hxxps://samperson[.]itch[.]io/desktop-goose

Analysis

max time kernel
47s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samperson.itch.io/desktop-goose

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2408	msedge.exe
2408	msedge.exe
3016	msedge.exe
3016	msedge.exe
4784	identity_helper.exe
4784	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3228	3016	msedge.exe	60
PID 3016 wrote to memory of 3228	3016	msedge.exe	60
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 3516	3016	msedge.exe	86
PID 3016 wrote to memory of 2408	3016	msedge.exe	85
PID 3016 wrote to memory of 2408	3016	msedge.exe	85
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87
PID 3016 wrote to memory of 3548	3016	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samperson.itch.io/desktop-goose
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb7ab46f8,0x7ffbb7ab4708,0x7ffbb7ab4718
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6666675229955145684,7157427602409376977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84381d71cf667d9a138ea03b3283aea5

SHA1
33dfc8a32806beaaafaec25850b217c856ce6c7b

SHA256
32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424

SHA512
469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\284714ae-86c1-4af4-abd2-b9dd5f3795cc.tmp

Filesize
24KB

MD5
35f77ec6332f541cd8469e0d77af0959

SHA1
abaec73284cee460025c6fcbe3b4d9b6c00f628c

SHA256
f0be4c5c99b216083bd9ee878f355e1aa508f94feb14aeebcfba4648d85563a7

SHA512
e0497dbe48503ebbf6a3c9d188b9637f80bccf9611a9e663d9e4493912d398c6b2a9eab3f506e5b524b3dabbca7bb5a88f882a117b03a3b39f43f291b59870c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
a40fab99bd7606b832bdcfb76ef42bac

SHA1
08968a3ba015114411cecbabf7c371648bdabbaa

SHA256
bac74f6b1c011fe7eeb9abdb745dc3b51fd6885a67a82b9d2c7f70a8c21a445a

SHA512
a8d287c6e5207821acb61af39ff46b0a7e40403d311f5910b2c7e013db048b4e3366f3f9a56b81508dbb0e214b0267418a84b7a5f6f3698792dfede216598cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
037022d000b77b5a1364e840c9f40913

SHA1
47e456958aa35c9c54d296ca1f694a8abaa3157f

SHA256
0014bc3c565fdad50c508b0c8bac3c49c30c8acade9bfe065c4bcc0d52926f6e

SHA512
a5f91510276b18ccb2a9754290a29bce15f9828f3b10b6e4e803c3a328c7abb505b4e2b90aeb89bc03447f15471282db18df0902d14874c609f1cb003517bb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba5ceff9400d1d3cb69f25d91f56b9ee

SHA1
2a0e254c920c04ca4d546ec28e601f777a180928

SHA256
82c685661ef27d6955a931e5d81a30e93c937786a595f5813f385f2aec1962c6

SHA512
590e5c073f5549c823b75995f9b9fe2334de5324c9036c106f53463da07f82dcd750e30a4165f43b9c60df11ae2dcf92e757692c90e6335b16d2a339a411b443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0df96ba1bf7cf7ace7ee834e76a88ad0

SHA1
d122a16d913561418d48ebf2dd66cee1178a1ac3

SHA256
d3eeb0c741311fc3a0292f1e05cc1fcc632fedad335e8b9dccba87da70f519da

SHA512
9cf9a6fcde10b7db2252f17086a04baca8669d6f6f8f00a112f268e4ac13ddb39c4c7c2e0f916f8096b953bff28cad24e656d7b9b229509e2c48a85572752950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d999cafb292409b4ee562ba49f993950

SHA1
848bee7f3317b29865172f5b6d23e0a808d901f0

SHA256
0079fbf9717ad6364c6c48ab1ece304e58d2d1160b37f5b4f55e4fd2cb97e282

SHA512
7c79990b58ce5ba149ae060347e73d7117d7c0f21c6a934825c0ec93c5f95efcb327d8080a31948c598abd913688e6f06807d02b966f5d44b2fc3938f26a0899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c7d8e27028c855340d08c17cf2ba1e7a

SHA1
ec8d99d45c0bc92e76d219bc2460753983bc495c

SHA256
7488469a878db999941e4824b5bdf744e36e8761c2764b6c419ae32547b30255

SHA512
fb842dbdce3bfb03c58857fb8000e4f03aa838b8f46c327abea15fdd434c0d62f286e8a4af91ca18d312c060d82a5187a1ca93ad83f2e460ecbe178e14c13997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e15350be105fbfb5a650cccecd04f488

SHA1
a8b4c95b1c5c27837ce8525510952cc5b9f9aaa4

SHA256
77668f5e1b075be396d0f63add413062a82e8b9fda9f7c045fbebb538c6cb88a

SHA512
3580ef2132191ec9d93da8ea6bf9ba9140f7efbfc7a990e34dab39bce2f9866299d1c01d6552d6d878a9e1b69e1279c4919e2a8ec3db6d727111a68329306faf

Download Submit