Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19/05/2025, 14:25

General

  • Target

    2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    9683dda5462f983c35536907ab248964

  • SHA1

    183fbb7d9b518a720e4ecfc8a5870c66841997f9

  • SHA256

    de5cde8382551f355f84b439277bd0c7c929f8d60669a21de6c5346853948037

  • SHA512

    c638f7edd816ad43989e657bad82a4f5760f20cbbd954d6695788d3b269acb1ee6c8a8c74d7b26335035b0675ece909bc52a8121dbfa0e41ea2947de0de0f2a2

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q42:ieF+iIAEl1JPz212IhzL+Bzz3dw/V0

Malware Config

Signatures

  • Gofing

    Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family 3 IoCs
  • Renames multiple (51) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1224
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2744
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4040

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files\7-Zip\7-zip.dll

          Filesize

          4.2MB

          MD5

          573ce27e20449e284b919c487a35526b

          SHA1

          46d596989ce94953c94b6d5c5c176af6b3ccf784

          SHA256

          3600f01f77287451e7297d4ea9b454062bf4ef0d17736357e07fe530e7baa1b6

          SHA512

          0afb779e5dc4d97cbfed4df0a26e9302c41ff32ae562bf77fea700a7d9ea461a62d004797278b07a507a624bb18621e1094a514c36a090b68a7151212efe1fcf

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          4.4MB

          MD5

          76e336ca62749eb4a3e471f170cb3017

          SHA1

          2588ef15faa7c05d60fe9bd77a066dfcd47c6722

          SHA256

          675b2b3f3ef7b84bfa272130e1fe70ec52132badb2f21ca771907bb05be494be

          SHA512

          2ae20120e106893dbec0a2c48b86602bdbb2bd928633d59e54e5075ff525404a6ed935215b54fe547f7fa80bc138bfeb051a87c15ab655ff6b5abd0cd45adc14

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          df8314eb0dae6091c41f697729a97af5

          SHA1

          3dc5a38593185bd39eb92455ba5da9488990ce6c

          SHA256

          c98b441f54c471e1437fbf5dbc2b59e130af03456048fbea7657d93999560db7

          SHA512

          8db2c7b1b4f51ad0afa982c2e1abad7efd1a208a9e14927ce66288fda58c97f150c5ae0c32f3a06e4f8ba00798ad38e0a343f5a6bcb8413700effe93c9a91e35

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXMWSROC\microsoft.windows[1].xml

          Filesize

          96B

          MD5

          d1fa3bb8936674b1a19634902bdfd5c8

          SHA1

          0ac11dd3a241056ea263e2a529558131da75a3bd

          SHA256

          880169ece509a987d4fe7f9f034d9fd302755704371fc2b54aa7b1e0f1f9395e

          SHA512

          2a49cebbbe0e9aff80dbc0f7ecf631054c986964132fc7d2325362d493d5ee50fb518de881f57972e8b6d21beb62c554392b7a06fd015d3f7548d6d71826678c

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\apps.csg

          Filesize

          444B

          MD5

          5475132f1c603298967f332dc9ffb864

          SHA1

          4749174f29f34c7d75979c25f31d79774a49ea46

          SHA256

          0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

          SHA512

          54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\apps.schema

          Filesize

          150B

          MD5

          1659677c45c49a78f33551da43494005

          SHA1

          ae588ef3c9ea7839be032ab4323e04bc260d9387

          SHA256

          5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

          SHA512

          740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\appsconversions.txt

          Filesize

          863KB

          MD5

          f96bc17471a5a7512f96d1a7e96dc2ec

          SHA1

          dff2604dcf06f7da9566028771f81f3eb117105d

          SHA256

          d7b7ae405896463f8628f1acee505da01c95779aea86f6b63f3a426745030237

          SHA512

          01462aff1f1ca9fbc7a421a826984112cbef1546a41057213d76ad99fbf64ef131eb989fd3ae2bba1fac3c82c1081fd7c23b3b5d331bbe9d484f76d4ec57968d

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921384547499786.txt

          Filesize

          27KB

          MD5

          47a4ff6651a6ebe2afb78d818e46dd8d

          SHA1

          e067066b8517d3c5c307801bb8e7c0f8a5347115

          SHA256

          ac89c0958969e99c2b73a36a3ccc0088452612b3074f15797e278d7cc0380fa4

          SHA512

          5876248e231761f8e1ce00c58f9aa80d3d96270fffc03e2be0d165a1a086dceac2bd1bb3a609efa4ac58197896753b26bc74d3c18186acf8a6959ce5bd8bd046

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921384630886023.txt

          Filesize

          14KB

          MD5

          b9a3570135c6cdac61e23a655424bb81

          SHA1

          b25c823b867b820fa34e0d61892c99af1b3db241

          SHA256

          e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

          SHA512

          73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          12KB

          MD5

          585d59e56728fdeb3389e4fb7cd6bc3b

          SHA1

          bb169c6ec156a09bb60dc354958cd6cb3dd46090

          SHA256

          b16aa654cb4f6d1111954f861e1c2ff9ff2e97a4f5e9bed6ff3ae4cf9c1ac828

          SHA512

          212de690d347865bfbd5aebcae465b6eac5187013a9fe0b07e0275bf58e6f25d29b981c20a06ed894c2d3203090f51250e414b4b4dde7ede1f523670c3822665

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          13KB

          MD5

          a700bf85ea76215925e01281cdb77e0a

          SHA1

          11f39902e4119d7aab491faadb6e0130de0f7bff

          SHA256

          9f1931f5df753efff55d89290a3c15308127f4973b72b73676e68a7562ed3adc

          SHA512

          74c615a08fce167f2438f70be1fd2a720ae4de7a3809e5483ce0a84eac31990c0950e9acf45051a17852256d56e4c47c2089d3f01b23134c87cdc62338b12327

        • memory/2744-5654-0x0000011F43C50000-0x0000011F43C70000-memory.dmp

          Filesize

          128KB

        • memory/2744-5655-0x0000012745260000-0x0000012745280000-memory.dmp

          Filesize

          128KB

        • memory/2744-5647-0x0000011F43C90000-0x0000011F43CB0000-memory.dmp

          Filesize

          128KB

        • memory/4040-5771-0x000002822CF50000-0x000002822CF70000-memory.dmp

          Filesize

          128KB

        • memory/4040-5770-0x000002822CBC0000-0x000002822CBE0000-memory.dmp

          Filesize

          128KB

        • memory/4040-5736-0x000002822CC00000-0x000002822CC20000-memory.dmp

          Filesize

          128KB

        • memory/4040-5732-0x0000027A2AB20000-0x0000027A2AC20000-memory.dmp

          Filesize

          1024KB

        • memory/4040-5731-0x0000027A2AB20000-0x0000027A2AC20000-memory.dmp

          Filesize

          1024KB