Overview

overview

10

Static

static

10

2025-04-04...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 01:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-04_beb2a76a21bcce89f9103428a3386aae_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    beb2a76a21bcce89f9103428a3386aae

  • SHA1

    80c58aba9026cebc9293c22ee217bd7ca5918768

  • SHA256

    e5e6f9a3a9f5f771b82b8b5614428ee4b2e9baced2c2c74ca1a5c43ae440dbdd

  • SHA512

    7896819052175352ab3ed4a39f1f3c419861616580b33009e5209542234b91ce80dac7bd24c49f9514c6900bb0de22217e641c4b466c77f66ca1f1dd136c4964

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4H:ieF+iIAEl1JPz212IhzL+Bzz3dw/VZ

Score
10/10
gofingcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    ransomwaregofing
  • Gofing family
    gofing
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_beb2a76a21bcce89f9103428a3386aae_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_beb2a76a21bcce89f9103428a3386aae_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1908
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5964
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:5988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7-zip.dll
    Filesize

    4.2MB

    MD5

    3e562111dfd37fc527f2a7594929cd0e

    SHA1

    78ed4e50454a329436f8d5ea143b393bf1380ab8

    SHA256

    c0d3c9631fd9b164428f4cfbf67e755c7184d12d7511dc5394cf4257d011b85a

    SHA512

    6f79febc31d6cac6a553bc79562f1dbb605c37d2e61d8c27922527501f65eac8d9c2b1b7b9332ecc14582a1f90ea5f3a9071e2b73ab93a422775a74de7e5d1ef

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
    Filesize

    4.4MB

    MD5

    9a4c9679b1147f4faf22ac0f76c37374

    SHA1

    86156cbc5f447cfe0a033b86c384ffa0cfd20972

    SHA256

    0dcdbe8f62283ebc2b322b03f3b0115070e44f3b674709dad8ae147e774dbe31

    SHA512

    9de780547800c8c6e2650de3f8e6b7b7ba55ca821272f3c668d3ad172d563dccd7d95547b5c50626b05f9f304c344915d4230a357d0d455def47b5120141995f

    Download Submit

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
    Filesize

    5.8MB

    MD5

    5d3bcd6f274b4a2626a8003666f4b9f3

    SHA1

    76c2a860d5bf5ea6b2f23ba6fbcce31b1055fda5

    SHA256

    32705bb60ff6bfbf4cbc29e4f22d2193b9d82b0c01db41f343072a9b00472770

    SHA512

    45d8a43179b0b4a3b864bfb7c528f7cd862ce8f47cbc38155c619133705eacf5a9a4d467941414c2e85e197631a77b1cef8f69fe004097e8659a3e4638726d1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\917WYNDL\microsoft.windows[1].xml
    Filesize

    96B

    MD5

    0bccf88002dbaf9d7ff27c5706158033

    SHA1

    30f3409624231e3d1e27c0f24aced365b595c681

    SHA256

    5d59f5cea2cb9465ad8c664279d7489e26f3f88982f0f6bc055f74a93b8648cc

    SHA512

    3a0f6ae86a3dcfc17d0cb8c57249440db852564e3e9f7c73911abea52de4375bd2f9ec4832b9a42e081b8420df2d6b0572aa2a57601d3faaa812351f9d86fdce

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f6b73e85-40f1-453c-b543-1340edc23564}\0.1.filtertrie.intermediate.txt
    Filesize

    5B

    MD5

    34bd1dfb9f72cf4f86e6df6da0a9e49a

    SHA1

    5f96d66f33c81c0b10df2128d3860e3cb7e89563

    SHA256

    8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

    SHA512

    e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f6b73e85-40f1-453c-b543-1340edc23564}\0.2.filtertrie.intermediate.txt
    Filesize

    5B

    MD5

    c204e9faaf8565ad333828beff2d786e

    SHA1

    7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

    SHA256

    d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

    SHA512

    e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f6b73e85-40f1-453c-b543-1340edc23564}\Apps.index
    Filesize

    891KB

    MD5

    b719722a8376bc8fc3c7d312ca6bb9fa

    SHA1

    ff86296879663e9c7d0edd3dee4cc988073ca9db

    SHA256

    bd1019a3a3c536fc1585c34115f0979494944d8a720121f99521d846bacfd88b

    SHA512

    10885b1ac3e5a7f67763b79d5630335a3ac513c6deaf6a2075cc487b85069630791f18b752cef6d44b756a3aff335c4419e4ad67cc4afdfd4760c58976015479

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a9e5790b-c267-47c3-acd8-3989d45642ca}\apps.csg
    Filesize

    444B

    MD5

    5475132f1c603298967f332dc9ffb864

    SHA1

    4749174f29f34c7d75979c25f31d79774a49ea46

    SHA256

    0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

    SHA512

    54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a9e5790b-c267-47c3-acd8-3989d45642ca}\apps.schema
    Filesize

    150B

    MD5

    1659677c45c49a78f33551da43494005

    SHA1

    ae588ef3c9ea7839be032ab4323e04bc260d9387

    SHA256

    5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

    SHA512

    740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a9e5790b-c267-47c3-acd8-3989d45642ca}\appsconversions.txt
    Filesize

    1.4MB

    MD5

    2bef0e21ceb249ffb5f123c1e5bd0292

    SHA1

    86877a464a0739114e45242b9d427e368ebcc02c

    SHA256

    8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

    SHA512

    f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a9e5790b-c267-47c3-acd8-3989d45642ca}\appsglobals.txt
    Filesize

    343KB

    MD5

    931b27b3ec2c5e9f29439fba87ec0dc9

    SHA1

    dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

    SHA256

    541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

    SHA512

    4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{a9e5790b-c267-47c3-acd8-3989d45642ca}\appssynonyms.txt
    Filesize

    237KB

    MD5

    06a69ad411292eca66697dc17898e653

    SHA1

    fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

    SHA256

    2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

    SHA512

    ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133882051052533008.txt
    Filesize

    27KB

    MD5

    4e540f21bb2365ff851b6e8271652846

    SHA1

    2cd355c237319dedc2d287615eab9713143da4b5

    SHA256

    43c36bcd355f4e0a2070e40343a382873ed70acd5b5395957f2709126cfcaf79

    SHA512

    23583de76067d3840d965f4848d12ee06714cebe9511f6b2ccde5df8a1f0347906500c4c93eab77b515cb5b31c576ddb9b75124d44ede965aebc972465e07d60

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133882051155071778.txt
    Filesize

    14KB

    MD5

    b9a3570135c6cdac61e23a655424bb81

    SHA1

    b25c823b867b820fa34e0d61892c99af1b3db241

    SHA256

    e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

    SHA512

    73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
    Filesize

    277KB

    MD5

    41e45ecf4dfc8fa3fdefdf1eba23c2a4

    SHA1

    f9e53d2b3673dce3995b7f2f6a77047dfdd0b130

    SHA256

    206cd4e2c89cf8f1a2eb9a4382a057a87b98ff5158e011ca4abd016157a5ad85

    SHA512

    42b8c313f9d022bf6235c05ae7af289a5849388c0dcdbeeb05114beb02cfc9e736ff26e784e339bb496fec73fa36820b3b3834464feddafad461eae3ed645aae

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    13KB

    MD5

    6095c9a6ec329f64131a9f613a7e127f

    SHA1

    4ce1b58a6ecb1b8e72b75cf413233c96fc9f9dc9

    SHA256

    2610ba21293b51998766de89cd66f10f083071bd4ea7ec84d05aadbcd27b4f5b

    SHA512

    7fc83ab4f8fcfd1b3c24b5197c7925de39dd67fcb565b5c63d180027cebfa5ad9bed540610b423c308a22d22f3cadb50f4a960cba68bac7f1963fceb49400f46

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    12KB

    MD5

    62024721ac05029f657e8a601d86e862

    SHA1

    c0aae5b99b7fb2cf3c099b4131d67c1e07a40afd

    SHA256

    d7cfacdf6b14956b6c667f8618f1dbbe0b2e36494045cfde90df1c9cfe461c7a

    SHA512

    8fff07bbe315ef351a1968aa4bebdaf05311f1f4a3324ac1a36f0ace450ccdcc701e2d24f61f84e1b576ba8fa8bb7b84bb57d9899ad4c0a94f0647e3868a9a66

    Download Submit

  • memory/5964-5696-0x0000024A4BDC0000-0x0000024A4BDE0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5964-5688-0x0000024A4BA00000-0x0000024A4BA20000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5964-5695-0x0000024A4B7B0000-0x0000024A4B7D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5988-5772-0x0000023E95040000-0x0000023E95140000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5988-5776-0x0000023E961D0000-0x0000023E961F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5988-5771-0x0000023E95040000-0x0000023E95140000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5988-5773-0x0000023E95040000-0x0000023E95140000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5988-5797-0x0000023E96190000-0x0000023E961B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5988-5798-0x0000023E96530000-0x0000023E96550000-memory.dmp

    Filesize

    128KB

    Download