Overview

overview

10

Static

static

10

2025-04-03...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-03_67d439a5c81949a330d8ecaf6ef8ab5e_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    67d439a5c81949a330d8ecaf6ef8ab5e

  • SHA1

    0d2abb9c5132c7bb22207db881e50872044bfbc1

  • SHA256

    3678d0e292b4947f6578864508b365ffb887dd50ae416cc9c939c80fa7a6ca93

  • SHA512

    3ef1f0dcce534adb1b5a6d36b854b93194e512ab13e441e740bddc012e77b43b9050affb3d09d7ea152dcaa3049b07355e6420135342b990d5c1d981b43854bb

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4Q:ieF+iIAEl1JPz212IhzL+Bzz3dw/VS

Score
10/10
gofingcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    ransomwaregofing
  • Gofing family
    gofing
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 4 IoCs
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-03_67d439a5c81949a330d8ecaf6ef8ab5e_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-03_67d439a5c81949a330d8ecaf6ef8ab5e_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1684
  • C:\Windows\system32\werfault.exe
    werfault.exe /hc /shared Global\c5cfd1f3bee346b28205534e54786b92 /t 3604 /p 4088
    1⤵
      PID:3700
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:636
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7-zip.dll
      Filesize

      4.2MB

      MD5

      41b3f3f976f6be6e5cd851ab8d51b1dc

      SHA1

      434bcb52d0839045a5133122838f8e8be10276eb

      SHA256

      591230f6de1d05572eaea2a0b7d63375d20535c6bbe9aa84d7df533ebf3b9d56

      SHA512

      86c564483df7914189163aeb311e21d57161edb95e4e76881f8951b5e3f308ce0885926209805943330bbd4e134b18b206a3fe71ba327f9cc8376c31f817dc0e

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
      Filesize

      4.4MB

      MD5

      a31f1a9101a329b62da4a2b78a5ca1b7

      SHA1

      00ab776368a7199763b424f320d0dcab8a61b4c9

      SHA256

      c4399ff9325638f6d3a086eccb9eb70317ac4fe984818eeff373176e59bd3c63

      SHA512

      783966ea983bd45f2d452c91bb5250edd6be6bdd7362a2ca80cdd60bceffd0fcbb72bad09fda356e7661961aa8bdda314e438ca5fd2994c9949d2abce3a24468

      Download Submit

    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
      Filesize

      5.8MB

      MD5

      f8319b1ff136f98a8b6dd2bcd294b1bc

      SHA1

      f9f16ccc5f62e6abd6e1b13eee1d922c864a13c4

      SHA256

      8c8637726e8f199d16c6100930ca6e6f1716181c42dc3932a0b4b0f6c7a7f715

      SHA512

      578ac95cec0bb8370de34e39749e7f79c040ad730818d34557fb5e61d284ca4369cacf993e679738d236fe29aa31f8cca86fecaf3856ec9d788c2c16df57c0cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\64MR4AY0\microsoft.windows[1].xml
      Filesize

      97B

      MD5

      2a22cf120508bcffb6c0d2760f47fbd7

      SHA1

      dd2650c16ba451333f45172bb3d4da4568752942

      SHA256

      07c918e3f9b4e166c5e7f61b19998f97286c05aa6acd4248524fef02fbd7e657

      SHA512

      991304782c0a5b8e5b0017fc22041e5fa25711463aee78d631c449c76946343270eb881c60c09798b8989c5ceed04495b1d06363e7a1aec37267d5aad2434a8e

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
      Filesize

      2KB

      MD5

      e5cf3607b1d2c761038f60210253847b

      SHA1

      2d030593ab7f127121bba71b857d469f56b140f1

      SHA256

      6c38497cf0932aaef0d8ba2c6bd4ded640d85aa995b02d8c032e91a81655597c

      SHA512

      20d61a9c4a5fcbb2f5f5fbde86e87811f0bbbd013bc25887e471657fe33ca1eee5bfb355440d3fe48b80307d3ab617c07f054a8d0492101fc2eb77bec980991f

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{02fc1530-c446-406e-b930-fa815f08d088}\0.0.filtertrie.intermediate.txt
      Filesize

      12KB

      MD5

      cd1dc8945fc53af5a1567f0bd0ecbf82

      SHA1

      a6c2c79f365f5e5c49e18a196db8fa983404ab52

      SHA256

      bd4f27e2890ccf9c780df138a3da9792bd978aa03a3282a62a2951f31114151c

      SHA512

      86211a8643e36466a47d44ab7880e065e128aa88ef5a05e635bddac89dcce82b604b1528bf78578d9abd5bdd074ffa356578de235ea69a00a056c876d943f161

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{02fc1530-c446-406e-b930-fa815f08d088}\0.1.filtertrie.intermediate.txt
      Filesize

      5B

      MD5

      34bd1dfb9f72cf4f86e6df6da0a9e49a

      SHA1

      5f96d66f33c81c0b10df2128d3860e3cb7e89563

      SHA256

      8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

      SHA512

      e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{02fc1530-c446-406e-b930-fa815f08d088}\0.2.filtertrie.intermediate.txt
      Filesize

      5B

      MD5

      c204e9faaf8565ad333828beff2d786e

      SHA1

      7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

      SHA256

      d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

      SHA512

      e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{02fc1530-c446-406e-b930-fa815f08d088}\Apps.ft
      Filesize

      17KB

      MD5

      176b9511edb3f4592a7511512ba34119

      SHA1

      07f3c7062422eef5d33718ba7f332696a80746f9

      SHA256

      9c94e84132b62bd67b7a0b1f2a313666a80d746112c51b0c297779201a4bd6fb

      SHA512

      cc13456d49b9962a7ac7ed223def769424e097278f87b9e56d713577830bb7c392ac510916d074e8fae034eaa168720e6b1dc289649654bcb965b25628a7f2a9

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b2b710cf-be42-44e8-b376-4d1f6cc270fb}\AppsGlobals.txt
      Filesize

      4.4MB

      MD5

      3af7c099623b0225766e5a0e2c8d30b2

      SHA1

      2cea8c5554e536ff0be79721e0c200dec9aad0ac

      SHA256

      72fa24f085a7e4255ceb40f2a7eddc093519b316e471a26a754ab2850acc09b4

      SHA512

      7c8b949e9e6a260e7a362799b696203a3a7c876f06f9e8db6e5eae451017257d8ba0fa75870717c7c32ed10a9789246afcef91281dc0c9b8a86a2a4eb67cd84c

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133881751232251347.txt
      Filesize

      27KB

      MD5

      4e540f21bb2365ff851b6e8271652846

      SHA1

      2cd355c237319dedc2d287615eab9713143da4b5

      SHA256

      43c36bcd355f4e0a2070e40343a382873ed70acd5b5395957f2709126cfcaf79

      SHA512

      23583de76067d3840d965f4848d12ee06714cebe9511f6b2ccde5df8a1f0347906500c4c93eab77b515cb5b31c576ddb9b75124d44ede965aebc972465e07d60

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133881751361228667.txt
      Filesize

      14KB

      MD5

      b9a3570135c6cdac61e23a655424bb81

      SHA1

      b25c823b867b820fa34e0d61892c99af1b3db241

      SHA256

      e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

      SHA512

      73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
      Filesize

      12KB

      MD5

      6add2002a94b55a7a446de23183c6f7f

      SHA1

      771f652f5c21b776d8efd12c9ecdd36e7cf097ad

      SHA256

      a3721afb8c05a4d0fc805bd8f82cf490231efe038e79e2806af93179dce15ad0

      SHA512

      5ba706729222e99c18c54f9fe0244e0830afc57317d87baf1aff6ae8070a01dfb7f3a297cbd511e4b2d588fe65d61656ac15600c4c88e30c24567918d96b270b

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      af40a0d111c19d7b286a0a330a43d783

      SHA1

      b0483ca86d122ff0f9ad560e32fa39b0d63cc8b5

      SHA256

      25c0ce6932cf594b43963ae2fb5ab85b6f09435d332f5c6d4d916a589b0e34d1

      SHA512

      18860e3fd323f52f707532b9cb9fed9608623a374c2dc0f505cb1465e3827365672027077dbd29784b876cd5ec68ce90c82bd4816b8df46f0283be1dde85f0e1

      Download Submit

    • memory/4536-5758-0x000002275D070000-0x000002275D090000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4536-5790-0x000002275D030000-0x000002275D050000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4536-5791-0x000002275D420000-0x000002275D440000-memory.dmp

      Filesize

      128KB

      Download