Analysis

  • max time kernel
    469s
  • max time network
    1591s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    04-03-2024 18:05

General

  • Target

    potato-launcher.exe

  • Size

    125.1MB

  • MD5

    18ee796a8809b673ff1557d2e5de0d2d

  • SHA1

    caed7dc59028467b18d851a60c62de75871dbafc

  • SHA256

    6d83c3644949d716ab50d79a264eb3c27899ad76ac5db67445974d32ff34e81e

  • SHA512

    5a580c461837bd4200e6dadb92bb12166e7c1f0e30fa53abcd447933454a59387d3e528d616aa04dfa38e987ae3f70cc0cbe95bd9d171bd28b19d69508e76c5c

  • SSDEEP

    1572864:DQieIiHsefCEh2C/OFYt7D5tbkhl440qH2A6LRzQmTXqiGrB:DGEC/qYt2sTX+

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry. The sandbox rates this as a likely geofence, but the same read is made by ordinary software that queries the user's region or locale, so on its own it is a weak indicator.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

    Attributed to the parent process (PID 4924) in the tree below. Chromium's sandbox broker initialises each child it launches by writing into the new process with WriteProcessMemory, so an Electron main process is expected to trigger this; the count alone is not evidence of injection into unrelated processes.

Processes

  • C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=gpu-process --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1460 /prefetch:2
      2⤵
        PID:5076
      • C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3460
      • C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=renderer --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
        2⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        PID:4324
      • C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe" --type=gpu-process --field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2372 /prefetch:2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3932
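The tree above is Chromium's multi-process layout as used by Electron: `--type=gpu-process`, `--type=utility` (the network service) and `--type=renderer` children of one main process, with the renderer's `--app-path=...\resources\app.asar` pointing at a packaged Electron app. The switches that matter for triage are the ones that remove a child's sandbox: the renderer runs with `--no-sandbox` and `--no-v8-untrusted-code-mitigations`, and the second GPU process with `--disable-gpu-sandbox`. The Python below is an added example, not part of the report or of the sample, that parses these command lines and lists those switches per process. The set of flags it treats as sandbox-weakening, the helper names, and the omission of the long `--gpu-preferences` blob from the sample input are this example's own choices.

```python
import re

# Chromium/Electron switches that remove a process sandbox or a hardening
# mitigation. The selection is this example's assumption, not from the report.
SANDBOX_WEAKENING = {
    "--no-sandbox": "process runs outside the Chromium sandbox",
    "--disable-gpu-sandbox": "GPU process runs outside the Chromium sandbox",
    "--no-v8-untrusted-code-mitigations": "V8 untrusted-code (Spectre) mitigations off",
}

# Command lines copied from the process tree above (constructed sample input for
# this example). The long --gpu-preferences blob is left out of the two
# gpu-process lines because the parser does not use it.
EXE = r'"C:\Users\Admin\AppData\Local\Temp\potato-launcher.exe"'
COMMON = ("--field-trial-handle=1452,12232941864867033136,7730113696170313515,131072 "
          "--enable-features=WebComponentsV0Enabled "
          "--disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,"
          "SameSiteByDefaultCookies,SpareRendererForSitePerProcess")
SAMPLE_TREE = [
    (4924, EXE),
    (5076, f"{EXE} --type=gpu-process {COMMON} --mojo-platform-channel-handle=1460 /prefetch:2"),
    (3460, f"{EXE} --type=utility --utility-sub-type=network.mojom.NetworkService {COMMON} "
           "--lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:8"),
    (4324, f"{EXE} --type=renderer {COMMON} --lang=en-US "
           r'--app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" '
           "--no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 "
           "--enable-main-frame-before-activation --renderer-client-id=3 "
           "--no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1"),
    (3932, f"{EXE} --type=gpu-process {COMMON} --disable-gpu-sandbox --use-gl=disabled "
           "--gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 "
           "--gpu-driver-version=10.0.15063.0 --mojo-platform-channel-handle=2372 /prefetch:2"),
]

# One argv token: runs of non-space characters, with double-quoted spans kept whole.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_chromium_cmdline(cmd):
    """Split a Windows command line into (image, switches).

    switches maps '--name' to its value ('' when the switch carries none);
    tokens that are not '--' switches (e.g. '/prefetch:2') are kept with ''.
    """
    tokens = [t.replace('"', "") for t in _TOKEN.findall(cmd)]
    switches = {}
    for tok in tokens[1:]:
        name, _, value = tok.partition("=")
        switches[name] = value
    return tokens[0], switches


def triage_process(pid, cmd):
    """Summarise one process: its Chromium role, sandbox state and weakening switches."""
    image, sw = parse_chromium_cmdline(cmd)
    return {
        "pid": pid,
        "image": image,
        # Chromium child processes carry --type; the browser/main process has none.
        "type": sw.get("--type", "browser"),
        "utility_sub_type": sw.get("--utility-sub-type"),
        "service_sandbox": sw.get("--service-sandbox-type"),
        "app_path": sw.get("--app-path"),  # Electron: the packaged app (app.asar)
        "disabled_features": [f for f in sw.get("--disable-features", "").split(",") if f],
        "weakened_by": [flag for flag in SANDBOX_WEAKENING if flag in sw],
        # Executing out of a user-writable temp directory is worth flagging in its own right.
        "runs_from_temp": "\\appdata\\local\\temp\\" in image.lower(),
    }


def triage_tree(processes):
    """Run triage_process over (pid, cmdline) pairs; result keyed by pid, in tree order."""
    return {pid: triage_process(pid, cmd) for pid, cmd in processes}


def report(processes):
    """One line per process naming its role and any sandbox-weakening switches."""
    lines = []
    for p in triage_tree(processes).values():
        kind = p["type"] + (f"/{p['utility_sub_type']}" if p["utility_sub_type"] else "")
        flags = ", ".join(p["weakened_by"]) or "none"
        lines.append(f"PID {p['pid']}: {kind}; sandbox-weakening switches: {flags}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TREE):
        print(line)
```

Run against the sample tree it reports the renderer (PID 4324) as running with `--no-sandbox` and `--no-v8-untrusted-code-mitigations`, the relaunched GPU process (PID 3932) with `--disable-gpu-sandbox`, and the network service and first GPU process as still sandboxed. The same parser can be pointed at Sysmon event ID 1 command lines to find Electron applications that ship with their renderer sandbox turned off.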

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\potato-launcher\Network Persistent State

      Filesize

      182B

      MD5

      4bf4de22b9ec2623df888602ec206927

      SHA1

      cca259876d216ce68ea6501dc497859fd30df5fa

      SHA256

      c482b2f9541b0b4df0aa2762a40e0e207142ed3135ec6232a7ec32c7bc8afce6

      SHA512

      9f848c07a9375ffe53347a4a9efd85a1ec535a5aaecda750799e6d3f35c6ab6868859609468cc7f80d893d9118faae6cccbfaa8455a70e246f520ce7fd53a77e

    • C:\Users\Admin\AppData\Roaming\potato-launcher\Network Persistent State~RFe58f596.TMP

      Filesize

      59B

      MD5

      2800881c775077e1c4b6e06bf4676de4

      SHA1

      2873631068c8b3b9495638c865915be822442c8b

      SHA256

      226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

      SHA512

      e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

    • memory/5076-8-0x00007FF9E6F00000-0x00007FF9E6F01000-memory.dmp

      Filesize

      4KB