5a67a2413f0

    SHA256

    6a30ace2e8df5f229da7a971aa3f4bf510c2524182794bcf7c01f2aa87868e64

    SHA512

    107f334cc55d28cc7cfe178ebce6f9e91793c4099eb44f11a80c5cff867b0b89619ff770e0a8cc108a409c6572ba29c5adeebd713c66d9471377a73641b14be6

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

    Filesize

    2KB

    MD5

    9c898c94b4b7c97fac50bd2f670b66cc

    SHA1

    7623ca0730e82c45bd112869debcc8da97dd8968

    SHA256

    a05522a5f6e2ef4f0e05d66ac394fe74a8c802b79efd6931e4fe74564e0ed84a

    SHA512

    e5e5ba533ff497d45f56bd17ee4aa2fc5108993b4d74bef06539b7a2484243900f2fd5cf634a6d6949afc12f85ae17134c9a4068075c4741b2118647113427a4

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878262653022665.txt

    Filesize

    14KB

    MD5

    b9a3570135c6cdac61e23a655424bb81

    SHA1

    b25c823b867b820fa34e0d61892c99af1b3db241

    SHA256

    e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

    SHA512

    73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    8dc89ff5bab78fb446576fc0b29062ac

    SHA1

    1d77b9b6551dee804cd6cfd5b2bb56f4ca248c2b

    SHA256

    a6599ec380c347a0bac2736409ea8d831973100e950a6bd9406346e3588e9117

    SHA512

    0f4330a99c74bf03ed6ad1a37384cd359f1a7af389a9b5f77d045d16f4227fe138b24bafb97a0f7fb65fe496e532a332d067356497b550a5ea2562f056e23b84

  • C:\WINDOWS\FONTS\ANTQUAB.TTF

    Filesize

    4.3MB

    MD5

    613e1a643ffe7d4cd7e6dcf0c1ebc74c

    SHA1

    01930c40cf88c9a02651f967e7c801fd8deb6a11

    SHA256

    6fbe82b7c4d01451c47e47c05c66a254c6821b7c59654eec5f8ea0db42f82cdd

    SHA512

    23a19940e6a44e228e5cc889ab98f0a0f4d7894f834d4201f7d132c681435c439684d98a912c8cb3fd40483f292d597753383273ea36780b99dddd1a6d2fc7d6

  • C:\WINDOWS\FONTS\ANTQUABI.TTF

    Filesize

    4.3MB

    MD5

    dc5f64a2f39270cfee66c432eb2c866a

    SHA1

    ac85124614293cad531faaec5c44bca7a4a33573

    SHA256

    3396707d478dfc15022a6cb85efe0636ccf14564f258d825701ee1e90973c38a

    SHA512

    9970c81b700566d244f0edbc557618c3775fe5a59f7bf6e76133d0dcb45e2485b6e30e563826e45c2219b0f0c23684343b20d5d1fc2448b17b094626ac9da75d

  • C:\WINDOWS\FONTS\ANTQUAI.TTF

    Filesize

    4.2MB

    MD5

    7ef9919af7d4da1e52cbd2104d6f3a2e

    SHA1

    8ed6177a378ed47cb2619ff1c40216590e73ccdc

    SHA256

    d1990d04992f435ff4e66122fb440c078f5d6d19d5d4925df4c1b79b081d5f4d

    SHA512

    c1d3a3e60369d6a8a6d7bc4d8b90fdcaf4d300ac8b1aa7ff4fc951174858e0be998a1f4ee65760cdff451b64ce342b9c9edd28b3733f45f925987f8fe253f39e

  • C:\WINDOWS\FONTS\ARIALN.TTF

    Filesize

    4.3MB

    MD5

    a3b57f638f2d21929e9f4eaf8a03506b

    SHA1

    63721eb4f5e7587c76a38118c7e2bc41f93c0683

    SHA256

    8ca60240b1930b03616b7db6e4351c145df5b66c2cc35fe6b7cfca81d90725b0

    SHA512

    e744e0782c81f39eb5853815824d75d70906eae4d40bcc9fa06e17061e360ddf783e939f2584f0a4c9be64f5dc6081b785974e700304e38461edf090206c9558

  • C:\WINDOWS\FONTS\ARIALNB.TTF

    Filesize

    4.3MB

    MD5

    51baaacd56b41d8a9ff598d55fada0d0

    SHA1

    21d9e7396550ccaae05f2b9cb93e1b2e08d983ef

    SHA256

    2476195e68d57f1bebb999f308dc7fb18db2b49ce741c3a67eef693f9d923904

    SHA512

    6cbd838fc85dd6d79ba7008f34d31fe237270003c3adbbd2b7e410bc6f69ef911a1d47fe036f381972857b26bdd8befce9ff3b2fcaf107da9de39c9a38dc2b59

  • C:\WINDOWS\FONTS\BOOKOSB.TTF

    Filesize

    4.3MB

    MD5

    4805977e81e44ceae4ae92c5e16fbd73

    SHA1

    420f2665e1ef0969a6a6cff19559e307da1d7e5e

    SHA256

    bf82eaa768130e13bd01e9906a897cb640acec7ed52f2838509a381e12f813e2

    SHA512

    32ca43a4596bfc8f4977e8eae1e39384e728ed6a3c98d66ae6b3efe652bdb9a945073e5f930d5a1f3b3b2f224aeaad64be33d705dd283cc7c32180266f6aaad8

  • C:\WINDOWS\FONTS\REFSAN.TTF

    Filesize

    4.3MB

    MD5

    ba39b1bc139219c3fe55937468ef325f

    SHA1

    89c8ed8fdace9be9db204748073ca67abe0cd26f

    SHA256

    f59e2355e28ba5cd919d75c0d2fc478ce62ae27d134f236f3d3e44267f136c17

    SHA512

    a5fa0d49b9e8fcb86dc8e213ef5b95af0de4465c4563faa153f8fc1ba2b8715444c3660f1a111035170009c572f89b67d9340fe65f3af022bab87d2c47ccdc12

  • memory/1544-5867-0x000002019ECC0000-0x000002019ECE0000-memory.dmp

    Filesize

    128KB

  • memory/1544-5880-0x000002019EC80000-0x000002019ECA0000-memory.dmp

    Filesize

    128KB

  • memory/1544-5897-0x000002019F090000-0x000002019F0B0000-memory.dmp

    Filesize

    128KB

  • memory/3736-5823-0x000001B408B50000-0x000001B408B70000-memory.dmp

    Filesize

    128KB

  • memory/3736-5822-0x000001B4085C0000-0x000001B4085E0000-memory.dmp

    Filesize

    128KB

  • memory/3736-5814-0x000001B408800000-0x000001B408820000-memory.dmp

    Filesize

    128KB