Malware Analysis Report

2024-11-13 14:24

Sample ID 210907-g6ps6sfcem
Target NordVPNSetup.exe
SHA256 eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e
Tags
echelon discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e

Threat Level: Known bad

The file NordVPNSetup.exe was found to be: Known bad.

Malicious Activity Summary

echelon discovery spyware stealer

Echelon

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-07 06:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-07 06:25

Reported

2021-09-07 06:27

Platform

win7-en

Max time kernel

137s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"

Signatures

Echelon

stealer spyware echelon

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1664 set thread context of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1664 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 1664 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 832 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Windows\SysWOW64\WerFault.exe
PID 832 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Windows\SysWOW64\WerFault.exe
PID 832 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Windows\SysWOW64\WerFault.exe
PID 832 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 2684

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 50.16.239.65:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

memory/1664-53-0x0000000000900000-0x0000000000901000-memory.dmp

memory/1664-55-0x0000000004D30000-0x0000000004DEA000-memory.dmp

memory/1664-56-0x0000000000550000-0x0000000000554000-memory.dmp

memory/1664-57-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/1664-58-0x0000000000500000-0x0000000000501000-memory.dmp

memory/1664-59-0x00000000057A0000-0x000000000583E000-memory.dmp

memory/1664-60-0x0000000005840000-0x00000000058D6000-memory.dmp

memory/832-61-0x0000000000400000-0x000000000049A000-memory.dmp

memory/832-62-0x00000000004934C6-mapping.dmp

memory/832-63-0x0000000000400000-0x000000000049A000-memory.dmp

memory/832-65-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

memory/832-66-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/832-67-0x0000000005200000-0x0000000005270000-memory.dmp

memory/1324-68-0x0000000000000000-mapping.dmp

memory/1324-69-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-07 06:25

Reported

2021-09-07 06:27

Platform

win10v20210408

Max time kernel

89s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"

Signatures

Echelon

stealer spyware echelon

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4060 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4060 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
PID 4060 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 3020

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 50.16.235.219:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

memory/4060-114-0x0000000000150000-0x0000000000151000-memory.dmp

memory/4060-116-0x00000000050B0000-0x00000000050B1000-memory.dmp

memory/4060-117-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

memory/4060-118-0x0000000004B00000-0x0000000004B01000-memory.dmp

memory/4060-119-0x0000000002570000-0x0000000002571000-memory.dmp

memory/4060-120-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/4060-121-0x0000000004E00000-0x0000000004EBA000-memory.dmp

memory/4060-122-0x0000000004F60000-0x0000000004F61000-memory.dmp

memory/4060-123-0x0000000004B80000-0x0000000004B84000-memory.dmp

memory/4060-124-0x0000000005B50000-0x0000000005BEE000-memory.dmp

memory/4060-125-0x00000000082E0000-0x0000000008376000-memory.dmp

memory/2268-126-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2268-127-0x00000000004934C6-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NordVPNSetup.exe.log

MD5 b4f7a6a57cb46d94b72410eb6a6d45a9
SHA1 69f3596ffa027202d391444b769ceea0ae14c5f7
SHA256 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b
SHA512 be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

memory/2268-131-0x0000000005220000-0x0000000005221000-memory.dmp

memory/2268-132-0x00000000052F0000-0x00000000052F1000-memory.dmp

memory/2268-133-0x0000000006160000-0x00000000061D0000-memory.dmp