Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2025, 15:04

General

  • Target

    2025-05-03_2aa6a01aacb78594f27a081de95ffd2d_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

  • Size

    5.6MB

  • MD5

    2aa6a01aacb78594f27a081de95ffd2d

  • SHA1

    4c44a6b1bd1f62e34f2fa228f78b1344ef5ba6b5

  • SHA256

    e6a7987298df48a175d3c2358b4227c5f44d075cde23d5e419ca961bb62890b5

  • SHA512

    c759a81a43c43d05e3161e35d6cd90102f9c09e022ce773689be685f251979bef1f3a92c22e95f701e6c54688a086899bcf72281675864e7f644f432810b0614

  • SSDEEP

    98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/V1rY7UGwwjPY5V1+d:pWvSDzaxztQVeICjAYd

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing 9 IoCs
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 42 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_2aa6a01aacb78594f27a081de95ffd2d_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_2aa6a01aacb78594f27a081de95ffd2d_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2016
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3120
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4300

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Program Files\7-Zip\7z.dll

          Filesize

          5.9MB

          MD5

          843b4a8a2ea71680486a8a0cc0b0246b

          SHA1

          46ffefd5c934418e53535a9185fbecfeabaacebc

          SHA256

          cb31b96a6ed836843496c61165d66523b511469776d30d0fb213c818ac28c1be

          SHA512

          b7a6d5ad6239951e7cd824c32cd97e50c0e341771497e6386f0c6883f1f79f00a5b2553adda26253b567d71ef1f053af2335d0dfda2f12e45512caa5f7501e0f

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          b1e352f8e51bd97e8a9c5056a668f85d

          SHA1

          564cc8f14dcc5abc1ef108f3eea32b74cb408764

          SHA256

          00e4e4e0f75f4ad3dd38c20d76f0b9b77a14302fbaa99aab353a3e256ea6dd5a

          SHA512

          d0c2702a61c90b6e22c57f0095211ebeb004764658a1e90a2779aedc7f8cfc066b9d37e29567c17815d36cae66965af25a9aa6a9677a77403cd7feeeb8783e94

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          9c3863c29215bfbdb6c03ede328de430

          SHA1

          65cebc36b8280d19db97fe5d96a461e98a8beb90

          SHA256

          fb9356214ec3d127f31da2540a3262c5df106a0aad17f3618fd8b68880fd9b13

          SHA512

          73ffd3090dd15944de6b0cf4a6c9636fc3e34fc622c059e27d93893e2d7caa1251e4c87d8ad039b519abbd53d31c737c1059dafe454ea802f1f6e281135ab0d7

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b2d0c4ac-2283-4504-b721-a737a711420d}\apps.csg

          Filesize

          444B

          MD5

          5475132f1c603298967f332dc9ffb864

          SHA1

          4749174f29f34c7d75979c25f31d79774a49ea46

          SHA256

          0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

          SHA512

          54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{b2d0c4ac-2283-4504-b721-a737a711420d}\apps.schema

          Filesize

          150B

          MD5

          1659677c45c49a78f33551da43494005

          SHA1

          ae588ef3c9ea7839be032ab4323e04bc260d9387

          SHA256

          5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

          SHA512

          740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133907583938810782.txt

          Filesize

          25KB

          MD5

          0a76974129193d00227730f435b97075

          SHA1

          7709b89673808cce19cead6cbefa4ba6f032ca74

          SHA256

          e7a085f54174b4b38b61835c90ca9afa0f618c2c9030b4c3f5f540d5c69e23af

          SHA512

          b08c0da848421e384f77c039259cc8288d900bf2610a27c55d0c15af09ef5f9dec5582b2b8ace18cc83abb32c9231de2ba4334a73b04c77ef1ee2a7adc1b76d4

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133907583967356263.txt

          Filesize

          13KB

          MD5

          aaabd569f8458096c85f02092eece5aa

          SHA1

          ad838436d0250be0c7520a1cbc7c72ac9365fe5b

          SHA256

          d1e73bf1854ebd1a75ac8267c868fc124b3fab9b500596e6ddc784d60eaa2b79

          SHA512

          70909a99c225efccc030c5f76176e2efe071518fc6a1317bdb2da6732609e6eef08a3ad9cc9b0daf42d5ce678f3ac2584ec4162c7afe019ea7aef158a184ecdc

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

          Filesize

          284KB

          MD5

          a7e94ea256980afae0f7f79556a1a363

          SHA1

          b1bb784216975892b917f907a826ffa2c2efc280

          SHA256

          630979529234fb316f48dbada720ce17d017a4c3996bb0bb866989261f4cc39b

          SHA512

          87dbddd7d50716405252b5cebf05470ea518fcd9718d38bda49d565cdf9dace3fc4a62762e692f8a390c25aff8580aa4d1ccaa1fb97f790a8ef663619e92e4f9

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          11KB

          MD5

          394eee57a915956e69aaa3924ec4a53a

          SHA1

          d3f15274f0f9bc5c407e9216b920e5e3d3fd634a

          SHA256

          772c41e3c193e9be30336afdecf3a786d204e3e5f2e11ce30111943ab2fc0678

          SHA512

          584ed5d6ac53f06a9acb67705810739292b337ae819fe92657c355429621e87782eccf74c592b1a8a8fa88954431ddc6c5d1fc28c22836c02ac6fe7781ed7101

        • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3FESS8ZQ\microsoft.windows[1].xml

          Filesize

          13B

          MD5

          c1ddea3ef6bbef3e7060a1a9ad89e4c5

          SHA1

          35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

          SHA256

          b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

          SHA512

          6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

        • C:\WINDOWS\FONTS\ANTQUAB.TTF

          Filesize

          4.3MB

          MD5

          bb2ac23d27b96c339395a4cef4f03eb4

          SHA1

          0ef69f6b3ca1a365094161a8b5f5ccdb4f93bc7e

          SHA256

          b06fa4f610244e657e17de4ec73b57a0f0bf5fe0a2779753a7c893d161de9cad

          SHA512

          edb3faca66330abb7a2d36b231aa3e8890993c60a33ee54e59e692689c2acb74ce0a1a0cddcbcd071bc92d0f9dc82167727c63f9b5fb15452a7e35f5b23ac3b6

        • C:\WINDOWS\FONTS\ANTQUABI.TTF

          Filesize

          4.3MB

          MD5

          6a149a60838bc98d302a20c79b28bff3

          SHA1

          0bb0f1a42ce679db07218339e3bfdb55c7a04b3a

          SHA256

          b721ecb5dd802f8494af9695eea465da496f99d67f356604ea29aaf283526c45

          SHA512

          9041cb4edfe6a2027aba2f882b0329adca2b832a9097638f082032a371241ec6f8c5787f6b0b56338c21f5b416dae12a40deee1142835b9285c4f1d2a4a76ac3

        • C:\WINDOWS\FONTS\ANTQUAI.TTF

          Filesize

          4.2MB

          MD5

          632df92d62e55b968804cc4e3ef8c562

          SHA1

          f3fd7d14610e4d77b674c713f84e20e4deaa8483

          SHA256

          136c12603fa82f5a26f6548b7c77422581717703508e1938810b2b5138e5ac33

          SHA512

          fb689bc32909663aa121b7b87822b9ca7618c59d5772aceddbcf70107e7be2f007491c27aef1febbceb2b310ca159fc5a0bb925ed4f555c47d2abf9d62522892

        • C:\WINDOWS\FONTS\ARIALN.TTF

          Filesize

          4.3MB

          MD5

          a03738cde963398009a5c7ff80fcc518

          SHA1

          5c93b8fc0ccbd8e97a8eaa262cc58c52a19a5958

          SHA256

          0c24a128f310a8e5dcaad7e496e9765b2638e6da03e3af1a5ab6a345335641f6

          SHA512

          0b53e8b6df24be6a757bbf907c804ef4b5f57cf7bbe455f6c4cb9eec36e11a2d5ded5d7bb663db9237809f91666c6d373b7b06fffee550b482bd8ec7e914225f

        • C:\WINDOWS\FONTS\ARIALNB.TTF

          Filesize

          4.3MB

          MD5

          b0d588160eef96618868dc05a98cd438

          SHA1

          b12b5bb43a08832fa29287d863ea980fd568e9eb

          SHA256

          316909fb9b2ed8760f06bac6f5f854f973f9113f86cabbfdb67a4df085868066

          SHA512

          0e0285e746a90d09438525f3c3cea16ac40647608a9370b55835a45c7804f36b70ff45a861689e21f7c47f19253e4243fe115afa329997d1bc7bd8b4b6d64727

        • C:\WINDOWS\FONTS\CENTURY.TTF

          Filesize

          4.3MB

          MD5

          596f7361b40aed19cbf694caedf50c39

          SHA1

          bbac7f6396a36ff3475b1deb8aa2bd13c2e2cc3e

          SHA256

          90628dcd60fdc3e21d0b0fac070af0bf670797a9f5be73be345280243159f512

          SHA512

          0723c2f32f5d0cb374e4711de70a29cb96fda962f18306d090c88dcd6d900f10effcb8e8826a8a7545e85f271ca0e54473e821abdece04af6736c30cfd15d325

        • memory/3120-5745-0x000002289D760000-0x000002289D860000-memory.dmp

          Filesize

          1024KB

        • memory/3120-5746-0x000002289D760000-0x000002289D860000-memory.dmp

          Filesize

          1024KB

        • memory/3120-5747-0x000002289D760000-0x000002289D860000-memory.dmp

          Filesize

          1024KB

        • memory/4300-5826-0x000001AB37C00000-0x000001AB37D00000-memory.dmp

          Filesize

          1024KB

        • memory/4300-5832-0x000001AB38BD0000-0x000001AB38BF0000-memory.dmp

          Filesize

          128KB

        • memory/4300-5828-0x000001AB37C00000-0x000001AB37D00000-memory.dmp

          Filesize

          1024KB

        • memory/4300-5827-0x000001AB37C00000-0x000001AB37D00000-memory.dmp

          Filesize

          1024KB

        • memory/4300-5863-0x000001AB38B90000-0x000001AB38BB0000-memory.dmp

          Filesize

          128KB

        • memory/4300-5864-0x000001AB39120000-0x000001AB39140000-memory.dmp

          Filesize

          128KB