Analysis Overview
SHA256
eaee3b7f33e680cfebcac7634b0ea0aaefac8564bc50603cb90669a43d89a29e
Threat Level: Known bad
The file NordVPNSetup.exe was found to be: Known bad.
Malicious Activity Summary
Echelon
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-07 06:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-07 06:25
Reported
2021-09-07 06:27
Platform
win7-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1664 set thread context of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 2684
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 50.16.239.65:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1664-53-0x0000000000900000-0x0000000000901000-memory.dmp
memory/1664-55-0x0000000004D30000-0x0000000004DEA000-memory.dmp
memory/1664-56-0x0000000000550000-0x0000000000554000-memory.dmp
memory/1664-57-0x0000000004F00000-0x0000000004F01000-memory.dmp
memory/1664-58-0x0000000000500000-0x0000000000501000-memory.dmp
memory/1664-59-0x00000000057A0000-0x000000000583E000-memory.dmp
memory/1664-60-0x0000000005840000-0x00000000058D6000-memory.dmp
memory/832-61-0x0000000000400000-0x000000000049A000-memory.dmp
memory/832-62-0x00000000004934C6-mapping.dmp
memory/832-63-0x0000000000400000-0x000000000049A000-memory.dmp
memory/832-65-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
memory/832-66-0x00000000006D0000-0x00000000006D1000-memory.dmp
memory/832-67-0x0000000005200000-0x0000000005270000-memory.dmp
memory/1324-68-0x0000000000000000-mapping.dmp
memory/1324-69-0x0000000000250000-0x0000000000251000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-07 06:25
Reported
2021-09-07 06:27
Platform
win10v20210408
Max time kernel
89s
Max time network
152s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4060 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 3020
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 50.16.235.219:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/4060-114-0x0000000000150000-0x0000000000151000-memory.dmp
memory/4060-116-0x00000000050B0000-0x00000000050B1000-memory.dmp
memory/4060-117-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/4060-118-0x0000000004B00000-0x0000000004B01000-memory.dmp
memory/4060-119-0x0000000002570000-0x0000000002571000-memory.dmp
memory/4060-120-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
memory/4060-121-0x0000000004E00000-0x0000000004EBA000-memory.dmp
memory/4060-122-0x0000000004F60000-0x0000000004F61000-memory.dmp
memory/4060-123-0x0000000004B80000-0x0000000004B84000-memory.dmp
memory/4060-124-0x0000000005B50000-0x0000000005BEE000-memory.dmp
memory/4060-125-0x00000000082E0000-0x0000000008376000-memory.dmp
memory/2268-126-0x0000000000400000-0x000000000049A000-memory.dmp
memory/2268-127-0x00000000004934C6-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NordVPNSetup.exe.log
| MD5 | b4f7a6a57cb46d94b72410eb6a6d45a9 |
| SHA1 | 69f3596ffa027202d391444b769ceea0ae14c5f7 |
| SHA256 | 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b |
| SHA512 | be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c |
memory/2268-131-0x0000000005220000-0x0000000005221000-memory.dmp
memory/2268-132-0x00000000052F0000-0x00000000052F1000-memory.dmp
memory/2268-133-0x0000000006160000-0x00000000061D0000-memory.dmp