Analysis Overview
SHA256
eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e
Threat Level: Known bad
The file NordVPNSetup.exe was found to be: Known bad.
Malicious Activity Summary
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-06-27 11:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-06-27 11:46
Reported
2021-06-27 11:49
Platform
win7v20210410
Max time kernel
70s
Max time network
172s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1088 set thread context of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 2756
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.218.217:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1088-59-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1088-61-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
memory/1088-62-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1088-63-0x0000000004EB0000-0x0000000004F6A000-memory.dmp
memory/1088-64-0x0000000000440000-0x0000000000444000-memory.dmp
memory/1088-65-0x0000000005870000-0x000000000590E000-memory.dmp
memory/1088-66-0x0000000008110000-0x00000000081A6000-memory.dmp
memory/820-67-0x0000000000400000-0x000000000049A000-memory.dmp
memory/820-68-0x00000000004934C6-mapping.dmp
memory/820-69-0x0000000000400000-0x000000000049A000-memory.dmp
memory/820-71-0x0000000004890000-0x0000000004891000-memory.dmp
memory/820-72-0x0000000005880000-0x00000000058F0000-memory.dmp
memory/1356-73-0x0000000000000000-mapping.dmp
memory/1356-74-0x0000000000890000-0x0000000000891000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-06-27 11:46
Reported
2021-06-27 11:48
Platform
win10v20210410
Max time kernel
66s
Max time network
135s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4092 set thread context of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 2948
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.136.132:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/4092-114-0x0000000000690000-0x0000000000691000-memory.dmp
memory/4092-116-0x0000000005610000-0x0000000005611000-memory.dmp
memory/4092-117-0x0000000005040000-0x0000000005041000-memory.dmp
memory/4092-118-0x00000000050F0000-0x00000000050F1000-memory.dmp
memory/4092-119-0x00000000052D0000-0x000000000538A000-memory.dmp
memory/4092-120-0x0000000005430000-0x0000000005431000-memory.dmp
memory/4092-121-0x0000000005240000-0x0000000005244000-memory.dmp
memory/4092-122-0x0000000005100000-0x0000000005101000-memory.dmp
memory/4092-123-0x00000000029C0000-0x00000000029C1000-memory.dmp
memory/4092-124-0x0000000006070000-0x000000000610E000-memory.dmp
memory/4092-125-0x00000000087F0000-0x0000000008886000-memory.dmp
memory/372-127-0x00000000004934C6-mapping.dmp
memory/372-126-0x0000000000400000-0x000000000049A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NordVPNSetup.exe.log
| MD5 | b4f7a6a57cb46d94b72410eb6a6d45a9 |
| SHA1 | 69f3596ffa027202d391444b769ceea0ae14c5f7 |
| SHA256 | 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b |
| SHA512 | be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c |
memory/372-131-0x0000000005680000-0x0000000005681000-memory.dmp
memory/372-132-0x0000000002F50000-0x0000000002F51000-memory.dmp
memory/372-133-0x0000000006490000-0x0000000006500000-memory.dmp