Overview

overview

7

Static

static

5

Portable_�...n3.exe

windows7-x64

5

Portable_�...n3.exe

windows10-2004-x64

5

Portable_�...on.dll

windows7-x64

3

Portable_�...on.dll

windows10-2004-x64

3

Portable_�...le.exe

windows7-x64

7

Portable_�...le.exe

windows10-2004-x64

7

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...os.dll

windows7-x64

3

$PLUGINSDI...os.dll

windows10-2004-x64

3

$PLUGINSDI...sh.dll

windows7-x64

3

$PLUGINSDI...sh.dll

windows10-2004-x64

3

$PLUGINSDI...ce.dll

windows7-x64

3

$PLUGINSDI...ce.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ry.dll

windows7-x64

3

$PLUGINSDI...ry.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 11:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Portable_去廣告_C.Psiphon3.184 20241119/PsiphonPortable.exe

  • Size

    142KB

  • MD5

    49bf9dca0c8eaff957f62f0f3cef0ba5

  • SHA1

    c15ad261cf8e2e33fe36c9b69abfdc29bac3d19d

  • SHA256

    cc7c4aca06452689cd8be37ab8ba2285f6b977ffa7473812713190bf3f2996d4

  • SHA512

    ce352f7c82aee9a464d4f452ecafebeaeb7db87bfe5f8818a7e2354fe66208dbdf69c2fbdef197d41fbfeacdb7238b1447c188f24ad6ab03d86f3882ca4b2d64

  • SSDEEP

    3072:YqeqOYEUXPnDSwPK4u1I0KzpFKFpcVDxCtODy:jEUXP7u1WpF/Dy

Score
7/10
discoveryupx

Malware Config

Signatures

  • Loads dropped DLL 8 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Portable_去廣告_C.Psiphon3.184 20241119\PsiphonPortable.exe
    "C:\Users\Admin\AppData\Local\Temp\Portable_去廣告_C.Psiphon3.184 20241119\PsiphonPortable.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\Portable_去廣告_C.Psiphon3.184 20241119\App\Psiphon\psiphon3.exe
      "C:\Users\Admin\AppData\Local\Temp\Portable_去廣告_C.Psiphon3.184 20241119\App\Psiphon\psiphon3.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1680
        3⤵
        • Program crash
        PID:3364
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4168 -ip 4168
    1⤵
      PID:400

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Portable_去廣告_C.Psiphon3.184 20241119\Data\PortableApps.comLauncherRuntimeData-PsiphonPortable.ini
      Filesize

      86B

      MD5

      ae59b96901e0cdec21c84e9b825beae4

      SHA1

      4fa7f8482caa7be2169f57445dcabad589ada14a

      SHA256

      29e1ebefc6ca9dbd57d95fdc8c4e50da97ef4667047968a4665605ec20e16a83

      SHA512

      a6ab7abadb1d360a00d0105e30225b5d982cb47dee928d9e45c7aa54f2ff49c7a277651c89c3c49973da49fb9fb86ef92fd2c45fcb16f2f45cf6a407675718ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Portable_去廣告_C.Psiphon3.184 20241119\Data\settings\Psiphon.reg
      Filesize

      452B

      MD5

      e2a203ca6e155d6960f4d7e7e741893b

      SHA1

      a8737102c5a5aabd5b59a29907fbbbc05df3a9bd

      SHA256

      863df7402e7283f531331f0f97381b81700f745e6b312a1977ef5ae2170ff8e9

      SHA512

      d6c37c12f1f463e0602d603423a0a3ac6c8f088305b020f97f938f33265adbf24cead308639f69da82ed3083a26c51a9601e9604d3b21cadfce145a38bce9d03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsf9397.tmp\System.dll
      Filesize

      11KB

      MD5

      bf712f32249029466fa86756f5546950

      SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

      SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

      SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsf9397.tmp\UAC.dll
      Filesize

      13KB

      MD5

      a88baad3461d2e9928a15753b1d93fd7

      SHA1

      bb826e35264968bbc3b981d8430ac55df1e6d4a6

      SHA256

      c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

      SHA512

      5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsf9397.tmp\launcher.ini
      Filesize

      666B

      MD5

      13a80331ae779addf158da5d51515b3f

      SHA1

      5cce658366cc5cd8fac1f5287d3e15b1ae5c5cf8

      SHA256

      d463e2ce20e25b2ed290dcf6dc1c01dcc60b5dda71e932ccfa9f5ddf53e81910

      SHA512

      59849a3e60a4075c1a743c67109916213112a1bc494dc47b4e85e621bca8ca4554a155a24f07104846227100c06c7c16bf157e7fc97eb5f00f8121c1b341e2c9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsf9397.tmp\newadvsplash.dll
      Filesize

      8KB

      MD5

      55a723e125afbc9b3a41d46f41749068

      SHA1

      01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

      SHA256

      0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

      SHA512

      559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsf9397.tmp\newtextreplace.dll
      Filesize

      11KB

      MD5

      b5358341df2cb171876a5f201e31a834

      SHA1

      df34750ea5504274be5ff8ddd306b49e302d04f9

      SHA256

      156b9b583399faf13c4d46b89339fb0f7f38dc847ac2d7872178d8e3998b9734

      SHA512

      821dc42e24fa2d44a1d4d16b26c3da2688dac0fa44a266e38da2aff706c91440d83a87abc74131930e6c38a44a0c5e627db2d045375fde147e0edd3276f4b014

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsf9397.tmp\registry.dll
      Filesize

      29KB

      MD5

      2880bf3bbbc8dcaeb4367df8a30f01a8

      SHA1

      cb5c65eae4ae923514a67c95ada2d33b0c3f2118

      SHA256

      acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

      SHA512

      ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3

      Download Submit

    • memory/2240-78-0x0000000005210000-0x0000000005273000-memory.dmp

      Filesize

      396KB

      Download

    • memory/4168-94-0x0000000000400000-0x0000000001F8D000-memory.dmp

      Filesize

      27.6MB

      Download

    • memory/4168-95-0x0000000000401000-0x0000000001811000-memory.dmp

      Filesize

      20.1MB

      Download

    • memory/4168-91-0x0000000000401000-0x0000000001811000-memory.dmp

      Filesize

      20.1MB

      Download

    • memory/4168-90-0x0000000000400000-0x0000000001F8D000-memory.dmp

      Filesize

      27.6MB

      Download