676aea942a11ce91bc29388ca949fd2201682b63c13cf33327421d980e586e49

Analysis

max time kernel
122s
max time network
159s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PTOTAC_WINCASIHD_17.50.58.exe
Size

45.9MB
MD5

cfd4bc5b3adfdb2716cc92f2d8a49784
SHA1

e3b777de2f0201155bac46c4a168a2aa787e72bb
SHA256

676aea942a11ce91bc29388ca949fd2201682b63c13cf33327421d980e586e49
SHA512

28be60febf0ea1d2fee656a80bbcdba2a5871244984cf81f243e3467481ba59db09f61c4ebba36c8d59c74ef524575831b72082eacf1988c15e1a0f6b46a31aa
SSDEEP

786432:8s4bQrCDby1pmxJ7hUwT0UVnnewa+tr2EKYknaKkwpleuvAyPBC3srYpJmGLrkoU:sGD1pmPAUVnnlpxmhdkw/cJmW/H0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2760	PTOTAC_WINCASIHD_17.50.58.tmp
1104	Potato.exe
1404	Potato.exe
2212	svbonxh3.exe

Loads dropped DLL 8 IoCs

pid	Process
2988	PTOTAC_WINCASIHD_17.50.58.exe
2760	PTOTAC_WINCASIHD_17.50.58.tmp
2976	taskeng.exe
2212	svbonxh3.exe
2212	svbonxh3.exe
2212	svbonxh3.exe
2212	svbonxh3.exe
2212	svbonxh3.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	208.67.222.220

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Potato.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PTOTAC_WINCASIHD_17.50.58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PTOTAC_WINCASIHD_17.50.58.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potato.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potato.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\allowPath	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\shell\open\command	Potato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\potato.pt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\6745787ff863f3839ea2c261db669180\\4713b1991\\1c460c8f5\\Potato.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/6745787ff863f3839ea2c261db669180/4713b1991/1c460c8f5/\" -- \"%1\""	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\allowPath\array\path	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\DefaultIcon	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\potato.pt	Potato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\potato.pt\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\6745787ff863f3839ea2c261db669180\\4713b1991\\1c460c8f5\\Potato.exe,1\""	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\potato.pt\shell\open\command	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\potato.pt\DefaultIcon	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\potato.pt\shell\open	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\allowPath\array	Potato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\allowPath\array\path\�6��{�Ȝݼ�&�.?�@ = "true"	Potato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\URL Protocol	Potato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\6745787ff863f3839ea2c261db669180\\4713b1991\\1c460c8f5\\Potato.exe,1\""	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\shell\open	Potato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\ = "URL:Potato Link"	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\shell	Potato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\pt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\6745787ff863f3839ea2c261db669180\\4713b1991\\1c460c8f5\\Potato.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/6745787ff863f3839ea2c261db669180/4713b1991/1c460c8f5/\" -- \"%1\""	Potato.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\potato.pt\shell	Potato.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Potato.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Potato.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Potato.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Potato.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Potato.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Potato.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1104	Potato.exe
1404	Potato.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	PTOTAC_WINCASIHD_17.50.58.tmp
2760	PTOTAC_WINCASIHD_17.50.58.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1404	Potato.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	524	wmic.exe
Token: SeSecurityPrivilege	524	wmic.exe
Token: SeTakeOwnershipPrivilege	524	wmic.exe
Token: SeLoadDriverPrivilege	524	wmic.exe
Token: SeSystemProfilePrivilege	524	wmic.exe
Token: SeSystemtimePrivilege	524	wmic.exe
Token: SeProfSingleProcessPrivilege	524	wmic.exe
Token: SeIncBasePriorityPrivilege	524	wmic.exe
Token: SeCreatePagefilePrivilege	524	wmic.exe
Token: SeBackupPrivilege	524	wmic.exe
Token: SeRestorePrivilege	524	wmic.exe
Token: SeShutdownPrivilege	524	wmic.exe
Token: SeDebugPrivilege	524	wmic.exe
Token: SeSystemEnvironmentPrivilege	524	wmic.exe
Token: SeRemoteShutdownPrivilege	524	wmic.exe
Token: SeUndockPrivilege	524	wmic.exe
Token: SeManageVolumePrivilege	524	wmic.exe
Token: 33	524	wmic.exe
Token: 34	524	wmic.exe
Token: 35	524	wmic.exe
Token: SeIncreaseQuotaPrivilege	524	wmic.exe
Token: SeSecurityPrivilege	524	wmic.exe
Token: SeTakeOwnershipPrivilege	524	wmic.exe
Token: SeLoadDriverPrivilege	524	wmic.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2760	PTOTAC_WINCASIHD_17.50.58.tmp
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1104	Potato.exe
1104	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe
1404	Potato.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2760	2988	PTOTAC_WINCASIHD_17.50.58.exe	30
PID 2988 wrote to memory of 2760	2988	PTOTAC_WINCASIHD_17.50.58.exe	30
PID 2988 wrote to memory of 2760	2988	PTOTAC_WINCASIHD_17.50.58.exe	30
PID 2988 wrote to memory of 2760	2988	PTOTAC_WINCASIHD_17.50.58.exe	30
PID 2988 wrote to memory of 2760	2988	PTOTAC_WINCASIHD_17.50.58.exe	30
PID 2988 wrote to memory of 2760	2988	PTOTAC_WINCASIHD_17.50.58.exe	30
PID 2988 wrote to memory of 2760	2988	PTOTAC_WINCASIHD_17.50.58.exe	30
PID 2004 wrote to memory of 1104	2004	taskeng.exe	33
PID 2004 wrote to memory of 1104	2004	taskeng.exe	33
PID 2004 wrote to memory of 1104	2004	taskeng.exe	33
PID 2004 wrote to memory of 1104	2004	taskeng.exe	33
PID 1104 wrote to memory of 2844	1104	Potato.exe	34
PID 1104 wrote to memory of 2844	1104	Potato.exe	34
PID 1104 wrote to memory of 2844	1104	Potato.exe	34
PID 1104 wrote to memory of 2844	1104	Potato.exe	34
PID 1104 wrote to memory of 1404	1104	Potato.exe	37
PID 1104 wrote to memory of 1404	1104	Potato.exe	37
PID 1104 wrote to memory of 1404	1104	Potato.exe	37
PID 1104 wrote to memory of 1404	1104	Potato.exe	37
PID 1404 wrote to memory of 524	1404	Potato.exe	38
PID 1404 wrote to memory of 524	1404	Potato.exe	38
PID 1404 wrote to memory of 524	1404	Potato.exe	38
PID 1404 wrote to memory of 524	1404	Potato.exe	38
PID 2976 wrote to memory of 2212	2976	taskeng.exe	41
PID 2976 wrote to memory of 2212	2976	taskeng.exe	41
PID 2976 wrote to memory of 2212	2976	taskeng.exe	41

C:\Users\Admin\AppData\Local\Temp\PTOTAC_WINCASIHD_17.50.58.exe
"C:\Users\Admin\AppData\Local\Temp\PTOTAC_WINCASIHD_17.50.58.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\is-QC1RR.tmp\PTOTAC_WINCASIHD_17.50.58.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QC1RR.tmp\PTOTAC_WINCASIHD_17.50.58.tmp" /SL5="$40108,47266724,1090560,C:\Users\Admin\AppData\Local\Temp\PTOTAC_WINCASIHD_17.50.58.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2760

C:\Windows\system32\taskeng.exe
taskeng.exe {7D557A89-51D2-4999-BB8D-79D613E9863C} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\4713b1991\1c460c8f5\Potato.exe
  C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\4713b1991\1c460c8f5\Potato.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic BaseBoard get SerialNumber
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\4713b1991\1c460c8f5\Potato.exe
    "C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\4713b1991\1c460c8f5\Potato.exe" -noupdate
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic BaseBoard get SerialNumber
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:524

C:\Windows\system32\taskeng.exe
taskeng.exe {AFD4DD22-9D2E-4AD9-B7D9-0298A82A1EBA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\svbonxh3.exe
  C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\svbonxh3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC18D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC1CE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\34a6d805642d06a18e7576c

Filesize
12.9MB

MD5
0af9c4e52e04dd850421a861383dc840

SHA1
cbea9a6a3daf10573e11e96131a79e350b062582

SHA256
8283c33b68467ba84bd74c1888238ad616affd4972f176deb68d224866d3cc90

SHA512
f81e8d464ae4d7bddaf43b2b026b0a04e976dc617526b48b716c90a5dc7bafb32e4e841baf89bf08942fdc83c5d623e710ef2b567a0f3de55eda1eac43944326

Download Submit
C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\libcef.dll

Filesize
2.3MB

MD5
8cf38f54aaa53e636a071336e0703776

SHA1
3748b5464f9b6e025b032c3d6f9e814381888700

SHA256
14e11b9b39f8c638afaf3976c4ca18fed30a533d73cd73f8057e1a8a5cf0a2ee

SHA512
0f0da7430e53f52db6ac3026f92440f1a3344d953d7204a187b29d2091313201f46833761603bf877b2246d3cb4c515e149667248618bef54fe85f74d43b7c80

Download Submit
C:\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\4713b1991\1c460c8f5\log_start0.txt

Filesize
972B

MD5
279ebc44a0fc862056e012a3b15a0fcd

SHA1
32cbd4b7f425e62ba8861e26c59b3a7bf1f13ee3

SHA256
4912b70bd8abe0d9edfbe49341abbac6f0394c10d805071a6a403b62a248f2c8

SHA512
ca5821f15dc2bff5e4f9820a06d4edb84531cc50b0bb8079f824c965429f5e5651e4c7f876bc0d02af652e9a4bad8e3ce651a3be54faa7f52594972e3abc80f8

Download Submit
\Users\Admin\AppData\Local\Temp\is-QC1RR.tmp\PTOTAC_WINCASIHD_17.50.58.tmp

Filesize
3.2MB

MD5
5adbbe41edfdb7509a7bca5c8bbb494c

SHA1
9b69991e71d700c8fb1f77dc20f702e43ac7e5b0

SHA256
842dae30f95fb76e9309616d2a2fa18080663d60477f9c960041d1592b0f8414

SHA512
d2ab280d728113be6036c6d0d11234dacf93b54fc2e3d5b13390848cddd04ef67dc8df3ae5b8ab2ada7ab38209498bbad6c62774028530816ef007512ffee2a3

Download Submit
\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\KRShmq.dll

Filesize
44KB

MD5
0f74b11cfb900e448a44652305eaf43a

SHA1
d89fb77b6e8c90595811d1c46f48f1165cdc9bb4

SHA256
fff63d3d2758d5b9ca93a1fce7773deedfd99ecdeb8c77ecb15733fa387b185c

SHA512
862247be086ac879981af68776e29d5c11f3fe3c8bcd3b78987b77e9df519a6055c68b6e90bfdc202c1780997ef00a758fa084cbf2522cd32cf5d4a51270643e

Download Submit
\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\svbonxh3.exe

Filesize
5.3MB

MD5
cefc4527be9855271deb935a24242d09

SHA1
7532dd28082459ee1a3ba9566fa136478144b4a4

SHA256
301a4520035bfa1f0f0b3e988f2a148795935a73593a755b65821c4db868541b

SHA512
855097e9cae1767a1c1dbe127626cbe5b7369efdb5382fa8b8f5ef330aca4ffee3bc8d48cd3dd64bb1e9b2bb781ff0ec3f28aa6381ae5f75722a58a7efcc0008

Download Submit
\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
\Users\Admin\AppData\Roaming\6745787ff863f3839ea2c261db669180\28e6c3ebd\a5420de614\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
memory/1104-47-0x00000000002E0000-0x0000000003EB0000-memory.dmp

Filesize
59.8MB

Download
memory/1104-42-0x00000000002E0000-0x0000000003EB0000-memory.dmp

Filesize
59.8MB

Download
memory/2212-80-0x0000000000950000-0x0000000001642000-memory.dmp

Filesize
12.9MB

Download
memory/2212-76-0x000007FEF5E90000-0x000007FEF62A6000-memory.dmp

Filesize
4.1MB

Download
memory/2212-81-0x0000000003060000-0x0000000004884000-memory.dmp

Filesize
24.1MB

Download
memory/2212-85-0x0000000003060000-0x0000000004884000-memory.dmp

Filesize
24.1MB

Download
memory/2760-36-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2760-33-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2760-9-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2988-38-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2988-1-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2988-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download