Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2025, 14:34

General

  • Target

    2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

  • Size

    4.2MB

  • MD5

    9faa3989e1c265c64243e541933006a4

  • SHA1

    8da1a9fd1ce541a5a0f1482d92333b4971637af7

  • SHA256

    991c07d9836f6523cd1a62e546a9aaf35ddde4b45c7154b02c963187c365bbec

  • SHA512

    098741d61d625a3649300d24c09b4c6a6d6685cb269df65142b48ff4920ff2a8ed599cf5997b200c294137aa88ba56d16d98e178bb75fdd08632b49e509b966b

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4U:ieF+iIAEl1JPz212IhzL+Bzz3dw/VNs

Malware Config

Signatures

  • Gofing

    Gofing is ransomware written in Go that uses Velocity Polymorphic Compression (VPC) obfuscation.

  • Gofing family 2 IoCs
  • Renames multiple (52) files with added filename extension

    This is consistent with ransomware behaviour: files across the system are encrypted and renamed with an appended extension.

  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops Chrome extension 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
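Two of the behavioural signatures listed above, "Renames multiple files with added filename extension" and "Drops autorun.inf file", are heuristics over file-system events rather than static indicators. The following Python is an added example, not part of the sandbox's detection engine or of this report, showing how such a detector can be written so it can be replayed over rename and create events from an EDR or a sandbox trace. The event list, the `.locked` suffix and the threshold of 50 are constructed assumptions; the report itself only records that 52 files were renamed and does not name the extension.

```python
"""Replay-style detector for two sandbox signatures:
'Renames multiple files with added filename extension' and
'Drops autorun.inf file'. Runs over a constructed list of events."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: flag a mass rename when at least this many files gain
# the same new suffix in one trace (the report observed 52).
RENAME_THRESHOLD = 50


def appended_extension(old, new):
    """Return the extension appended to `old` to produce `new`, or None.

    A ransomware-style rename keeps the complete original name, including
    its extension, and appends exactly one more suffix:
    'report.docx' -> 'report.docx.locked'. Ordinary renames such as
    'report.docx' -> 'report_v2.docx' do not match.
    """
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    if o.parent != n.parent:            # moved, not renamed in place
        return None
    if not n.name.startswith(o.name + "."):
        return None
    suffix = n.name[len(o.name):]       # e.g. '.locked'
    if suffix.count(".") != 1 or len(suffix) < 2:
        return None
    return suffix.lower()


def detect(events):
    """events: iterable of (op, src, dst); op is 'rename' (src -> dst)
    or 'create' (src is None). Returns a dict of triggered signatures."""
    by_ext = defaultdict(list)
    autorun = []
    for op, src, dst in events:
        if op == "rename":
            ext = appended_extension(src, dst)
            if ext:
                by_ext[ext].append(dst)
        elif op == "create":
            p = PureWindowsPath(dst)
            # autorun.inf is only meaningful at a volume root (C:\autorun.inf),
            # so a copy dropped deeper in the tree is ignored here.
            if p.name.lower() == "autorun.inf" and p.parent == PureWindowsPath(p.anchor):
                autorun.append(dst)

    findings = {}
    for ext, files in by_ext.items():
        if len(files) >= RENAME_THRESHOLD:
            findings.setdefault("mass_rename_added_extension", {})[ext] = len(files)
    if autorun:
        findings["drops_autorun_inf"] = autorun
    return findings


def constructed_events():
    """Constructed sample, not sandbox output: 52 documents renamed with a
    '.locked' suffix (the suffix is an assumption), two benign renames that
    must not count, an autorun.inf at the volume root and a desktop.ini."""
    ev = []
    for i in range(52):
        src = rf"C:\Users\Admin\Documents\file{i:02d}.docx"
        ev.append(("rename", src, src + ".locked"))
    ev += [
        ("rename", r"C:\Users\Admin\Documents\notes.txt",
                   r"C:\Users\Admin\Documents\notes.txt.bak"),
        ("rename", r"C:\Users\Admin\Documents\report.docx",
                   r"C:\Users\Admin\Documents\report_v2.docx"),
        ("create", None, r"C:\autorun.inf"),
        ("create", None, r"C:\Users\Admin\Desktop\desktop.ini"),
    ]
    return ev


if __name__ == "__main__":
    for name, detail in detect(constructed_events()).items():
        print(name, detail)
```

The single `.bak` rename stays below the threshold and the `desktop.ini` create is not at a volume root, so only the two signatures the report lists fire. Tune `RENAME_THRESHOLD` to the environment: backup tools and archivers legitimately append suffixes to many files, so the count, not the pattern alone, carries the signal.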

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Drops Chrome extension
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3416
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2256
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3556

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files\7-Zip\7-zip.dll

          Filesize

          4.2MB

          MD5

          7d23f494eb481c8e8218a4d5d256c2a8

          SHA1

          08374433e7f1d31a8686a81beadc6f7e5e6d6458

          SHA256

          1058ec1dccf26989b31c1cee50c7e611382b8604a5434fc6b4e366fc0c964415

          SHA512

          6906ba12f751baabc88b3bd55c61a4b8dd619a3f4d73ba8e9983c5f9844d668ceded89f4782c7106c13740a2b91fe9bf071d91c43e6d3b98068e38f6efb64164

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.8MB

          MD5

          4e291df50371d2e638e6a06facd3c167

          SHA1

          037d9818ca840983ac914a284925c00600166dba

          SHA256

          f44b83b8b8294826cddc74a243bfafca6384119a0f86e6b0d97cf18d8384dc71

          SHA512

          26fd858d2fa19f245e6f4395c97bf4ed8e7ceadbef0e772bea5df45f2995ea56028151582ff8dc99c01911afd2c0e352e9c0b8f897858832d5830c8056dbef24

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\T8NJX1ZX\microsoft.windows[1].xml

          Filesize

          97B

          MD5

          ab679a886ba5bdef46117adbc46673e9

          SHA1

          12a618ecf20dd5badf25804d865bc7999d35fdf0

          SHA256

          a030bd09e7e25a30fa07ca6f7ab78d9c31e966c1a9decea5b6d4082796d2c105

          SHA512

          71bf6f403280b00aa89e007e75355b69a8feb4aa21948386f9cc3ecf8c3f823f52ab3c9732292a0892f25277d48b2efb4f7ddcf6b90612ac2125e9097012aacf

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921390014919862.txt

          Filesize

          14KB

          MD5

          b9a3570135c6cdac61e23a655424bb81

          SHA1

          b25c823b867b820fa34e0d61892c99af1b3db241

          SHA256

          e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

          SHA512

          73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          12KB

          MD5

          00c7f3ed978b5c62695a5acb5553a493

          SHA1

          7077ecd9d2a9f7a25c71c01ef8169ed70ddfe8f3

          SHA256

          991223388174e48476ec0744a4b928ed812266c5f5f8c1fc6338c55f09c0a3f6

          SHA512

          4ca590859c17503fa990e53c0b25540b5c1849516cb756d1a03850aa327e32994bcb857c9f7d36b6b8bb1ead273236fba5fd6b37dd84f8572803c82b7272deac

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

          Filesize

          13KB

          MD5

          afe53fbbff0f11ad7c1560e5f7637352

          SHA1

          ddbbb3d0a851c0b665e603dd699c978097ce8425

          SHA256

          088ce95aabb8e49ac41da4e8c1ab709c88a79a797b978b1db4174e1e66eaa193

          SHA512

          65f3a35969b9db97761ee227ee2839f0498b84472569387883d8085fe391080b1e0ecfc1066877201f1b60cdd44163714153dedfd9e78210587d9522097b6e48

        • memory/2256-5879-0x00000290E9840000-0x00000290E9860000-memory.dmp

          Filesize

          128KB

        • memory/2256-5887-0x00000290E9800000-0x00000290E9820000-memory.dmp

          Filesize

          128KB

        • memory/2256-5888-0x00000290E9B80000-0x00000290E9BA0000-memory.dmp

          Filesize

          128KB

        • memory/3556-5927-0x0000021E50B80000-0x0000021E50BA0000-memory.dmp

          Filesize

          128KB

        • memory/3556-5928-0x0000021E50B40000-0x0000021E50B60000-memory.dmp

          Filesize

          128KB

        • memory/3556-5929-0x0000021E50F50000-0x0000021E50F70000-memory.dmp

          Filesize

          128KB