Overview

overview

10

Static

static

10

2025-04-03...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-03_444c646c911e16567fbbf1aac31755d9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.1MB

  • MD5

    444c646c911e16567fbbf1aac31755d9

  • SHA1

    f319c261ffac3fc3a46d6aee320bb267d0053ffe

  • SHA256

    db6d9a256bd4fab0f04c5cda37ea8d85edb1cd468e3793ceaf8d833afb6d587d

  • SHA512

    396e591a0c54452067083899aa0cb16017e160494cea8790ce427eddf5ebb558b5b44f2984ef0b866bbe2de6462ac05a9e2878ef018c815da9c347caa915ecca

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4W:ieF+iIAEl1JPz212IhzL+Bzz3dw/VE

Score
10/10
gofingcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    ransomwaregofing
  • Gofing family
    gofing
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-03_444c646c911e16567fbbf1aac31755d9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-03_444c646c911e16567fbbf1aac31755d9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2152
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4700
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2464
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7-zip32.dll
    Filesize

    4.2MB

    MD5

    c68d26ea463def21e2a8e23d69f40484

    SHA1

    ee5dbefba9eef9ef7c0f7ee9e309821d719aca05

    SHA256

    b788b4f95b6762b95e842c1cb74508ced2008f315d9de0a2fb1244627499e32a

    SHA512

    84402859ffaa60755abdd355a8663f3798f77e13347fdb91e850cbaf6a2cb8cab11ed66150bd265c2810accab4e83c3f71841c709984014ea430fee89e02f429

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
    Filesize

    4.4MB

    MD5

    914c6fb0a46e49a896b0d6a1de96ba28

    SHA1

    3b45a25daefa204392c47a312a706b99c24ef388

    SHA256

    e0dd0009ff4ba3ccb72413780c12c65ce8bd83c5e67a78dafe39a71f0e033e46

    SHA512

    a075fc48980d0fec61a58a36e35fd508e02c6c659f31437915043480e9639b521950086123a3648976aa28e262464bd6c5e5f992b9f76a039281e5f24b8063cd

    Download Submit

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
    Filesize

    5.8MB

    MD5

    8546c2eba1d5990f20e1c72e525900e8

    SHA1

    9b806a021f59717a079d8ac6fa0901bdf11dd4a2

    SHA256

    98dc5f975e9bc82c6e95e98c2e9c825f56db79c0ee5dd84000bc62d06179c1ca

    SHA512

    30f16684207fd901c154e35f978155c1163639dfa28ede81d66d2d2de358ac40b730181ee0d2d0f6c02b3ab6318e9a7f0464a10e929ba44e3a953a18ddfcff6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\353G37J3\microsoft.windows[1].xml
    Filesize

    96B

    MD5

    b8361799c7a501083382a30696ed05a0

    SHA1

    c19845028499d17465236b074556433f9386501c

    SHA256

    52c0838b289c8bde85be5bb076ddf32d539ff231ba6fc37c5bb19b642e7a5449

    SHA512

    2070bef8fd332942fbb1e1f762b04d0bb602d8b54b37e337b306569966f60e42ec4d927b9c1bd0f6557a14a252aaa80ff11b794a18790a4fbadb5e40d372dce0

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133881900999024600.txt
    Filesize

    14KB

    MD5

    b9a3570135c6cdac61e23a655424bb81

    SHA1

    b25c823b867b820fa34e0d61892c99af1b3db241

    SHA256

    e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

    SHA512

    73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
    Filesize

    267KB

    MD5

    f76586075bc61d238cd15f1c0aefeb2c

    SHA1

    24569215ceb84b22cc69bbcf8336bbef24b2510f

    SHA256

    0ee3259f735b6fedd55fdba6c4cace30ee5a0661d57642900795e79cab76b5d1

    SHA512

    74e98401659f0b61088a1edb9a33890454219b48494daddd686919bd1bc450c8fc3b9006f6b7d3d7b3ec1fdaab7078d2f1c80e426dd9bef1b0f2bc503fcd47b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
    Filesize

    272KB

    MD5

    3942def28470bbdade0a87406970f2f5

    SHA1

    842edea1648ed55e5716786d84d7b9f43c97f095

    SHA256

    582c7de97c1ae85410a10d42d45797dab124c327ebd4b5b835e2259419df9a6a

    SHA512

    f0f394bf4bb62b31dcfdf1fef602d04304e324e84864f9baa10ca2f33ffdcc3f1d07048260aab75f065ba7fe8598ca7e7e8e14d14f3d60ae83334e12ba97fb0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    12KB

    MD5

    d76168e433ebd36255f447103fdd6d59

    SHA1

    21fba4b1044cd48007ffcfdced6e479ca9e3da79

    SHA256

    a7b54e0050250e9e15879f76944a879c11590e602ec2513bef3bfe1298a43b33

    SHA512

    99bc1dd1240abb35a807ebb6c3b2edb29c9e23290250ee7a8a7ff008fd450cf8651bf1793b1c56b9ed9775a2626f38faf08d07c72e892dc9bb393167a55185a1

    Download Submit

  • memory/2464-5833-0x00000260C8390000-0x00000260C83B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-5823-0x00000260C83D0000-0x00000260C83F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2464-5854-0x00000260C89A0000-0x00000260C89C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3468-6054-0x000002AD3C050000-0x000002AD3C150000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3468-6059-0x000002AD3CFB0000-0x000002AD3CFD0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3468-6072-0x000002AD3CF70000-0x000002AD3CF90000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3468-6085-0x000002AD3D580000-0x000002AD3D5A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4700-5786-0x000001EF15660000-0x000001EF15680000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4700-5785-0x000001E713FD0000-0x000001E713FF0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4700-5777-0x000001EF15320000-0x000001EF15340000-memory.dmp

    Filesize

    128KB

    Download