Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/03/2025, 18:13

General

  • Target

    2025-03-30_4cb16c963d08669290fb79ab1b68f329_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.1MB

  • MD5

    4cb16c963d08669290fb79ab1b68f329

  • SHA1

    89dd1db2b16b58f5113bc8fe1b9d3711f7466dae

  • SHA256

    b5c989499aef0953dd2c2678f390f7bc41cf84c16baad785f684a67898e9aa7c

  • SHA512

    bb3ef34528ce0dfbd6ad28856e6382a420d4c959328d096d20820afc1077d0450ea80c617a6272cec4c61f03a972670cad801fef064844e97d45aa3de3767214

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4r:ieF+iIAEl1JPz212IhzL+Bzz3dw/V5

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family 4 IoCs

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
  • Renames multiple (51) files with added filename extension

    This suggests ransomware activity: the files across the system are being encrypted and renamed.

  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_4cb16c963d08669290fb79ab1b68f329_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_4cb16c963d08669290fb79ab1b68f329_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2716
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:544
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7z.dll

    Filesize

    5.9MB

    MD5

    48f916bf02a3413da02cce3d23a26893

    SHA1

    93aa05143950f17cc389aa81fa3a0693c6e15655

    SHA256

    a13e5ab3e2032eab478239947bf317b0ca63a4764298a65d0a090b20d67eab30

    SHA512

    f3f2f33cf02f0bc7888cbd27cccb97071cc1701a37b869da86f1fd38df354cde633e79f31064823e733bda1586eebc3c38a175622b83ccec8b78c2c1dfb87c31

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

    Filesize

    4.4MB

    MD5

    fb4d55c9bc119fd1c2b701646e7ea94f

    SHA1

    569b3bbbaf9d77ba70deb144b16fb951531af6da

    SHA256

    3f2f142dd9b6ce1f9c78f9a0c17cf152c7976e955ef4487d57bb996b3bcbcef4

    SHA512

    108090539d54a8274105d5fe458e59537fc65335869ee0842525a23f94d777fdca6f96f39dd2d28005f49100a81b9a43c64fb3494d53497f96e2750805ed64cb

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

    Filesize

    5.8MB

    MD5

    8c17fb520843cd891c5ae31d774a2fe2

    SHA1

    b38307f50569423bcb6d3049216da12cd46be87d

    SHA256

    ddc4acd8a76daf6659295ed9ecf318441fa493cb203026006a2fa6d3ca607301

    SHA512

    bb18985ef7c3b49daa91ebf143cf32aab8e835d70db580920163916ba7050af9923c92a2e9c2d4a9fc0cf84195dbee09b6a0b3f4e8b58e98d0801376a84ab68a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DE8CY514\microsoft.windows[1].xml

    Filesize

    97B

    MD5

    486d48c9c22611fddec58fa1d1269490

    SHA1

    e178d26baba8017a1cdec967ba0f580422d49063

    SHA256

    8574ca1caf9544f0d15b922723c39ed1954f436879927f6413208b2ee2c3e306

    SHA512

    e6e41a39725ecb0b98c8faf134e24a4a891d1982b30be8a31b3cee642dafc12f00c2018d701b535f8ab904264f023a718e2e7b5d927e3d8871c3dce032fdc00c

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878320946884924.txt

    Filesize

    14KB

    MD5

    b9a3570135c6cdac61e23a655424bb81

    SHA1

    b25c823b867b820fa34e0d61892c99af1b3db241

    SHA256

    e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

    SHA512

    73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

    Filesize

    13KB

    MD5

    2e6fd628c9c496e5a702e53c921d702d

    SHA1

    d2e806d3c5efa09c633719b6392ffc840e1efaa5

    SHA256

    1a2ebe3c42b2478c9d62a17a0dadaac16cee414eb25c7d8b3befeee6b200a8f7

    SHA512

    7287547f4e75c1e6307cf817d127d6cab5e6e4a51d2219f04e9020e67b586d7d759410cfde201b3d690d132218916b0b5f5a05acc8f4fcf72655fbb530ebe90b

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

    Filesize

    12KB

    MD5

    1e3bcae962f769dc414086518f6cd813

    SHA1

    7ecd07c3fda50cecce9cfc719d5ef2a10604ccfb

    SHA256

    26fff0760d9971df18b776e4a621aaca560f35f569625af3b51fb4b82733e15b

    SHA512

    05b1d0e50360b0523f02579c78613aa76b09858b09d1dbef2ac8dfe64ae9051c66b11a950f906a3d3d541786e543edaeb7457de556c5f9693bba011fd63f057a

  • C:\WINDOWS\FONTS\ANTQUAB.TTF

    Filesize

    4.3MB

    MD5

    22c1a98b319b9aefdf61a8fcaa4864f1

    SHA1

    c35ccbb88cdc9c9747a0c37a46dccbfe3ba0cfde

    SHA256

    66d775f33ad571292766b8b9cc9a002b806842f21f68db20d705e5164c18be78

    SHA512

    b19332b91c774ce2257b3af3159fab8e7f02133b809f23006a9547906a883b52093c0c8618a9d5c5a3e5948fc3004c4a172eda4a486d0c80d082335cdda84f93

  • memory/544-5800-0x00000243E74F0000-0x00000243E7510000-memory.dmp

    Filesize

    128KB

  • memory/544-5799-0x00000243E7160000-0x00000243E7180000-memory.dmp

    Filesize

    128KB

  • memory/544-5791-0x00000243E71A0000-0x00000243E71C0000-memory.dmp

    Filesize

    128KB

  • memory/1340-5914-0x0000028714F00000-0x0000028715000000-memory.dmp

    Filesize

    1024KB

  • memory/1340-5919-0x0000028F17060000-0x0000028F17080000-memory.dmp

    Filesize

    128KB

  • memory/1340-5941-0x0000028F17020000-0x0000028F17040000-memory.dmp

    Filesize

    128KB

  • memory/1340-5970-0x0000028F17440000-0x0000028F17460000-memory.dmp

    Filesize

    128KB