8b4f3b6766beb4e90ba462610d192408d61138155f5bb012b8ff898e1f0bc3af

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

45.9MB
MD5

c0f835c27793a4af61fbfe851e41c61b
SHA1

e13c361912723d02f90aaaecb1db7a8b10f05c8e
SHA256

8b4f3b6766beb4e90ba462610d192408d61138155f5bb012b8ff898e1f0bc3af
SHA512

c3bc9f15c93eaa1ebdb6676d8beddc6100aa79d523bd598aec47541f4ec978e1b5904b9468bbdf9459076344c5fff122e4e59d6734d378379d28cc1eb661df7a
SSDEEP

393216:A4wUMfMvgtQjIOlTTvwTzRMPIaZ2X+060hYTTdOALQWQziLPDc56f7e3RqaospV+:GfMUQjIQTzwiIKlnLKGbK3Rq6qu/G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1976	setup.tmp
4396	unins000.exe
5052	_iu14D2N.tmp

Loads dropped DLL 3 IoCs

pid	Process
1976	setup.tmp
1976	setup.tmp
1976	setup.tmp

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Goat Simulator\Binaries\Win32\is-MS84S.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Goat Simulator\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Goat Simulator\unins000.dat	_iu14D2N.tmp
File created	C:\Program Files (x86)\Goat Simulator\is-TEE3K.tmp	setup.tmp
File created	C:\Program Files (x86)\Goat Simulator\Redist\is-R6C5J.tmp	setup.tmp
File created	C:\Program Files (x86)\Goat Simulator\Redist\is-J98BR.tmp	setup.tmp
File created	C:\Program Files (x86)\Goat Simulator\Redist\is-PL5T3.tmp	setup.tmp
File created	C:\Program Files (x86)\Goat Simulator\is-CP5LJ.tmp	setup.tmp
File created	C:\Program Files (x86)\Goat Simulator\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Goat Simulator\is-QBEFE.tmp	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	setup.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 1976	3428	setup.exe	90
PID 3428 wrote to memory of 1976	3428	setup.exe	90
PID 3428 wrote to memory of 1976	3428	setup.exe	90
PID 1976 wrote to memory of 4396	1976	setup.tmp	103
PID 1976 wrote to memory of 4396	1976	setup.tmp	103
PID 1976 wrote to memory of 4396	1976	setup.tmp	103
PID 4396 wrote to memory of 5052	4396	unins000.exe	104
PID 4396 wrote to memory of 5052	4396	unins000.exe	104
PID 4396 wrote to memory of 5052	4396	unins000.exe	104

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\is-K41PJ.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K41PJ.tmp\setup.tmp" /SL5="$702B4,47874797,53248,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files (x86)\Goat Simulator\unins000.exe
    "C:\Program Files (x86)\Goat Simulator\unins000.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\Goat Simulator\unins000.exe" /FIRSTPHASEWND=$201D6 /SILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Goat Simulator\Binaries\Win32\GoatGame-Win32-Shipping.exe

Filesize
41.5MB

MD5
98aa9fb897a5ed3673654b2923953f7e

SHA1
771617bde7626aba2a7c7139fb0697996ea15cc7

SHA256
7f24dea3330fc02fb0c11acdd46a4aa673e2c4d38ec9510f152696e5a0e56619

SHA512
4eb1efafba2bca60bcfd010be1c3452b173d56274f5c9e91ea01e22a4de0d40a76068631523fc38e218f408bf565313432fef4d75e0ccdaeeda885e51a945e3b

Download Submit
C:\Program Files (x86)\Goat Simulator\Redist\dotNetFx40_Full_setup.exe

Filesize
868KB

MD5
53406e9988306cbd4537677c5336aba4

SHA1
06becadb92a5fcca2529c0b93687c2a0c6d0d610

SHA256
fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425

SHA512
4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

Download Submit
C:\Program Files (x86)\Goat Simulator\Redist\dxwebsetup.exe

Filesize
292KB

MD5
880a353dc9ab4202f2cfbec1cb37181d

SHA1
0bafee10ed68194fb332d3b46f7d92c8ad962843

SHA256
6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578

SHA512
795db9946ac4bac6af4afcbd2e87671b45c488ea32d61daa821012f0213bde76af1d7ae395b9adfdc0fed5fd80367e232a6bc1d834e7dc9028b885fa908149d8

Download Submit
C:\Program Files (x86)\Goat Simulator\Redist\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
C:\Program Files (x86)\Goat Simulator\d.url

Filesize
199B

MD5
b4e166f1350a90236dbe1474410deca0

SHA1
82429f70bad41f880eba2c98111253778bf0b7bc

SHA256
c998172c4843a25e6bbe182b37efa7816d7427942641749bfdd6b6549fccb7d8

SHA512
22cd8a7075177e5f6a50d37d991ca8a3415cd87f4502b00668ceb8db0d541a3749f5c4fa8cc6117d3fcad0f21c34ef86fe8e66418324047720502fa4453f10f1

Download Submit
C:\Program Files (x86)\Goat Simulator\ic.ico

Filesize
4KB

MD5
0ad69f7ddfa482eed49f9e6bbf160db3

SHA1
62c2af8d68e27529c63dd217642b42bf04d939a7

SHA256
11a6871005afc9868c9915dbd26cb5c888ca3cd31a74a2c58dbf60a32be5b95b

SHA512
1a8d83aab8f74cc649b7d5d466b4c17302cae9dbd021c4d5003e37a8b8a97784cdcfba411b4ae36ad92afa3c674c8951e045b1ff7e81afb8f9800b731e4ae475

Download Submit
C:\Program Files (x86)\Goat Simulator\unins000.dat

Filesize
44KB

MD5
559a27ab3157e5886794f0dd6b25cd42

SHA1
d0bb5c745da1e6eb312dd091e6b37c47ee31ebf9

SHA256
daca4a5b7731c97259e1bafc3029471a0cac832567fb97c03a83d601f2f8a13e

SHA512
2ad8fb8526310574409ba5b24366c6218740f4848620df6f037d8db8833723dac0e353f3439e2a49da0308907b72c9207eda88bf376e43b4613251f5c53d6913

Download Submit
C:\Program Files (x86)\Goat Simulator\unins000.exe

Filesize
681KB

MD5
d8b7abcd932ba43ac150e77ef78018fc

SHA1
688d0f877d0aa4db9b1ec6990922c7712f66aaef

SHA256
74931dec9acdf27a1c28e8855bcd0bd7bbfa276ee9f6ea30e3fab26889af700d

SHA512
540edbf4adf822b2736893755daf179c349ce13cc8efebaae95c5f71fe56c6e662fcbe4e7b21f35e2a847c802e26747c51025f0c2872667f6742888691e4e041

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Goat Simulator\Cat-A-Cat GAMES.lnk

Filesize
1KB

MD5
baec55a2e272ce98d91f09d81a259235

SHA1
bcf04df894429cd21c76a63fab50b683c916cf43

SHA256
02b1d844b01c4778a27918245b520fd1b4870bb186ae9043e6a6b9bfed0583e8

SHA512
506c03ef5152c47238d4808517e6a4a5844d470b640af5ee03c8fd64720cef3d61dfbca2d941d42e0ba08b6f4f517208e862f3e0ebd31bce99a75e61ed2eef1c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Goat Simulator\Goat Simulator.lnk

Filesize
2KB

MD5
dab550b3d633e7225d1045ff7ab6b6ca

SHA1
eb8d3b2fdc03e589d05bc6a202eb409a11864129

SHA256
048780b72f19bb156c972a49cd87ea67f67d1e82b9f5de79b9e7f316df31ce4b

SHA512
a082cc41b952eda0943a80777c93e4ba612fc9583406cec3ac4177f87019c3ecd3f6d0c7499c7c4a95d50734e932cf6664b8f29b6cf8670422b4921f492d604b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Goat Simulator\Óäàëèòü Èãðó.lnk

Filesize
1KB

MD5
5446256c798d6fdbdb5776f438cfe370

SHA1
c39d78adf690389ece4f616952f1198d415bcd26

SHA256
b382b3d8bf1bd42510726410155073327c02da52f0e49d01a5cdda27cbd1e567

SHA512
d869a0cfe9cc1d5db9cebecab5d574d7f8ff15382f190a208cb6183362cfd94b0189b39961564f290cce4eb1054eef62a791321e406dd18e59e5d9bf4c7badab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AIE0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G168J.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G168J.tmp\unarc.dll

Filesize
299KB

MD5
d6c79afef36773206e479e0b1a7cf059

SHA1
5faa19aa1629e401915001a3392e3d916be38578

SHA256
5b08aff352a39b7e10efdaa99efb27e02c2fe16b6e5c2e4c14b84a64eee86d6b

SHA512
4016292d81779f635baf6f5756b6f07474a0265d3845a02937d30422427e11e5b27b8494689ebd6242c07f50642d2b2d3589f43d97b3b121927fb99bb1c2c5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K41PJ.tmp\setup.tmp

Filesize
671KB

MD5
acec08a952e0b9a24afe1f95bb335e11

SHA1
edd75d5928d96c0eddae2fc88bc52787357acc46

SHA256
52976fc5d14c217b0b50f4c95e81cd82494430035d15bbcd586303f6b5f63b44

SHA512
93b3a2964857e0cb3ef4425a33279b16f7a914d1ce585406141f81680ce9a469f41c4199cfc3acaf0246a4d978dcbf22bfa68978217054c9b04b93b8280716a7

Download Submit
C:\Users\Public\Desktop\Cat-A-Cat Games.lnk

Filesize
1KB

MD5
662a23bd927dc072ce9a16166b752169

SHA1
45e0d535730a841e9188d0d19b28fbc2e989bae8

SHA256
24dbb0730461228c6ef4d14a247f4bdd7455b5c3a27fbba9635546766f8e00f4

SHA512
879a7c99a271f5b86eed9d5241944f668585df101aa07b9b94ca5da71e663d3f1edcc88f821b5f7b0a693f48b60f2f81c1ed4deab73065b71b42480c45ef6b00

Download Submit
C:\Users\Public\Desktop\Goat Simulator.lnk

Filesize
2KB

MD5
85bf87b9f42532c8017950d144456ef6

SHA1
ff66e6bbdd5d732dd1948ce63e2b59450d50da55

SHA256
daaa10d371b5dbd4af4cb3e7c263877741e9bf9c4291bbac92c5f94a1f6000f7

SHA512
e69487568182533d3234810ded0d646958c83702d221069f8f6be0f7844634e32c71c9a095aebb68f5cd5b85d0a100a30c0801edf2d8fc097ba63b7bef3aaf60

Download Submit
memory/1976-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-60-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-115-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-65-0x0000000002430000-0x0000000002445000-memory.dmp

Filesize
84KB

Download
memory/1976-107-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-82-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-61-0x0000000002430000-0x0000000002445000-memory.dmp

Filesize
84KB

Download
memory/1976-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-26-0x0000000002430000-0x0000000002445000-memory.dmp

Filesize
84KB

Download
memory/1976-18-0x0000000002430000-0x0000000002445000-memory.dmp

Filesize
84KB

Download
memory/1976-103-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-7-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1976-27-0x0000000061080000-0x000000006110B000-memory.dmp

Filesize
556KB

Download
memory/3428-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3428-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3428-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3428-116-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4396-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4396-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5052-101-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5052-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download