Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2025, 14:52

General

  • Target

    2025-05-19_b4c01a7bb82133671d1de6aa357bc1d7_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    b4c01a7bb82133671d1de6aa357bc1d7

  • SHA1

    6be490181cacc3fa25a245008e70003f25c0a0b8

  • SHA256

    f246897aa86b4318d9bf6c9fd3436e7716eddca951ba8d5afb2eb3439dcb0010

  • SHA512

    d4b4dfb07f434c4e6eca19cbc915d60437183917840a7b47dce78dd11e22a168d444bc3c628b58aa9b1dd60cea17cac153bbac8f29b60a563ef9111c15a215b7

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4M:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vy

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family
  • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs
  • Renames multiple (51) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_b4c01a7bb82133671d1de6aa357bc1d7_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b4c01a7bb82133671d1de6aa357bc1d7_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:5620
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4276
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4436

Network

        Downloads

        • C:\Program Files\7-Zip\7-zip.dll

          Filesize

          4.2MB

          MD5

          57a9f125caf50f45ba532e4d22fdb782

          SHA1

          668533a65e76bd8935d56f7ea6ae54acb01bb774

          SHA256

          8046e47b4f194da4a0f22fc47d7de9c510dfceab1331edc1c3a2eaf32abc8b03

          SHA512

          9b827204a6fa466ec1c70679935c5ebe8578c660117a968eb7f601f795632367c28953e6e605a4b9f272c17a774430b803c7bc7d8e830e46a618a9fa70443be2

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          4ab26c8c08abb6f9d0432c43e399445e

          SHA1

          e68783c6d2df50921546aafa942015d9a55ce93c

          SHA256

          8a6f1de137698436c1a97222fcd1419cfa657afb30ec076039060def173da565

          SHA512

          dd6496710afb68706bdc8068e841e7f1d349dec1464f901f94c7dca8740871036abba900c5d49d1be3f5bb5eaec8754e76d6a6b49832c1d65d5257b5ecd20e41

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          aee308c5c8a23b8cc29a29c8ee969d0f

          SHA1

          4f0d7747457fa2d70a3919923fe128354a484871

          SHA256

          998768313ab9e74e7c70562ab478410a3dee5962ba212da66cbaad50c253d1d0

          SHA512

          db8fe4cc238535a3225791be71111948a57e9694fc20a6a6e72cbbf4e8a7f89d60088c07a99cd25f4d2e979bb2a2fc00f15354fb00af55e3dc238f85ae4f7a88

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXMWSROC\microsoft.windows[1].xml

          Filesize

          97B

          MD5

          787b3c95630301459f8d71bbac80e4b2

          SHA1

          252dbc30db2cc1afc80ef4e337fa4a4b30ec2cda

          SHA256

          e24f3c093527089a278865505cb1f69832c3dde4d28938a54069c7f65374c4ed

          SHA512

          3c170d8b1d94d0cf6ba83d012adc82a5833fd2f81fb538db40ccfb93eb7ba43d6e70f6f6db8b18215f155b84302bdfee9bcd01c2c557429d2c688c0723d9093a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921400487801703.txt

          Filesize

          14KB

          MD5

          b9a3570135c6cdac61e23a655424bb81

          SHA1

          b25c823b867b820fa34e0d61892c99af1b3db241

          SHA256

          e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

          SHA512

          73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          12KB

          MD5

          29fa0440701e32f34724262a36dfbc2a

          SHA1

          5d9b06fc83fe45f5e8d27caf8718c490b549fa26

          SHA256

          6c60961da4504c91a65321318be0b1879cb3fbe3f19c67a2ecf5a8dbe407a147

          SHA512

          b643004efd21b27b3d806b3d8fa05ca4abb0a6acea3c5785f0eb50a1cf3c17db3f0c5821e9526bcfcc1a34786ba7cce7dc285b7456e65f710e2cee5fcf73b96c

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          12KB

          MD5

          749a4f23b19c9d52a06ddc0e4dc8f204

          SHA1

          7a23723ac2aeac82bd9b3d52eba4fdb998e73963

          SHA256

          1d9a34766e71d8bb4e94938347120e91989cccb16da49de653dfa27869e45270

          SHA512

          7ecac3d6d112a3b3abcdcf71305af70dcf238c68404c6dc9cb95ee0ddce26d53b61bb66588bf4c9817b1be955a1e2dc41bd2ff7865a4f6b0155f9ec30231ea78

        • memory/4276-5835-0x0000029195E00000-0x0000029195E20000-memory.dmp

          Filesize

          128KB

        • memory/4276-5834-0x00000291959F0000-0x0000029195A10000-memory.dmp

          Filesize

          128KB

        • memory/4276-5826-0x0000029195A10000-0x0000029195A30000-memory.dmp

          Filesize

          128KB

        • memory/4436-5865-0x000001D399000000-0x000001D399100000-memory.dmp

          Filesize

          1024KB

        • memory/4436-5864-0x000001D399000000-0x000001D399100000-memory.dmp

          Filesize

          1024KB

        • memory/4436-5868-0x000001DB9B4C0000-0x000001DB9B4E0000-memory.dmp

          Filesize

          128KB

        • memory/4436-5885-0x000001DB9B890000-0x000001DB9B8B0000-memory.dmp

          Filesize

          128KB

        • memory/4436-5876-0x000001DB9B480000-0x000001DB9B4A0000-memory.dmp

          Filesize

          128KB