Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/03/2025, 19:00

General

  • Target

    2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    aa627512df8f39f8522ce27a1b9721dd

  • SHA1

    23ddc0cc55e3eb4717f6e9f12b8c01e0c7cf036c

  • SHA256

    b86000a8e36f69a5767bab47f4a77c42ec1cedbb066ef685a0c0e828cb570981

  • SHA512

    5798ada28d270397210fa1ee0e759d65584afc89d0a19c3eccd9bcb64fe0f882165c9d4ba8e8baa335b4c6f9040b9bcb1d49d43615e9188e66b5e8e81b7d1360

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4R:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vb

Malware Config

Signatures

  • Gofing 3 IoCs

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity: the sample is encrypting files across the system and tagging each one with an appended extension.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows AutoRun (an autorun.inf dropped in a volume root) to spread to attached removable volumes. Windows 7 and later do not honour autorun.inf on non-optical removable media by default, so treat the dropped file as a propagation attempt and an indicator, not as guaranteed execution on the next host.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information (installed browsers and their profiles).

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
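The "Renames multiple (52) files with added filename extension" signature above is the single most reliable ransomware tell in this report. The following is an added example, not code from the sandbox report and not the Gofing sample's code, that reimplements that detection over a constructed list of file-rename events. The event tuple layout, the PIDs, the paths and the threshold of 20 are this example's own assumptions; a real feed would come from Sysmon (Event ID 11/23), ETW or a minifilter log.

```python
"""Flag mass 'rename with an appended extension' behaviour from file events.

Added example; not part of the sandbox report and not the Gofing sample's
code. The event tuple layout and the PIDs/paths below are constructed for
the illustration.
"""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed events: (pid, old_path, new_path).
SAMPLE_EVENTS = [
    (1376,
     rf"C:\Users\Admin\Documents\report{i}.docx",
     rf"C:\Users\Admin\Documents\report{i}.docx.locked")
    for i in range(52)
] + [
    # Benign renames by another process: the extension is replaced, not appended.
    (4972, r"C:\Users\Admin\Downloads\setup.tmp", r"C:\Users\Admin\Downloads\setup.exe"),
    (4972, r"C:\Users\Admin\Downloads\a.partial", r"C:\Users\Admin\Downloads\a.zip"),
    # Appended extension, but a single file: stays below any sensible threshold.
    (2396, r"C:\Users\Admin\notes.txt", r"C:\Users\Admin\notes.txt.bak"),
]


def appended_extension(old_path, new_path):
    """Return '.ext' if new_path is old_path with exactly one extra extension
    appended in the same directory, else None."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    if old.parent != new.parent or not new.name.startswith(old.name + "."):
        return None
    suffix = new.name[len(old.name):]
    # Exactly one dot and at least one character after it, e.g. '.locked'.
    return suffix if suffix.count(".") == 1 and len(suffix) > 1 else None


def detect_mass_rename(events, threshold=20):
    """Count appended-extension renames per process.

    Returns {pid: (rename_count, dominant_extension, distinct_source_dirs)}
    for every process at or above `threshold` renames. The threshold is an
    assumption for this example; the report's signature fired at 52 files.
    """
    per_pid_ext = defaultdict(Counter)
    per_pid_dirs = defaultdict(set)
    for pid, old, new in events:
        ext = appended_extension(old, new)
        if ext is None:
            continue
        per_pid_ext[pid][ext.lower()] += 1
        per_pid_dirs[pid].add(str(PureWindowsPath(old).parent).lower())
    hits = {}
    for pid, counter in per_pid_ext.items():
        total = sum(counter.values())
        if total >= threshold:
            ext, _ = counter.most_common(1)[0]
            hits[pid] = (total, ext, len(per_pid_dirs[pid]))
    return hits


if __name__ == "__main__":
    for pid, (n, ext, dirs) in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {n} files renamed with {ext} across {dirs} directories")
```

Requiring the original name to survive as a prefix is what separates an encryptor from an installer or a download manager that swaps `.tmp` for `.exe`; the per-process directory count is a cheap second signal, since a backup job usually appends `.bak` in one place while ransomware walks the whole profile.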

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1376
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4972
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2396
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:396

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7-zip.dll

    Filesize

    4.2MB

    MD5

    15c19275212f30393f4ad70bb124949c

    SHA1

    3ebb69edbf29051d3feaf5a1a840e3407b66cbc7

    SHA256

    2c2f4105530b068e7cbc57aca18edce7282502e8d60b22b7f4f58abee15859b1

    SHA512

    5413d24524d30a959ba002f613226011deaf9febd3f358455560a873576f90fc0c6d2ed0c39b4cfd4723d8dc026b93bcf78babe198ff9605bb1f282f187275f3

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

    Filesize

    4.4MB

    MD5

    020460534c8c874a99b6492a7c5f675f

    SHA1

    be6408f26d4a4c9d2961478dade7e4f3fe083031

    SHA256

    13b300b8d224620cab9fa85ab817302354e15ab0645e612bd9760b22f225ad97

    SHA512

    581fbb85dfc260e388b021f782c11b29d37cd135dcf03f40cbc70d545151493ce378309d9a31bad46458cfd7084a2bbaae2540eaeac16f231afe702df0a975fc

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

    Filesize

    5.8MB

    MD5

    fd02ad853e59441d7995fc6ffcf01093

    SHA1

    d1cd7104422325f26778b56fc04f20d1eef84cc6

    SHA256

    229a25dc79780b371097c097107fbc182b8ae7cc58d43c7e2e5a5a53793dff10

    SHA512

    481051510dfe19ee6288ca6434b039ea6f42b679934b0c50b2a73405ef8fad61a5bfbed6e92fe44b5ae4563b7cbc3cea246681ef7b0bfa874f6a72ab5407faa2

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7V6S7ER6\microsoft.windows[1].xml

    Filesize

    96B

    MD5

    b8166526c84ccfb1ad9551c5859d6f46

    SHA1

    0e6e5ad925ecb18b53bbc50f49739383fccaeeba

    SHA256

    45c3d89194c930caaf8c9eb3e731f965f66d4da43f5ea09e75d2d5af56a66a2e

    SHA512

    bfee9ad267a80233fff1d3cca395d4d91ae86a972344d2a84b95d3d4704d39a4e00bc6dedac123252aa6bd7b6cc136c5aeda7fc644a2b30fa430c9ae473cca7c

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{48c0d5ed-aec9-4acf-ba5f-9baf4a856dc2}\0.1.filtertrie.intermediate.txt

    Filesize

    5B

    MD5

    34bd1dfb9f72cf4f86e6df6da0a9e49a

    SHA1

    5f96d66f33c81c0b10df2128d3860e3cb7e89563

    SHA256

    8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

    SHA512

    e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{48c0d5ed-aec9-4acf-ba5f-9baf4a856dc2}\0.2.filtertrie.intermediate.txt

    Filesize

    5B

    MD5

    c204e9faaf8565ad333828beff2d786e

    SHA1

    7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

    SHA256

    d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

    SHA512

    e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878349256190901.txt

    Filesize

    27KB

    MD5

    1d146d16b2c54677eaac87f56b692019

    SHA1

    4fbe0314b9716d9293abffe4037703089c8c4ce7

    SHA256

    84816b23a781f3d0dd4e9c0cb1524b63ba4a4f0bdf4f2d30d74998e2a8986ae4

    SHA512

    11fa32b19a62c2295047fbb8ba1785d01d82c5153d2b11b9cb72b1d02270eaaa6ac9a5e866b5267a1a276f0ec3b123cfc2c48f8af8151c90947abe0a9d721557

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878349264788926.txt

    Filesize

    15KB

    MD5

    18bee33d1ae7e7ed4cff2dc793879d78

    SHA1

    dc48c4398fe220905c35a93b1bb1bb4235cae00f

    SHA256

    42031724f1ba0695be437e59142d6055b64543cfe3d86ea722736f575a840811

    SHA512

    7cba6d996376a7ebe347447ce43910a33cb124a9100bc7d745de24db1d277e0f3ad5ea2e89d8c9a30080079ccec9701e35c8fce579c108842ebe2eb14811309b

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

    Filesize

    277KB

    MD5

    cc1c9a63234fbb410468defdc66fcb24

    SHA1

    ddea4bb122734c56d95c3e9e69d551978eaf45d5

    SHA256

    174b129f3db14ba6b43e7b7b9d3bf816e2f15bd69c89b4da26841ed9971986a4

    SHA512

    65070892e0426186e408ad506f89aee76008d78c52e57472a94415f981a9b3ba5914285234258ad278df4b633c2d3d9d3cb7fcff6c75c43e4adb93586be95d6f

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

    Filesize

    276KB

    MD5

    a28f00b8ee65d75ff4f24f97fc445429

    SHA1

    8349d6f941c8a54fea1dd4e09e35c3a211a90c74

    SHA256

    bc831d0c0b1bd312af0fd7d14014daac3af4da7dbf66433d4bfd9c83b2669ba8

    SHA512

    794af2866cdfb4b8203dc6c511a4a28067b01791752b6f59679982fdf2b51395bed5c3dcd29f2b78ef6be7e748ec2e102b10172858a22b8cd72283f3aa361769

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

    Filesize

    13KB

    MD5

    380c22089e2e14f9bbdadcb701523447

    SHA1

    2fa63eb6773b190c2bcd1c4d4fae59c2c939c896

    SHA256

    e83633de231ffa57fab8df348883698ebd6550a687692178d09468f0ef3e9310

    SHA512

    a85bfbbdfc74e0faf2ea92131e81cd263769c60ec9389fe6c8e4f594598144dcc57595755c2f20ecd4170624915c8655991444756d57ed8dc94f00b14fd4116b

  • memory/396-6088-0x000001F8D6000000-0x000001F8D6100000-memory.dmp

    Filesize

    1024KB

  • memory/396-6106-0x000001F8D69E0000-0x000001F8D6A00000-memory.dmp

    Filesize

    128KB

  • memory/396-6127-0x000001F8D70F0000-0x000001F8D7110000-memory.dmp

    Filesize

    128KB

  • memory/396-6093-0x000001F8D6D20000-0x000001F8D6D40000-memory.dmp

    Filesize

    128KB

  • memory/2396-5861-0x000001F53FDE0000-0x000001F53FE00000-memory.dmp

    Filesize

    128KB

  • memory/2396-5891-0x000001F53FDA0000-0x000001F53FDC0000-memory.dmp

    Filesize

    128KB

  • memory/2396-5892-0x000001F5401B0000-0x000001F5401D0000-memory.dmp

    Filesize

    128KB

  • memory/4972-5791-0x000002238BAB0000-0x000002238BAD0000-memory.dmp

    Filesize

    128KB

  • memory/4972-5799-0x000002238BA70000-0x000002238BA90000-memory.dmp

    Filesize

    128KB

  • memory/4972-5800-0x000002238BE00000-0x000002238BE20000-memory.dmp

    Filesize

    128KB
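The Downloads list mixes files the sample wrote into Program Files (the 7-zip.dll and Office DLLs that back the "Loads dropped DLL" and "Drops file in Program Files directory" signatures) with cache files written by the three SearchApp.exe instances and with memory dumps that carry no hash. The following is an added example, not part of the sandbox report or any vendor tooling, that parses this page's plain-text layout into a hunt list. REPORT_EXCERPT is an abridged copy of four entries above (SHA512 omitted); the noise rules, the `sample_size` comparison and the assumption that everything under the Microsoft.Windows.Search package directory is sandbox background activity rather than sample output are this example's own.

```python
"""Turn the 'Downloads' section of a sandbox report into a hunt list.

Added example, not part of the sandbox report or any vendor tooling. Input
is the plain-text layout used on this page: a bullet with the path, then
Filesize/MD5/SHA1/SHA256/SHA512 labels, each followed by its value.
"""
import re

# Abridged copy of entries from the report above (SHA512 omitted).
REPORT_EXCERPT = r"""
  • C:\Program Files\7-Zip\7-zip.dll
    Filesize
    4.2MB
    MD5
    15c19275212f30393f4ad70bb124949c
    SHA1
    3ebb69edbf29051d3feaf5a1a840e3407b66cbc7
    SHA256
    2c2f4105530b068e7cbc57aca18edce7282502e8d60b22b7f4f58abee15859b1
  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
    Filesize
    4.4MB
    MD5
    020460534c8c874a99b6492a7c5f675f
    SHA1
    be6408f26d4a4c9d2961478dade7e4f3fe083031
    SHA256
    13b300b8d224620cab9fa85ab817302354e15ab0645e612bd9760b22f225ad97
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7V6S7ER6\microsoft.windows[1].xml
    Filesize
    96B
    MD5
    b8166526c84ccfb1ad9551c5859d6f46
    SHA1
    0e6e5ad925ecb18b53bbc50f49739383fccaeeba
    SHA256
    45c3d89194c930caaf8c9eb3e731f965f66d4da43f5ea09e75d2d5af56a66a2e
  • memory/396-6088-0x000001F8D6000000-0x000001F8D6100000-memory.dmp
    Filesize
    1024KB
"""

HASH_KEYS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize", *HASH_KEYS}

# Assumed noise rules for this example: memory dumps have no file to hunt,
# and the Search package directory is written by SearchApp.exe, not the sample.
NOISE_PATTERNS = [
    re.compile(r"^memory/"),
    re.compile(r"\\Packages\\Microsoft\.Windows\.Search_", re.IGNORECASE),
]


def parse_downloads(text):
    """State machine over the page layout: a bullet opens an entry, a label
    line names the next value, any other non-blank line is that value."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif line in LABELS:
            pending = line.lower()
        elif current is not None and pending is not None:
            current[pending] = line
            pending = None
    return entries


def valid_hashes(entry):
    """True if every hash present is lowercase hex of the right length."""
    for key, length in HASH_KEYS.items():
        value = entry.get(key.lower())
        if value is not None and not re.fullmatch(rf"[0-9a-f]{{{length}}}", value):
            return False
    return True


def hunt_list(entries, sample_size=None):
    """Drop noise and hashless entries; flag files whose reported size equals
    the submitted sample's (a hint that a legitimate DLL was overwritten)."""
    out = []
    for e in entries:
        if any(p.search(e["path"]) for p in NOISE_PATTERNS):
            continue
        if "sha256" not in e or not valid_hashes(e):
            continue
        out.append({
            "path": e["path"],
            "size": e.get("filesize"),
            "sha256": e["sha256"],
            "size_matches_sample": e.get("filesize") == sample_size,
        })
    return out


if __name__ == "__main__":
    for item in hunt_list(parse_downloads(REPORT_EXCERPT), sample_size="4.2MB"):
        print(item["sha256"], item["path"], "(same size as sample)" if item["size_matches_sample"] else "")
```

The size flag is the check a practitioner wants here: the dropped 7-zip.dll is reported at 4.2MB, the same as the submitted executable, so it should be compared against a known-good 7-Zip install rather than trusted by path, while the Office DLLs at 4.4MB and 5.8MB warrant the same comparison without that extra hint.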