Analysis
max time kernel: 469s
max time network: 1591s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-03-2024 18:05
Static task: static1

Behavioral tasks (every task ran on resource win10-20240221-en):
behavioral1: potato-launcher.Setup.2.2.6.exe
behavioral2: $PLUGINSDIR/SpiderBanner.dll
behavioral3: $PLUGINSDIR/StdUtils.dll
behavioral4: $PLUGINSDIR/System.dll
behavioral5: $PLUGINSDIR/WinShell.dll
behavioral6: LICENSES.chromium.html
behavioral7: d3dcompiler_47.dll
behavioral8: ffmpeg.dll
behavioral9: libEGL.dll
behavioral10: libGLESv2.dll
behavioral11: potato-launcher.exe
behavioral12: resources/elevate.exe
behavioral13: swiftshader/libEGL.dll
behavioral14: swiftshader/libGLESv2.dll
behavioral15: vk_swiftshader.dll
behavioral16: vulkan-1.dll
behavioral17: $PLUGINSDIR/nsExec.dll
behavioral18: $PLUGINSDIR/nsProcess.dll
behavioral19: $PLUGINSDIR/nsis7z.dll
behavioral20: Uninstall potato-launcher.exe
behavioral21: $PLUGINSDIR/StdUtils.dll
behavioral22: $PLUGINSDIR/System.dll
behavioral23: $PLUGINSDIR/WinShell.dll
behavioral24: $PLUGINSDIR/nsExec.dll
behavioral25: $PLUGINSDIR/nsProcess.dll
General
Target: potato-launcher.exe
Size: 125.1MB
MD5: 18ee796a8809b673ff1557d2e5de0d2d
SHA1: caed7dc59028467b18d851a60c62de75871dbafc
SHA256: 6d83c3644949d716ab50d79a264eb3c27899ad76ac5db67445974d32ff34e81e
SHA512: 5a580c461837bd4200e6dadb92bb12166e7c1f0e30fa53abcd447933454a59387d3e528d616aa04dfa38e987ae3f70cc0cbe95bd9d171bd28b19d69508e76c5c
SSDEEP: 1572864:DQieIiHsefCEh2C/OFYt7D5tbkhl440qH2A6LRzQmTXqiGrB:DGEC/qYt2sTX+
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Process              Description         IoC
  potato-launcher.exe  Key value queried   \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Control Panel\International\Geo\Nation
  potato-launcher.exe  Key value queried   \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Control Panel\International\Geo\Nation

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  PID   Process
  3460  potato-launcher.exe
  3460  potato-launcher.exe
  4324  potato-launcher.exe
  4324  potato-launcher.exe
  3932  potato-launcher.exe
  3932  potato-launcher.exe
  3932  potato-launcher.exe
  3932  potato-launcher.exe

Suspicious use of WriteProcessMemory (46 IoCs)
Processes (identical rows collapsed; the count of each row is given at the end):
  Description                        PID   Process              procid_target
  PID 4924 wrote to memory of 5076   4924  potato-launcher.exe  74   (40 rows)
  PID 4924 wrote to memory of 3460   4924  potato-launcher.exe  75   (2 rows)
  PID 4924 wrote to memory of 4324   4924  potato-launcher.exe  76   (2 rows)
  PID 4924 wrote to memory of 3932   4924  potato-launcher.exe  77   (2 rows)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe"
  PID: 4924
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  Level 2 (child of PID 4924): C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=gpu-process --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1460 /prefetch:2
    PID: 5076

  Level 2 (child of PID 4924): C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:8
    PID: 3460
    Signatures: Suspicious behavior: EnumeratesProcesses

  Level 2 (child of PID 4924): C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=renderer --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
    PID: 4324
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses

  Level 2 (child of PID 4924): C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=gpu-process --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2372 /prefetch:2
    PID: 3932
    Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 182B
MD5: 4bf4de22b9ec2623df888602ec206927
SHA1: cca259876d216ce68ea6501dc497859fd30df5fa
SHA256: c482b2f9541b0b4df0aa2762a40e0e207142ed3135ec6232a7ec32c7bc8afce6
SHA512: 9f848c07a9375ffe53347a4a9efd85a1ec535a5aaecda750799e6d3f35c6ab6868859609468cc7f80d893d9118faae6cccbfaa8455a70e246f520ce7fd53a77e

File 2
Filesize: 59B
MD5: 2800881c775077e1c4b6e06bf4676de4
SHA1: 2873631068c8b3b9495638c865915be822442c8b
SHA256: 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512: e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b