hxxp://d1k8f6a0wbit4d[.]cloudfront[.]net/uj0j9dqQp/1[.]3[.]88[.]710/psiphon[.]exe

Analysis

max time kernel
299s
max time network
294s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16/08/2023, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://d1k8f6a0wbit4d.cloudfront.net/uj0j9dqQp/1.3.88.710/psiphon.exe

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133366446117219707"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 5112	3764	chrome.exe	70
PID 3764 wrote to memory of 5112	3764	chrome.exe	70
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 3576	3764	chrome.exe	76
PID 3764 wrote to memory of 1304	3764	chrome.exe	72
PID 3764 wrote to memory of 1304	3764	chrome.exe	72
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73
PID 3764 wrote to memory of 1120	3764	chrome.exe	73

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://d1k8f6a0wbit4d.cloudfront.net/uj0j9dqQp/1.3.88.710/psiphon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff17409758,0x7fff17409768,0x7fff17409778
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2640 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2632 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:2
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3920 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1812,i,10250170357885228010,9044296771317758494,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1bca0b39-3894-4b68-b80c-bc474c69ccb8.tmp

Filesize
5KB

MD5
507c8de20dd6aa5eb964751088af2817

SHA1
6fa92f44a4eae1605663442d4027b5e5a8f31275

SHA256
4d250c2166bc03df322face44bed8203ace2ba7f616f4af5f34c4f99092acc52

SHA512
f286280c64b5588462390fc28432e1420a6008b0c115836c3b6192499d5deb47730764c887f87ee02b9518041808f706c81fd4a5166bfa0008366a4055da4037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dcb83aadcc48e7e943dc4896b6ce33c7

SHA1
dbe5fbe367d2b154b46cbcba5ae22d38055489e0

SHA256
1fa1b45b8fa8ac7a26b89bc2bdccf05d4a6934572cb0fe8235c0fc59318005e6

SHA512
cb970af4de7070c4a999a75ac875115a7e9b4ba44fd424519f5ad89b08458206c70fd506c4c3f1baf912b09dedd6a0eb3affacf2870b2d58ea0ea70eb8a47f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
39f352c69106383a0440b5aea7eae710

SHA1
3ce9eea696ef9008a33d7de0eaa772497808abb0

SHA256
06a67e3d6c31c149a2d0084cad931dddf063dd0c24bbac95bd74302fafa77f05

SHA512
2c5d11bf3a68332a34ec8e42bf3b165e8997315b6ec12be9e749bb70628adab5f219190f47004f7821820d1adf3c2e106a2a1de7d8fe78b03aecccd493f462ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
6ed277082848369caa362ea1ed0b031a

SHA1
c235fe6cb3002e61a39a78525676a05f439f1945

SHA256
34afe096f3fa04b87523283071b113ae1c8d935f0272b044b44f476bb80bbb22

SHA512
c0fcc1022daa49d0bd1ee99c39eaa29c92bd01af564614f3a229e0361e858d3745885420d8cfac3e31eb9617a0d530ea631f35f0987fecf73fad413e28668d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit