Overview
overview
7Static
static
31.exe
windows7-x64
71.exe
windows10-2004-x64
72.exe
windows7-x64
72.exe
windows10-2004-x64
7Setup.exe
windows7-x64
7Setup.exe
windows10-2004-x64
7_中文版...64.exe
windows7-x64
7_中文版...64.exe
windows10-2004-x64
7potato_latestx64.exe
windows7-x64
7potato_latestx64.exe
windows10-2004-x64
7Analysis
-
max time kernel
141s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06-10-2024 11:11
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
2.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Setup.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
_中文版_TG_telegrnai_win_dows_ios_X_64.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
_中文版_TG_telegrnai_win_dows_ios_X_64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
potato_latestx64.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
potato_latestx64.exe
Resource
win10v2004-20240802-en
General
-
Target
potato_latestx64.exe
-
Size
36.6MB
-
MD5
32de33fa29f59bbf9eed061a8206c068
-
SHA1
39f650ba2f5df46efc1a5c4603b94e0cde41dab5
-
SHA256
0b6bcbd6fa84ee15a2d6752377d74acd3d2b27a784381199252d48d0535bcc0e
-
SHA512
3645c05e4762cae51d58b5744db2da38690ee3559029f67c87500592572acd73a8e30383b39fdb4fb931a7c06cf7ab7292657217d6a0fb0c45fa4704b7444373
-
SSDEEP
786432:QxOtk8Nf+CPCKjEYh/FxVymMqTAS/Hqdpxq9327MpOuzfzpgg4nocFEnvY:QxOtJNHCKjEYhonpxq9m7MpOYzpxXcFB
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2564 potato_latestx64.tmp -
Loads dropped DLL 3 IoCs
pid Process 3032 potato_latestx64.exe 2564 potato_latestx64.tmp 2564 potato_latestx64.tmp -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language potato_latestx64.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language potato_latestx64.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3032 wrote to memory of 2564 3032 potato_latestx64.exe 29 PID 3032 wrote to memory of 2564 3032 potato_latestx64.exe 29 PID 3032 wrote to memory of 2564 3032 potato_latestx64.exe 29 PID 3032 wrote to memory of 2564 3032 potato_latestx64.exe 29 PID 3032 wrote to memory of 2564 3032 potato_latestx64.exe 29 PID 3032 wrote to memory of 2564 3032 potato_latestx64.exe 29 PID 3032 wrote to memory of 2564 3032 potato_latestx64.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe"C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\is-OM5U8.tmp\potato_latestx64.tmp"C:\Users\Admin\AppData\Local\Temp\is-OM5U8.tmp\potato_latestx64.tmp" /SL5="$401CA,37390699,806912,C:\Users\Admin\AppData\Local\Temp\potato_latestx64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2564
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5d1a4f5ba76b7e7a702f13fbd9bbb76c7
SHA12c8e3fbf70f0a89a833c3607fface79a9072d324
SHA256bcd3b5b4f4fb5a956a6ad14236567dcb1117b621713c50483433d7af1011e724
SHA5126afc8c206f4cc9969bcc4ba373f05742ea318733891a145ef580f4116170c9fcab4479d8955e58f23d3cf445fdc9ed5eceabd086ce2324fc751f5bbb89d9d578
-
Filesize
23KB
MD509d7f0a3d432577e99da00e3531d9190
SHA13d8afcb34cadebb61bb8314d225e204dcdde8ae2
SHA2560af66eefbf71908e10f449f606a73a6a3bfd5bc223e762cb493848cc30642452
SHA51242d238bd8fd280466458ca1daf7f899c6fe9f61627482097553bec1501c8366edfe856fc5905c1d5c2e14fba083600674cfb71522aa863820d257fc291dc3922
-
Filesize
13KB
MD5d724d25b757d8f203cd6777da8cd17a8
SHA151ac4866ba5550c73512a05fa4cccf36beb05a61
SHA25678114fdef066f771aa842a682f0e71deb06b98a1b065689611814ba165460fc0
SHA512183b1eccbf901f21ef992df79024b6bd2fa49e5e6599298ddeed9dfdb647d58a6407b519f5eeebc9a2c4eb6c9afb12e80ee5f3233d8ad7f8145496d569737fb0
-
Filesize
6KB
MD5fb8e04322eee99db624e395d969dbc59
SHA14ac99299b54c657c0d40679fc6e4f3840638ca58
SHA256e5a6d0c5f16ca8bebd882dfac1b77336b477ea22f7b22bde72580824dd2d94e9
SHA51290020fe26f252e4277235eed8f91da5754373f0fdcde0cff6c7bcf8ece5c2ee66c952ef884a69664fe412c55ea9cae1933fad1a0d9c626bdd836e6a177cef0b7
-
Filesize
3KB
MD52b29884a02b398ef5b3d4cb2db1e5c34
SHA1a8f7e6525378b22185a0bd3010d1b86fca1a9c2f
SHA256789e0fd796fa36c23f053acc85dbcc1c03035f93b92cce76840811d8b898b025
SHA5129093d8c0910118c3dbc1170b183738530fd7bdace1d0e7f839fcee701a807de17d9c1da5d2b9da06ac7ec9b0c89db99f3461c4ae5c553a52c22cfb413ee41883
-
Filesize
10KB
MD59fd5cf39cb1d65a7dd9fc7396fc03550
SHA141179665031dc8031197ee7450fc49b3efba052f
SHA256adf67d4817b7061ef2ceb74375e1216908df908b4da839a70c275c66f4130193
SHA512a951745de5fe3925add368eeaf57e6e67a7fa021df2289a3e6b64313890f60fc1a7e5aee49fa489cf268b63cad27c0d78daee1679a518aab4b25bcb9c8498a77
-
Filesize
11KB
MD5410c7780e6700028ab373f9efe75f728
SHA14c6eb2e50b83e2bc8f58aa0b643a549028b16603
SHA25616f20688f713c3bee746bd0d745f843c99f6c360f71b44aa5713f9d5fae2cf75
SHA5120e63f245dc8e8799376b3f7e33da5a2f40e3788b7e1541e07e8e171b91c6e4dd0a0f9bca0a02cd6d4e34618bcc112bea29d2d99e19e44aac3a8ad5029e9ef790
-
Filesize
3KB
MD553377fd010771582b62621793237d97c
SHA17028bce353330e3fc2cfe0e3c94a9cb7c1f116e7
SHA2567967738a3a3bd46f2c128eb9d66183c93dbb56cf51e08aa439162f999fc952a1
SHA512a62a7813d60429b7532797f53878acac02975bd13524c496626219180f498033127870659cc96f4fecbcd67976140b904443e93d3a193d149027906f5dcb15d6
-
Filesize
6KB
MD5558e7219fc377b63365513c4e017cf24
SHA1ac508857ab9657abc0f731ff09712bbafadd1f0b
SHA25643818ff077e39e82519171f9525ba3be84e584252d42946733a07a3f39455466
SHA512dfdec62bf1e1cf0f6f0eb9c825e75bcf1d7eacb7925acf8b4e19fd4f382cb95e8e01c14fde3cc58c9e47d26b296c34dfb469c42d1aa67670ad511a3698ee31f4
-
Filesize
16KB
MD5f759680e272b5fc9e60738b7dbbbc623
SHA1defcdd008ddb3a3d5e4da4824f6114649c2e2c23
SHA256ea9a1ac0057cf97ff422d306526ea3d73345673bd82f4fdffc2c4313fdb74b31
SHA512cb2dc79e28edeaaa415653165e23c21236a6535bec6737349d5e9af69e5f92531d1c7da9ff55df10a09bc7731ab15fd4385d6436e78dd7a00792a0848c54eac8
-
Filesize
10KB
MD5aa5886c0e8b173955df656efbcbc00d4
SHA1a05b410e756d4b2b6c30a448a55777691c55b2dd
SHA2567b4577498af66c8f3b2e69f65a36306395826fbfd21c8e8b227ab760c793b5d1
SHA51215d74e888d5490478da9b5e429509cb864fdbc7ac0ad368353b5043fd07923e2d7ead94907ccb458b84f19022d8be1def8bed5c58866d20181206792be7b49a2
-
Filesize
27KB
MD5e1ca6a42984d8b7ededb48a3f7133791
SHA1b1c13e402f939ac9f00a795482a6f4b80b27a5bd
SHA256023cca5e5bbab5aed27e5290d91a14573a0178d8cfaac73d402221c78c5f013d
SHA51280a93ae1ffc67593faa28c8043135d92b6cc4bddc830a285c2e176c09450b391b4189e9bb060fb93002c236e69f4c48a247946b8169bb97c6b3f42ee07e45d14
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
63KB
MD51c55ae5ef9980e3b1028447da6105c75
SHA1f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA2566afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA5121ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b
-
Filesize
3.1MB
MD535691b21e16be1680a048488aeb6c781
SHA1fc78ae64ba72ff72fb2647586fa2d861f4eedc9f
SHA256c02ce89ee8cdcc6c30941b574aafa165a442ad7f02b87de0eb1f184557fe7e97
SHA5121e98b0394f17036b009a667ceed838b19f15ddd51d4739300c8d68dec59b3187c4ed38455b49c8cb87a6570fb61750f16f5d5137d9f720aeaad2bd1506ce5967