Analysis

  • max time kernel
    141s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-10-2024 11:11

General

  • Target

    potato_latestx64.exe

  • Size

    36.6MB

  • MD5

    32de33fa29f59bbf9eed061a8206c068

  • SHA1

    39f650ba2f5df46efc1a5c4603b94e0cde41dab5

  • SHA256

    0b6bcbd6fa84ee15a2d6752377d74acd3d2b27a784381199252d48d0535bcc0e

  • SHA512

    3645c05e4762cae51d58b5744db2da38690ee3559029f67c87500592572acd73a8e30383b39fdb4fb931a7c06cf7ab7292657217d6a0fb0c45fa4704b7444373

  • SSDEEP

    786432:QxOtk8Nf+CPCKjEYh/FxVymMqTAS/Hqdpxq9327MpOuzfzpgg4nocFEnvY:QxOtJNHCKjEYhonpxq9m7MpOYzpxXcFB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe
    "C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\is-OM5U8.tmp\potato_latestx64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OM5U8.tmp\potato_latestx64.tmp" /SL5="$401CA,37390699,806912,C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2564
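
The tree above is the standard two-stage Inno Setup launch: the stub (PID 3032) writes its second-stage image into a fresh is-XXXXX.tmp directory and starts it with a /SL5 switch that hands back a window handle, two file offsets into the stub, and the stub's own path. The four signatures that make up the 7/10 score (dropped EXE executed, dropped DLLs loaded, language lookup, WriteProcessMemory into the child) are all behaviours an Inno Setup installer produces as part of normal operation, and nothing else in this report (no network section, no config) points beyond that. The helper below is an added example, not part of the report or of the sample; it decodes the /SL5 switch and checks that the child really is the stub's own second stage (right staging directory, parent named in /SL5, offsets ordered and inside the parent file). The field layout assumed for /SL5, "$<hex window handle>,<offset0>,<offset1>,<original exe path>", and the assumption that the compressed file data (offset1) precedes the header block (offset0) in a single-file installer both follow Inno Setup's SetupLdr conventions and should be checked against the Inno Setup source for the version at hand.

```python
"""Triage helper for a sandbox process tree showing an Inno Setup two-stage launch.

Added example, not part of the sandbox report or of the analysed sample.
Assumed /SL5 layout (Inno Setup SetupLdr convention, verify for your version):
    /SL5="$<hex window handle>,<offset0>,<offset1>,<path of the original .exe>"
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Inno Setup stages its second-stage image in %TEMP%\is-<5 chars>.tmp\<name>.tmp
INNO_STAGE_DIR = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
# The whole /SL5 value is one quoted argument, e.g. /SL5="$401CA,37390699,806912,C:\...\x.exe"
SL5_SWITCH = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')


@dataclass(frozen=True)
class Sl5Args:
    window_handle: int   # HWND of the stub's status window, passed in hex
    offset0: int         # file offset of the header data block (assumed meaning)
    offset1: int         # file offset of the compressed file data (assumed meaning)
    original_exe: str    # path of the stub .exe that extracted the second stage


def parse_sl5(cmdline: str) -> Optional[Sl5Args]:
    """Return the decoded /SL5 fields, or None if the switch is absent."""
    m = SL5_SWITCH.search(cmdline)
    if m is None:
        return None
    return Sl5Args(int(m.group(1), 16), int(m.group(2)), int(m.group(3)), m.group(4))


@dataclass
class Verdict:
    label: str
    notes: List[str] = field(default_factory=list)


def classify_child(parent_image: str, child_image: str, child_cmdline: str,
                   parent_file_size: Optional[int] = None) -> Verdict:
    """Decide whether a child process is the expected Inno Setup second stage.

    'inno-setup-stage2' means every check passed: the child sits in an is-XXXXX.tmp
    directory, carries /SL5, names its parent as the original .exe, and its offsets
    are ordered and (if the parent size is known) inside the parent file.  Anything
    else is 'review' with the reasons listed, so a renamed or substituted second
    stage does not get waved through just because it looks like an installer.
    """
    v = Verdict("review")
    if not INNO_STAGE_DIR.search(child_image):
        v.notes.append("child image is not in an is-XXXXX.tmp staging directory")
    args = parse_sl5(child_cmdline)
    if args is None:
        v.notes.append("no /SL5 switch on the child command line")
        return v
    if args.original_exe.lower() != parent_image.lower():
        v.notes.append(f"/SL5 names {args.original_exe!r}, parent is {parent_image!r}")
    if not 0 < args.offset1 < args.offset0:
        v.notes.append("data offsets not in the expected order (offset1 < offset0)")
    if parent_file_size is not None and args.offset0 >= parent_file_size:
        v.notes.append("offset0 lies beyond the end of the parent file")
    if not v.notes:
        v.label = "inno-setup-stage2"
    return v


# Sample input: the two processes from the report above.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\is-OM5U8.tmp\potato_latestx64.tmp"
CHILD_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\is-OM5U8.tmp\potato_latestx64.tmp" '
    r'/SL5="$401CA,37390699,806912,C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe"'
)

if __name__ == "__main__":
    print(parse_sl5(CHILD_CMDLINE))
    print(classify_child(PARENT, CHILD, CHILD_CMDLINE))
```

For this sample the decoded offsets are consistent with the rest of the report: offset1 (806912) sits just past the loader stub whose mapped image shows up as the 844KB region of PID 3032, and offset0 (37390699) sits near the end of the 36.6MB file. The parent-path comparison is the check worth keeping in a detection rule: a second stage launched from an is-XXXXX.tmp directory whose /SL5 path does not match the process that spawned it is not what Inno Setup itself does.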

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\background_messagebox.png

    Filesize

    4KB

    MD5

    d1a4f5ba76b7e7a702f13fbd9bbb76c7

    SHA1

    2c8e3fbf70f0a89a833c3607fface79a9072d324

    SHA256

    bcd3b5b4f4fb5a956a6ad14236567dcb1117b621713c50483433d7af1011e724

    SHA512

    6afc8c206f4cc9969bcc4ba373f05742ea318733891a145ef580f4116170c9fcab4479d8955e58f23d3cf445fdc9ed5eceabd086ce2324fc751f5bbb89d9d578

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\background_welcome.png

    Filesize

    23KB

    MD5

    09d7f0a3d432577e99da00e3531d9190

    SHA1

    3d8afcb34cadebb61bb8314d225e204dcdde8ae2

    SHA256

    0af66eefbf71908e10f449f606a73a6a3bfd5bc223e762cb493848cc30642452

    SHA512

    42d238bd8fd280466458ca1daf7f899c6fe9f61627482097553bec1501c8366edfe856fc5905c1d5c2e14fba083600674cfb71522aa863820d257fc291dc3922

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_browse.png

    Filesize

    13KB

    MD5

    d724d25b757d8f203cd6777da8cd17a8

    SHA1

    51ac4866ba5550c73512a05fa4cccf36beb05a61

    SHA256

    78114fdef066f771aa842a682f0e71deb06b98a1b065689611814ba165460fc0

    SHA512

    183b1eccbf901f21ef992df79024b6bd2fa49e5e6599298ddeed9dfdb647d58a6407b519f5eeebc9a2c4eb6c9afb12e80ee5f3233d8ad7f8145496d569737fb0

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_cancel.png

    Filesize

    6KB

    MD5

    fb8e04322eee99db624e395d969dbc59

    SHA1

    4ac99299b54c657c0d40679fc6e4f3840638ca58

    SHA256

    e5a6d0c5f16ca8bebd882dfac1b77336b477ea22f7b22bde72580824dd2d94e9

    SHA512

    90020fe26f252e4277235eed8f91da5754373f0fdcde0cff6c7bcf8ece5c2ee66c952ef884a69664fe412c55ea9cae1933fad1a0d9c626bdd836e6a177cef0b7

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_close.png

    Filesize

    3KB

    MD5

    2b29884a02b398ef5b3d4cb2db1e5c34

    SHA1

    a8f7e6525378b22185a0bd3010d1b86fca1a9c2f

    SHA256

    789e0fd796fa36c23f053acc85dbcc1c03035f93b92cce76840811d8b898b025

    SHA512

    9093d8c0910118c3dbc1170b183738530fd7bdace1d0e7f839fcee701a807de17d9c1da5d2b9da06ac7ec9b0c89db99f3461c4ae5c553a52c22cfb413ee41883

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_customize_setup.png

    Filesize

    10KB

    MD5

    9fd5cf39cb1d65a7dd9fc7396fc03550

    SHA1

    41179665031dc8031197ee7450fc49b3efba052f

    SHA256

    adf67d4817b7061ef2ceb74375e1216908df908b4da839a70c275c66f4130193

    SHA512

    a951745de5fe3925add368eeaf57e6e67a7fa021df2289a3e6b64313890f60fc1a7e5aee49fa489cf268b63cad27c0d78daee1679a518aab4b25bcb9c8498a77

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_license.png

    Filesize

    11KB

    MD5

    410c7780e6700028ab373f9efe75f728

    SHA1

    4c6eb2e50b83e2bc8f58aa0b643a549028b16603

    SHA256

    16f20688f713c3bee746bd0d745f843c99f6c360f71b44aa5713f9d5fae2cf75

    SHA512

    0e63f245dc8e8799376b3f7e33da5a2f40e3788b7e1541e07e8e171b91c6e4dd0a0f9bca0a02cd6d4e34618bcc112bea29d2d99e19e44aac3a8ad5029e9ef790

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_minimize.png

    Filesize

    3KB

    MD5

    53377fd010771582b62621793237d97c

    SHA1

    7028bce353330e3fc2cfe0e3c94a9cb7c1f116e7

    SHA256

    7967738a3a3bd46f2c128eb9d66183c93dbb56cf51e08aa439162f999fc952a1

    SHA512

    a62a7813d60429b7532797f53878acac02975bd13524c496626219180f498033127870659cc96f4fecbcd67976140b904443e93d3a193d149027906f5dcb15d6

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_ok.png

    Filesize

    6KB

    MD5

    558e7219fc377b63365513c4e017cf24

    SHA1

    ac508857ab9657abc0f731ff09712bbafadd1f0b

    SHA256

    43818ff077e39e82519171f9525ba3be84e584252d42946733a07a3f39455466

    SHA512

    dfdec62bf1e1cf0f6f0eb9c825e75bcf1d7eacb7925acf8b4e19fd4f382cb95e8e01c14fde3cc58c9e47d26b296c34dfb469c42d1aa67670ad511a3698ee31f4

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_setup_or_next.png

    Filesize

    16KB

    MD5

    f759680e272b5fc9e60738b7dbbbc623

    SHA1

    defcdd008ddb3a3d5e4da4824f6114649c2e2c23

    SHA256

    ea9a1ac0057cf97ff422d306526ea3d73345673bd82f4fdffc2c4313fdb74b31

    SHA512

    cb2dc79e28edeaaa415653165e23c21236a6535bec6737349d5e9af69e5f92531d1c7da9ff55df10a09bc7731ab15fd4385d6436e78dd7a00792a0848c54eac8

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\button_uncustomize_setup.png

    Filesize

    10KB

    MD5

    aa5886c0e8b173955df656efbcbc00d4

    SHA1

    a05b410e756d4b2b6c30a448a55777691c55b2dd

    SHA256

    7b4577498af66c8f3b2e69f65a36306395826fbfd21c8e8b227ab760c793b5d1

    SHA512

    15d74e888d5490478da9b5e429509cb864fdbc7ac0ad368353b5043fd07923e2d7ead94907ccb458b84f19022d8be1def8bed5c58866d20181206792be7b49a2

  • C:\Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\checkbox_license.png

    Filesize

    27KB

    MD5

    e1ca6a42984d8b7ededb48a3f7133791

    SHA1

    b1c13e402f939ac9f00a795482a6f4b80b27a5bd

    SHA256

    023cca5e5bbab5aed27e5290d91a14573a0178d8cfaac73d402221c78c5f013d

    SHA512

    80a93ae1ffc67593faa28c8043135d92b6cc4bddc830a285c2e176c09450b391b4189e9bb060fb93002c236e69f4c48a247946b8169bb97c6b3f42ee07e45d14

  • \Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\botva2.dll

    Filesize

    37KB

    MD5

    67965a5957a61867d661f05ae1f4773e

    SHA1

    f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

    SHA256

    450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

    SHA512

    c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

  • \Users\Admin\AppData\Local\Temp\is-A1EJM.tmp\innocallback.dll

    Filesize

    63KB

    MD5

    1c55ae5ef9980e3b1028447da6105c75

    SHA1

    f85218e10e6aa23b2f5a3ed512895b437e41b45c

    SHA256

    6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

    SHA512

    1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

  • \Users\Admin\AppData\Local\Temp\is-OM5U8.tmp\potato_latestx64.tmp

    Filesize

    3.1MB

    MD5

    35691b21e16be1680a048488aeb6c781

    SHA1

    fc78ae64ba72ff72fb2647586fa2d861f4eedc9f

    SHA256

    c02ce89ee8cdcc6c30941b574aafa165a442ad7f02b87de0eb1f184557fe7e97

    SHA512

    1e98b0394f17036b009a667ceed838b19f15ddd51d4739300c8d68dec59b3187c4ed38455b49c8cb87a6570fb61750f16f5d5137d9f720aeaad2bd1506ce5967

  • memory/2564-124-0x00000000029A0000-0x00000000029AF000-memory.dmp

    Filesize

    60KB

  • memory/2564-53-0x00000000029A0000-0x00000000029AF000-memory.dmp

    Filesize

    60KB

  • memory/2564-8-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/2564-126-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/2564-125-0x00000000029C0000-0x00000000029D5000-memory.dmp

    Filesize

    84KB

  • memory/2564-60-0x00000000029C0000-0x00000000029D5000-memory.dmp

    Filesize

    84KB

  • memory/2564-123-0x00000000003B0000-0x00000000006E2000-memory.dmp

    Filesize

    3.2MB

  • memory/2564-134-0x00000000029C0000-0x00000000029D5000-memory.dmp

    Filesize

    84KB

  • memory/2564-133-0x00000000029A0000-0x00000000029AF000-memory.dmp

    Filesize

    60KB

  • memory/2564-150-0x00000000029C0000-0x00000000029D5000-memory.dmp

    Filesize

    84KB

  • memory/3032-0-0x0000000000E70000-0x0000000000F43000-memory.dmp

    Filesize

    844KB

  • memory/3032-2-0x0000000000E71000-0x0000000000F19000-memory.dmp

    Filesize

    672KB

  • memory/3032-122-0x0000000000E70000-0x0000000000F43000-memory.dmp

    Filesize

    844KB
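
The memory dump names above encode the PID, a capture sequence number and the dumped address range, and the same range is often captured several times (the 60KB and 84KB ranges of PID 2564 appear three and four times). One check a practitioner wants from this list is whether any dumped region corresponds to a dropped PE being mapped as an image: the 3.2MB region at 0x3B0000 in PID 2564 is just slightly larger than the 3.1MB potato_latestx64.tmp that process is running, which is what a mapped PE image looks like, while PID 3032 only ever maps its 844KB stub and never the full 36.6MB file. The script below is an added example, not part of the report; it assumes the dump-name layout "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" seen above and treats the report's KB/MB figures as KiB/MiB approximations.

```python
"""Decode sandbox memory-dump names and match regions to dropped PE file sizes.

Added example, not part of the sandbox report.  Assumed name layout:
    memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
Report sizes such as '3.1MB' are treated as MiB/KiB approximations (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int      # capture sequence; the same range may be dumped several times
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    return Region(int(pid), int(seq), int(start, 16), int(end, 16))


def unique_regions(names: Iterable[str]) -> Dict[int, List[Tuple[int, int]]]:
    """Collapse repeated captures: one (start, end) per distinct range per PID."""
    seen: Dict[int, Set[Tuple[int, int]]] = {}
    for n in names:
        r = parse_dump_name(n)
        seen.setdefault(r.pid, set()).add((r.start, r.end))
    return {pid: sorted(v) for pid, v in seen.items()}


def approx_bytes(size: str) -> int:
    """'3.1MB' -> bytes, reading the report's KB/MB/GB as KiB/MiB/GiB (assumption)."""
    m = re.fullmatch(r"([\d.]+)\s*(KB|MB|GB)", size.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError(size)
    mult = {"KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}[m.group(2).upper()]
    return int(float(m.group(1)) * mult)


def looks_like_mapped_image(region_size: int, file_size: int, slack: float = 0.15) -> bool:
    """A PE mapped as an image is at least its file size and usually a little
    larger (section alignment), so accept [file_size, file_size * (1 + slack)]."""
    return file_size <= region_size <= int(file_size * (1 + slack))


def dropped_image_candidates(names: Iterable[str], file_size: int) -> List[Tuple[int, int, int]]:
    """(pid, start, end) of every distinct region whose size fits the given file."""
    out = []
    for pid, ranges in unique_regions(names).items():
        for start, end in ranges:
            if looks_like_mapped_image(end - start, file_size):
                out.append((pid, start, end))
    return sorted(out)


# Sample input: the dump names listed in the report above.
DUMPS = [
    "memory/2564-124-0x00000000029A0000-0x00000000029AF000-memory.dmp",
    "memory/2564-53-0x00000000029A0000-0x00000000029AF000-memory.dmp",
    "memory/2564-8-0x0000000000100000-0x0000000000101000-memory.dmp",
    "memory/2564-126-0x0000000000100000-0x0000000000101000-memory.dmp",
    "memory/2564-125-0x00000000029C0000-0x00000000029D5000-memory.dmp",
    "memory/2564-60-0x00000000029C0000-0x00000000029D5000-memory.dmp",
    "memory/2564-123-0x00000000003B0000-0x00000000006E2000-memory.dmp",
    "memory/2564-134-0x00000000029C0000-0x00000000029D5000-memory.dmp",
    "memory/2564-133-0x00000000029A0000-0x00000000029AF000-memory.dmp",
    "memory/2564-150-0x00000000029C0000-0x00000000029D5000-memory.dmp",
    "memory/3032-0-0x0000000000E70000-0x0000000000F43000-memory.dmp",
    "memory/3032-2-0x0000000000E71000-0x0000000000F19000-memory.dmp",
    "memory/3032-122-0x0000000000E70000-0x0000000000F43000-memory.dmp",
]

if __name__ == "__main__":
    for pid, ranges in unique_regions(DUMPS).items():
        print(pid, [f"0x{s:X}-0x{e:X} ({(e - s) // 1024}KB)" for s, e in ranges])
    print("regions that fit the 3.1MB .tmp:", dropped_image_candidates(DUMPS, approx_bytes("3.1MB")))
```

Running it over the report's list gives four distinct ranges for PID 2564 and two for PID 3032, and exactly one region that fits the 3.1MB second-stage file: 0x3B0000-0x6E2000 in PID 2564. That dump is the one to pull if you want the unpacked second stage rather than the stub.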