Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250502-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03/05/2025, 15:04

General

  • Target

    2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    b312be4969f3de211b46bb28fefc55bb

  • SHA1

    331f1918240478d9aab9b0c528926f9bb4f1fffe

  • SHA256

    f032af7f19f6f8271d9ebfbd15c5dcaebc93ec5f2b155c30429363e1c887dcae

  • SHA512

    5ec6d029dbe536e48918d38f1bf90c7c06a4dc755859593f2ba2a59c621dcce732be08f48d69761291ec49018588d8895449aa1444946eb65dccef9c341f4285

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4w:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vy

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing 2 IoCs
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 1 IoCs

    Attackers can apply techniques such as redirecting the registry-listed DLL and export that Windows calls to verify Authenticode signatures (the SIP and trust-provider entries) to a DLL export of their own, so that their unsigned binary appears validly signed.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 41 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
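The "Manipulates Digital Signatures" behaviour above is worth checking for on any host this sample touched. The following is an added example (not part of the report or the sandbox's own tooling): it parses a `reg export` of the two registry locations Windows consults when verifying an Authenticode signature and flags entries whose DLL lives outside System32, whose DLL name is not on an allowlist, or whose SIP export is not the stock `CryptSIPVerifyIndirectData`. The allowlist of DLL names is an assumption to adjust to your own golden image, and the `.reg` text below is constructed, with a made-up GUID for the tampered entry; the stock PE SIP and Authenticode FinalPolicy values are the ones shipped on Windows 10 x64.

```python
import re

# Added example: audit the Authenticode verification hooks from a .reg export.
# Both keys below are consulted when a PE signature is verified; rewriting the
# DLL/export here is how "Manipulates Digital Signatures" makes an unsigned
# binary verify as valid. On a 64-bit host also export the WOW6432Node copy.
SIP_KEY = r"software\microsoft\cryptography\oid\encodingtype 0\cryptsipdllverifyindirectdata"
TRUST_KEY = r"software\microsoft\cryptography\providers\trust\finalpolicy"
SYSTEM32 = "c:\\windows\\system32\\"
ALLOWED_DLLS = {"wintrust.dll", "mssip32.dll", "msisip.dll", "pwrshsip.dll"}  # assumption: tune per baseline
SIP_EXPORT = "cryptsipverifyindirectdata"  # stock export for the SIP verify hook

# Constructed sample export (not from the report): one stock PE SIP entry, one
# entry (made-up GUID) redirected to a DLL under ProgramData, one stock trust provider.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\WINTRUST.dll"
"FuncName"="CryptSIPVerifyIndirectData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{11111111-2222-3333-4444-555555555555}]
"Dll"="C:\\ProgramData\\verify.dll"
"FuncName"="AlwaysValid"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"$Function"="SoftpubAuthenticode"
'''


def parse_reg_export(text):
    """Minimal parser for the 'Windows Registry Editor Version 5.00' text format.
    Only REG_SZ values are handled, which is all these keys contain."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg escapes quotes as \" and backslashes as \\
                value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                keys[current][m.group(1)] = value
    return keys


def audit_signature_hooks(keys):
    """Return [(key, [reasons])] for every SIP / trust-provider entry that
    deviates from the expected DLL location, DLL name or export."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if SIP_KEY in k:
            dll, func, expected_func = values.get("Dll", ""), values.get("FuncName", ""), SIP_EXPORT
        elif TRUST_KEY in k:
            # FinalPolicy exports differ per policy GUID, so only the DLL is checked here
            dll, func, expected_func = values.get("$DLL", ""), values.get("$Function", ""), None
        else:
            continue
        reasons = []
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "\\" in dll and not dll.lower().startswith(SYSTEM32):
            reasons.append(f"DLL outside System32: {dll}")
        if basename not in ALLOWED_DLLS:
            reasons.append(f"unexpected DLL name: {basename or '<missing>'}")
        if expected_func and func.lower() != expected_func:
            reasons.append(f"unexpected export: {func or '<missing>'}")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in audit_signature_hooks(parse_reg_export(SAMPLE_REG)):
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Cryptography\OID" oid.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Cryptography\Providers" providers.reg` from the suspect host; a bare DLL name without a path is not flagged for location (the loader search order decides where it resolves from) but still has to be on the allowlist.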

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3676
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2216
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2276

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files\7-Zip\7z.dll

          Filesize

          5.9MB

          MD5

          f17a96f168083d667df08f23f394bc94

          SHA1

          777c7850027948dfb03609ffe20aadc699bbe2bb

          SHA256

          fc4dd24357a3a7f5005812d238507db89bb30a57d9434911d9dbd71bccaa23f1

          SHA512

          a85a7af3435731571482a19a1c552eeadff72361e03e99e8d63ddab735939685f2e9d76894ada1313a324594628d2a215396a1888ca2768d4e2804e2d25aca5f

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          97aad85a9d4b8f339e00729d977640ee

          SHA1

          69861e79676800bb0ce299846f06674095a5b7ee

          SHA256

          9ac4f688229f323c1dfa77bf5ee54dfad1c7c5236a06580f0feba4ea1d045c17

          SHA512

          b4aec15e47f88bc56ccb4e44bc19f5ffc8c771c81ed762dab914feca21c14ea6972a711a9b606e1e99aa4e901b427bf4983f9dfbd78ad5402574f036e316ad25

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3FESS8ZQ\microsoft.windows[1].xml

          Filesize

          97B

          MD5

          85bdbabc7b95040643d10928ec751042

          SHA1

          1729eb81300828f45121282bd78e7d8edb60806d

          SHA256

          e82b2adb9d4a506a15db5a5e124fee0a74c9eacd3d92421afb0ab8a141ed928e

          SHA512

          6dd5a984d367d979909a430b64a8031c75ee27ac69b63ac13f4f5c311030b52a6ad7f49b997812d8c049f8275d25d214979c3fd907f738b46dbe239f966e4e31

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3FESS8ZQ\microsoft.windows[1].xml

          Filesize

          97B

          MD5

          9d878c5b559e2a15ec6ab81004c9d4a9

          SHA1

          93376927b9b2ec0dd922cc07df9a8292449c29cd

          SHA256

          a2ba68b4e9c61181288bb42d19bbfe68abd2966ced20bd1dcc8db80a28e570e5

          SHA512

          8e078f7c43026138dcd94ad93e809cd3d5b35457ffec212ee2d576af81450ed0b3de18bfb1e00d5b0bb3890eadf861d8afb82b2c0fc42ada1f226788038c9f5f

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\0.0.filtertrie.intermediate.txt

          Filesize

          12KB

          MD5

          936b0a778aa1be7e3034258367c98689

          SHA1

          1f488a47008c9ffe3643e1473208b30c6c8849b1

          SHA256

          5403748cacc0090701bb9a3982a3059ebe25d2be35e7a8ff93fccbee66a7e408

          SHA512

          13b8c495f05c15809a1de5ab37f583f1813b299e609518e1b2d78986436d945de1c0595ae8e1c839ca7f8db8404eb7efb817f8532e86c8f62884534a1921ca56

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\0.1.filtertrie.intermediate.txt

          Filesize

          5B

          MD5

          34bd1dfb9f72cf4f86e6df6da0a9e49a

          SHA1

          5f96d66f33c81c0b10df2128d3860e3cb7e89563

          SHA256

          8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

          SHA512

          e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\0.2.filtertrie.intermediate.txt

          Filesize

          5B

          MD5

          c204e9faaf8565ad333828beff2d786e

          SHA1

          7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

          SHA256

          d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

          SHA512

          e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\Apps.ft

          Filesize

          16KB

          MD5

          77aaf7085b78aabccf5b1bae1da22bbb

          SHA1

          9d4785556cfa5ca1e232a88894eed1c66f348501

          SHA256

          c37e3d096fb087e56f22c35b08334be89d5708456c570d65c11cba99a27e3c59

          SHA512

          ab83ca6db7f529709b3327ccb49ae6f2a2ad65f1e7ca9ee09824ad0017c4cc8cd57c6effbcbbc83225ddfbde7ee4bafe226d2344b3b670a6723457b75cbf0c1a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\Apps.index

          Filesize

          947KB

          MD5

          0dbe9680d1e2119057acaf423cac748a

          SHA1

          ee99936909d9c339cba0c9f515f855d1bc9b318f

          SHA256

          4368c307c6e0a3b5fef53ad12b841d599f26f9c7f26ca1e21e0dbc439a238ff9

          SHA512

          fb9afdadfd63649132d052e28f1daee9e3ae56fa00d898754278ef7d9d7c447ec33f3668780b220553528551a179afb20aee84549205c379d75fab8d6b6210da

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{52d8ec9e-3dba-488b-9bec-7dbb3a1b12ba}\apps.csg

          Filesize

          444B

          MD5

          5475132f1c603298967f332dc9ffb864

          SHA1

          4749174f29f34c7d75979c25f31d79774a49ea46

          SHA256

          0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

          SHA512

          54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{52d8ec9e-3dba-488b-9bec-7dbb3a1b12ba}\apps.schema

          Filesize

          150B

          MD5

          1659677c45c49a78f33551da43494005

          SHA1

          ae588ef3c9ea7839be032ab4323e04bc260d9387

          SHA256

          5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

          SHA512

          740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{52d8ec9e-3dba-488b-9bec-7dbb3a1b12ba}\appsconversions.txt

          Filesize

          479KB

          MD5

          bd80c5bdf003b5858da6e9f8dd956da6

          SHA1

          a5ca3cb203224f8eea4de4519c5e35deb9294f0f

          SHA256

          c855aa25cd1ec3c957d2c695752808adfbddf8ff3f98efc6162e1c04336e84d0

          SHA512

          b735baff690e16b0cf1d2aba46e47bb490651313956e9379f124e04db426f6c01eb63e1122836a76d4abd805e8b2a82d11eb9026774eadba4b543c1aa8b69dc3

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133907583940398478.txt

          Filesize

          26KB

          MD5

          8f8b6431df6661fb9dab8a89c7f8140e

          SHA1

          c08e03666e8097fe5fd53aba0543c5ad0f5e902d

          SHA256

          73c0bde22714885c7b5d8097c39236ed99c4f7d52ef5d48772819f859b1e6bf0

          SHA512

          d8854599c951460100584caa01968bcc1b7b23bba50e17c619f47167a4b4b683170f68c72743a38130ef2597b84f688d3e8462f5c5a48b4aca4fa7331c855b26

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133907584000315718.txt

          Filesize

          13KB

          MD5

          aaabd569f8458096c85f02092eece5aa

          SHA1

          ad838436d0250be0c7520a1cbc7c72ac9365fe5b

          SHA256

          d1e73bf1854ebd1a75ac8267c868fc124b3fab9b500596e6ddc784d60eaa2b79

          SHA512

          70909a99c225efccc030c5f76176e2efe071518fc6a1317bdb2da6732609e6eef08a3ad9cc9b0daf42d5ce678f3ac2584ec4162c7afe019ea7aef158a184ecdc

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

          Filesize

          286KB

          MD5

          edb28f6a770ce465924c1b00161bb778

          SHA1

          6e847491e183a8c32242e47baf41d1299ffd115a

          SHA256

          cbb02e12ee5a1a4a6edaa847ee9b27a6519b4cd49166f4f22c8791a5e50922b9

          SHA512

          f43d354f5c7c4f87572485485e4e2bec9e89e86c38382841e40ff328b02110ba419227170605b3bf5480ddcb4b33aa99a511a5887381c060185e17bdc49e1061

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          11KB

          MD5

          2e2818d813637ed7f3c5b476d9d96856

          SHA1

          07c8ec4eba6c7b2cbac7338179ebbbbd4f1abb7f

          SHA256

          310947b352ad904a52a9f77a6f85badb8a893352ba81c66ef735dcadde163616

          SHA512

          9472b6d26b5a342b05d5e92220f6a488b26433a02439c89d53032ce10ec7b20ba9bac2184bb5a2154f5b52f7c43ed0ac67fe0ffae0868efc000d7c18a3ed82dc

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          11KB

          MD5

          394eee57a915956e69aaa3924ec4a53a

          SHA1

          d3f15274f0f9bc5c407e9216b920e5e3d3fd634a

          SHA256

          772c41e3c193e9be30336afdecf3a786d204e3e5f2e11ce30111943ab2fc0678

          SHA512

          584ed5d6ac53f06a9acb67705810739292b337ae819fe92657c355429621e87782eccf74c592b1a8a8fa88954431ddc6c5d1fc28c22836c02ac6fe7781ed7101

        • memory/2216-5738-0x0000016FDEA10000-0x0000016FDEA30000-memory.dmp

          Filesize

          128KB

        • memory/2216-5732-0x0000016FDEA50000-0x0000016FDEA70000-memory.dmp

          Filesize

          128KB

        • memory/2216-5739-0x0000016FDF020000-0x0000016FDF040000-memory.dmp

          Filesize

          128KB

        • memory/2276-5876-0x00000247FCE00000-0x00000247FCE20000-memory.dmp

          Filesize

          128KB

        • memory/2276-5858-0x00000247FCA70000-0x00000247FCA90000-memory.dmp

          Filesize

          128KB

        • memory/2276-5843-0x00000247FCAB0000-0x00000247FCAD0000-memory.dmp

          Filesize

          128KB
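The file hashes in this report are only useful if they are actually swept for. The following is an added example, not part of the report or the sandbox: it hashes every file under a root with MD5, SHA1 and SHA256 in a single pass, matches the digests against the submitted sample's hashes copied from the General section above, and also reports any `autorun.inf` by name since the report flags "Drops autorun.inf file". Hashes from the Downloads list can be added to the same dict; note that entries such as `7z.dll` and `msoshext.dll` may be the legitimate library files rewritten during the run, so confirm before treating a hit on them as malicious. The `demo()` tree and the stand-in file it hashes are constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example: offline IoC sweep. The three hashes below are the submitted
# sample's, copied from the report; anything else you add here is your own.
IOCS = {
    "b312be4969f3de211b46bb28fefc55bb": "submitted sample (MD5)",
    "331f1918240478d9aab9b0c528926f9bb4f1fffe": "submitted sample (SHA1)",
    "f032af7f19f6f8271d9ebfbd15c5dcaebc93ec5f2b155c30429363e1c887dcae": "submitted sample (SHA256)",
}
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """One read pass over the file feeding all three digests, so large files stay cheap."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, iocs=IOCS):
    """Walk `root`; return [(path, reason)] for hash matches and autorun.inf files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                hits.append((path, "autorun.inf present"))
            try:
                for algo, digest in hash_file(path).items():
                    if digest in iocs:
                        hits.append((path, f"{algo} matches {iocs[digest]}"))
            except OSError:  # unreadable or locked file: skip it, do not abort the sweep
                continue
    return hits


def demo():
    """Constructed tree (not from the report): a stand-in file whose SHA256 is
    added to the IoC set in place of the real sample, an autorun.inf, and a benign file."""
    root = tempfile.mkdtemp()
    stand_in = os.path.join(root, "dropper.exe")
    with open(stand_in, "wb") as fh:
        fh.write(b"constructed stand-in for the submitted sample\n")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=dropper.exe\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    iocs = dict(IOCS)
    iocs[hash_file(stand_in)["sha256"]] = "constructed stand-in (SHA256)"
    return sweep(root, iocs)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45} {path}")
```

Run `sweep(r"C:\")` (or the mount point of a removable volume, where the autorun.inf check matters most) on a host suspected of having executed the sample; matching on all three digests means a hit is found even when only one hash type was shared with you.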