Analysis
- max time kernel: 325s
- max time network: 1554s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 19:16
Static task: static1

Behavioral task: behavioral1
- Sample: psiphon3.exe
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: psiphon3.exe
- Resource: win10-en-20211208
- Platform: windows10_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral3
- Sample: psiphon3.exe
- Resource: win10v2004-en-20220112
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: psiphon3.exe
- Size: 6.8MB
- MD5: 2ebc28739e3c11341136fc5404c44579
- SHA1: 6adb43880cac3dfe5a5356d19d588648739763e7
- SHA256: fa2ff0f2de91ce2de9ac142cdffb56ec1716c9e16f561cda689f4f2010eceeb4
- SHA512: c296a128487eb6fe393296b38ea290e7e2bdc7dce3dddcdc3f32d709da04e1b3bb488f3dcf1b0d9b36b937a867fd3d1f7b3c14131219875aa60a29339ac8c6f1
- Score: 3/10
Malware Config
- none

Signatures
- Program crash (1 IoC)
  WerFault.exe (pid 3928) handled a crash of its target psiphon3.exe (pid 4144).
- Modifies registry class (7 IoCs), all written by psiphon3.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\ = "URL:psiphon"
  Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\URL Protocol
  Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open\command
  Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell
  Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open
  Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\psiphon3.exe\" -- \"%1\""
  Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon
  Together these register "psiphon" as a URL protocol in the user's own Classes hive (\REGISTRY\USER\<SID>_Classes is HKCU\Software\Classes, so no elevation is needed), with the sample's copy in the user's Temp directory as the shell\open\command handler.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  WerFault.exe (pid 3928), 12 occurrences.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  WerFault.exe (pid 3928): SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  psiphon3.exe (pid 4144), 2 occurrences.
  The EnumeratesProcesses and AdjustPrivilegeToken hits come from WerFault.exe, the Windows Error Reporting process collecting the crash, not from the sample itself.
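The registry events above are the kind of flattened IoC list an analyst gets from the sandbox; what matters is the URL handler they add up to. The following is an added example for this report (not the sandbox's or the sample author's code) that parses those seven lines, reconstructs the `psiphon` protocol handler and flags the handler command because it points into a user-writable directory. The input lines are copied from the report; the `USER_WRITABLE_DIRS` list is a triage assumption.

```python
"""Reconstruct the URL protocol handler from the 'Modifies registry class' IoCs.

Added example for this report, not the sandbox's own code. The seven input lines
are copied from the report; USER_WRITABLE_DIRS is a triage assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The seven registry IoCs as the report lists them (one per line, same order).
REPORT_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\ = "URL:psiphon"
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\URL Protocol
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open\command
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\psiphon3.exe\" -- \"%1\""
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon
"""

# Shape of one line: <op> [(type)] <NT path>[ = "<data>"]; data has \" and \\ escaped.
LINE_RE = re.compile(
    r'^(?P<op>Key created|Set value)(?: \((?P<vtype>\w+)\))? '
    r'(?P<path>\\REGISTRY\\[^=]+?)(?: = "(?P<data>.*)")?$'
)
# \REGISTRY\USER\<SID>_Classes is that user's HKCU\Software\Classes: no elevation needed.
USER_CLASSES_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21(?:-\d+)+)_Classes(?P<rest>\\.*)?$'
)
# Assumption for triage: directories an unprivileged user can normally write to.
USER_WRITABLE_DIRS = ('\\AppData\\', '\\Users\\Public\\', '\\ProgramData\\', '\\Windows\\Temp\\')


@dataclass
class RegistryEvent:
    op: str                    # "Key created" or "Set value"
    key: str                   # NT-native key path without the value name
    value_name: Optional[str]  # None for key creation; "(Default)" for the key's default value
    value_type: Optional[str]
    data: Optional[str]        # unescaped data, None when the report shows none


def unescape(data: Optional[str]) -> Optional[str]:
    r"""Undo the report's \" and \\ escaping."""
    return None if data is None else re.sub(r'\\(.)', r'\1', data)


def parse_report_iocs(text: str):
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f'unrecognised IoC line: {line!r}')
        if m['op'] == 'Key created':
            events.append(RegistryEvent(m['op'], m['path'], None, None, None))
            continue
        # For Set value the last path component is the value name; a trailing
        # backslash means the key's default value.
        key, _, name = m['path'].rpartition('\\')
        events.append(RegistryEvent(m['op'], key, name or '(Default)', m['vtype'], unescape(m['data'])))
    return events


def executable_of(command: str) -> str:
    """First token of a shell\\open\\command line, honouring quotes."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return m.group(1) or m.group(2)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d.lower() in p for d in USER_WRITABLE_DIRS)


def reconstruct_url_handlers(events):
    """Group per-user Classes events by ProgID; keep those flagged 'URL Protocol'."""
    handlers = {}
    for ev in events:
        m = USER_CLASSES_RE.match(ev.key)
        if not m or not m['rest']:
            continue
        scheme, *sub = m['rest'].lstrip('\\').split('\\')
        h = handlers.setdefault(scheme, {
            'sid': m['sid'], 'hkcu_key': 'HKCU\\Software\\Classes\\' + scheme,
            'url_protocol': False, 'display_name': None, 'command': None,
            'executable': None, 'user_writable': False,
        })
        if ev.op != 'Set value':
            continue
        if not sub and ev.value_name == 'URL Protocol':
            h['url_protocol'] = True          # marks the ProgID as a URI scheme handler
        elif not sub and ev.value_name == '(Default)':
            h['display_name'] = ev.data
        elif sub == ['shell', 'open', 'command'] and ev.value_name == '(Default)':
            h['command'] = ev.data
            h['executable'] = executable_of(ev.data)
            h['user_writable'] = is_user_writable(h['executable'])
    return {s: h for s, h in handlers.items() if h['url_protocol']}


if __name__ == '__main__':
    for scheme, h in reconstruct_url_handlers(parse_report_iocs(REPORT_IOCS)).items():
        flag = 'handler in user-writable path' if h['user_writable'] else 'ok'
        print(f"{scheme}:// -> {h['command']}  [{flag}]  ({h['hkcu_key']})")
```

Run stand-alone it prints one line: the `psiphon` scheme mapped to `"C:\Users\Admin\AppData\Local\Temp\psiphon3.exe" -- "%1"`, flagged because the handler lives in the user's Temp directory. Once registered this way, any `psiphon:` URI handed to the shell (for example from a browser) relaunches that binary with the URI as its argument, and because the write lands in the per-user hive it succeeds without elevation; that is what the "Modifies registry class" signature is recording.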
Processes
1. C:\Users\Admin\AppData\Local\Temp\psiphon3.exe (pid 4144)
   Command line: "C:\Users\Admin\AppData\Local\Temp\psiphon3.exe"
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\WerFault.exe (pid 3928), child of 1
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 2012
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken