Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

potato-lau....6.exe

windows7-x64

7

potato-lau....6.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDIR/app-64.7z

windows7-x64

3

$PLUGINSDIR/app-64.7z

windows10-2004-x64

3

LICENSE.electron.txt

windows7-x64

1

LICENSE.electron.txt

windows10-2004-x64

1

chrome_100...nt.pak

windows7-x64

3

chrome_100...nt.pak

windows10-2004-x64

3

chrome_200...nt.pak

windows7-x64

3

chrome_200...nt.pak

windows10-2004-x64

3

icudtl.dat

windows7-x64

3

icudtl.dat

windows10-2004-x64

3

locales/am.pak

windows7-x64

3

locales/am.pak

windows10-2004-x64

3

locales/ar.pak

windows7-x64

3

locales/ar.pak

windows10-2004-x64

3

locales/bg.pak

windows7-x64

3

locales/bg.pak

windows10-2004-x64

3

locales/bn.pak

windows7-x64

3

locales/bn.pak

windows10-2004-x64

3

locales/ca.pak

windows7-x64

3

locales/ca.pak

windows10-2004-x64

3

locales/cs.pak

windows7-x64

3

locales/cs.pak

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    potato-launcher.Setup.2.2.6.exe

  • Size

    60.2MB

  • MD5

    5344ce3654bd1db264e8cc5d75a62b59

  • SHA1

    817854ce44c8b3c5cc6854e7324f904f9f18d900

  • SHA256

    c5fd5691f4eec136f0bdbfbc3f84c0f70cb0b39d03ea4402eace25b90a699c82

  • SHA512

    d95874fe444133001a00738d79ce95e5486e7a215ddee25cb497d71ea2989319011734d5f0b8c2f921adf99aa93fc02131b9bb5f44844c36c24ff3cf3e6df86c

  • SSDEEP

    1572864:Ng0PJY8xZrIfDg7IksBLC958fhXdfbH5C:Ng0PJYuZkf37FCUdtVC

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 17 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\potato-launcher.Setup.2.2.6.exe
    "C:\Users\Admin\AppData\Local\Temp\potato-launcher.Setup.2.2.6.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3376
  • C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe
    "C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe
      "C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe" --type=gpu-process --field-trial-handle=1572,18409305928427292021,11744419679773072136,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1580 /prefetch:2
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3356
    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe
      "C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,18409305928427292021,11744419679773072136,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:8
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:712
    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe
      "C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe" --type=renderer --field-trial-handle=1572,18409305928427292021,11744419679773072136,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\potato-launcher\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2544
    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe
      "C:\Users\Admin\AppData\Local\Programs\potato-launcher\potato-launcher.exe" --type=gpu-process --field-trial-handle=1572,18409305928427292021,11744419679773072136,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1480 /prefetch:2
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4760
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:220

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\D3DCompiler_47.dll
      Filesize

      4.3MB

      MD5

      7641e39b7da4077084d2afe7c31032e0

      SHA1

      2256644f69435ff2fee76deb04d918083960d1eb

      SHA256

      44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

      SHA512

      8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\chrome_100_percent.pak
      Filesize

      123KB

      MD5

      a59ea69d64bf4f748401dc5a46a65854

      SHA1

      111c4cc792991faf947a33386a5862e3205b0cff

      SHA256

      f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9

      SHA512

      12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\chrome_200_percent.pak
      Filesize

      183KB

      MD5

      1985b8fc603db4d83df72cfaeeac7c50

      SHA1

      5b02363de1c193827062bfa628261b1ec16bd8cf

      SHA256

      7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b

      SHA512

      27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\ffmpeg.dll
      Filesize

      2.7MB

      MD5

      32305330c7da4c1f8f5d6a96cea1c050

      SHA1

      faffd0472613ec05e03b97e19ab2cf3fcc1131c3

      SHA256

      a82017dcdeffa20362af06e6891335e3dc720c04721c7c99f57ffc2f1f5e12a7

      SHA512

      be50b90f8f036d8631c4ee08601bb16fbe93fb7f7a5460af312a7bbaf595541acf722637bc8830c25f9b957abe68cbffb0adf594ffcfb675ce82122b062cb283

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\icudtl.dat
      Filesize

      9.9MB

      MD5

      70499b58dc18e7ee1d7452a1d7a8bc6e

      SHA1

      41c5382f08c6a88670ce73a20c0dcdb3822f19e9

      SHA256

      02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0

      SHA512

      a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\libEGL.dll
      Filesize

      436KB

      MD5

      58b262243d3fc20bd2be53dc5a916704

      SHA1

      e5d327d0ae3dd8c6d8703d1a948ca149af05a804

      SHA256

      3c7bb3af62b10503e4b7365b36f417940cf905062f67b44f6a720ecbb8fa1cd6

      SHA512

      1d100b64003f4899b88588c0542ba1a11838755aa39aeda8590e3f54f4a107fc394ccb076a3f51f9366cc8df02452c1437304efd1ef97cb1b673cb096e7457e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\libglesv2.dll
      Filesize

      7.5MB

      MD5

      b6d3c9f886ca3f0c23a1127ad315a0f4

      SHA1

      182816a795662a55a3cece044394aebe2321cd80

      SHA256

      8f88137a6808da0528231c0d6718fb0c8f261395b5960943149260e2827b6558

      SHA512

      8f6ebb9a774f0049f511c246a27f9a67aa1696fc5b17579e60899a144098baf3815dc60c6933ad37efeab5d9e8a88dc4b3f0d615f313619ece3b500cca27a41d

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\locales\en-US.pak
      Filesize

      85KB

      MD5

      6bbeeb72daebc3b0cbd9c39e820c87a9

      SHA1

      bd9ebec2d3fc03a2b27f128cf2660b33a3344f43

      SHA256

      ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b

      SHA512

      66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\resources.pak
      Filesize

      4.9MB

      MD5

      6120d136e6d76250458f419b8d3bb719

      SHA1

      185fcbf43e5e3c42b4c5e458429389432e5a038f

      SHA256

      16c0aacf7f675564d93daf07faf027842225f06f77d83fe4de8b45999617571a

      SHA512

      b41c3ecb4363fa43bb277ceee3f9bca25d00838e28434f7d85a92d275d558c392d6250f6564eea1353adb9bf8696923a09dee93ecf1187b3b9766bccd399fad7

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\resources\app.asar
      Filesize

      9.0MB

      MD5

      3e36aec2ca825a9d4dccd4fce4cd62d2

      SHA1

      0696e73b83aeca408ae4e7b6d1e16f6e1418ea1a

      SHA256

      07b4c728170b8a9318ea79679d2f5c3602344b35280679148a4e828e928b863d

      SHA512

      9d7645263a9818e5e811c4563d6146dd7437cfda8bb43311553b776f8a1c67a4191c025d1dc61915417a8295644dafc7a2f939e3016544c3340b0d8bdcdef5c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\potato-launcher\v8_context_snapshot.bin
      Filesize

      160KB

      MD5

      06a8585b4d1376ec2f559ae59efd82ab

      SHA1

      5ac5fb297c113109c979fae08cf1245a56b80acc

      SHA256

      662cc8ea152b1c4f910085b207b5b14826aed9f324ea23a9602db6d61c721c4f

      SHA512

      d77097fd0d17a29c7a231677598da238d14c34d8efb7b03e72aa94f3dc6a8fa7cbec3a8a5eaffd8cf9db83894c1fd0f7d7bcf38e6abb1899a8884371f6607729

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsh8CB0.tmp\SpiderBanner.dll
      Filesize

      9KB

      MD5

      17309e33b596ba3a5693b4d3e85cf8d7

      SHA1

      7d361836cf53df42021c7f2b148aec9458818c01

      SHA256

      996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

      SHA512

      1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsh8CB0.tmp\StdUtils.dll
      Filesize

      100KB

      MD5

      c6a6e03f77c313b267498515488c5740

      SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

      SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

      SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsh8CB0.tmp\System.dll
      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsh8CB0.tmp\WinShell.dll
      Filesize

      3KB

      MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

      SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

      SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

      SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsh8CB0.tmp\nsProcess.dll
      Filesize

      4KB

      MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

      SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

      SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

      SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsh8CB0.tmp\nsis7z.dll
      Filesize

      424KB

      MD5

      80e44ce4895304c6a3a831310fbf8cd0

      SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

      SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

      SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • C:\Users\Admin\AppData\Roaming\potato-launcher\Network Persistent State
      Filesize

      182B

      MD5

      4bf4de22b9ec2623df888602ec206927

      SHA1

      cca259876d216ce68ea6501dc497859fd30df5fa

      SHA256

      c482b2f9541b0b4df0aa2762a40e0e207142ed3135ec6232a7ec32c7bc8afce6

      SHA512

      9f848c07a9375ffe53347a4a9efd85a1ec535a5aaecda750799e6d3f35c6ab6868859609468cc7f80d893d9118faae6cccbfaa8455a70e246f520ce7fd53a77e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\potato-launcher\Network Persistent State~RFe58c138.TMP
      Filesize

      59B

      MD5

      2800881c775077e1c4b6e06bf4676de4

      SHA1

      2873631068c8b3b9495638c865915be822442c8b

      SHA256

      226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

      SHA512

      e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

      Download Submit

    • memory/3356-219-0x00007FF800E40000-0x00007FF800E41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3356-303-0x000001FB06290000-0x000001FB06431000-memory.dmp

      Filesize

      1.6MB

      Download