fa2ff0f2de91ce2de9ac142cdffb56ec1716c9e16f561cda689f4f2010eceeb4 | Triage

Analysis

max time kernel
325s
max time network
1554s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 19:16

Sharing

Report Analysis Logs

General

Target

psiphon3.exe
Size

6.8MB
MD5

2ebc28739e3c11341136fc5404c44579
SHA1

6adb43880cac3dfe5a5356d19d588648739763e7
SHA256

fa2ff0f2de91ce2de9ac142cdffb56ec1716c9e16f561cda689f4f2010eceeb4
SHA512

c296a128487eb6fe393296b38ea290e7e2bdc7dce3dddcdc3f32d709da04e1b3bb488f3dcf1b0d9b36b937a867fd3d1f7b3c14131219875aa60a29339ac8c6f1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3928 4144 WerFault.exe psiphon3.exe

Modifies registry class 7 IoCs

Processes:

psiphon3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\ = "URL:psiphon"	psiphon3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\URL Protocol	psiphon3.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open\command	psiphon3.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell	psiphon3.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open	psiphon3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\psiphon3.exe\" -- \"%1\""	psiphon3.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\psiphon	psiphon3.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3928 WerFault.exe
Token: SeBackupPrivilege 3928 WerFault.exe
Token: SeDebugPrivilege 3928 WerFault.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

psiphon3.exe

pid process

4144 psiphon3.exe
4144 psiphon3.exe

C:\Users\Admin\AppData\Local\Temp\psiphon3.exe
"C:\Users\Admin\AppData\Local\Temp\psiphon3.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 2012
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...