bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30-07-2023 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

1944 NordVPNSetup.tmp
Loads dropped DLL 4 IoCs

Processes:

NordVPNSetup.exeNordVPNSetup.tmp

pid process

2672 NordVPNSetup.exe
1944 NordVPNSetup.tmp
1944 NordVPNSetup.tmp
1944 NordVPNSetup.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

1944 NordVPNSetup.tmp

pid	process
1944	NordVPNSetup.tmp

pid	process
2672	NordVPNSetup.exe
1944	NordVPNSetup.tmp
1944	NordVPNSetup.tmp
1944	NordVPNSetup.tmp

pid	process
1944	NordVPNSetup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

NordVPNSetup.exe

description	pid	process	target process
PID 2672 wrote to memory of 1944	2672	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2672 wrote to memory of 1944	2672	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2672 wrote to memory of 1944	2672	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2672 wrote to memory of 1944	2672	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2672 wrote to memory of 1944	2672	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2672 wrote to memory of 1944	2672	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2672 wrote to memory of 1944	2672	NordVPNSetup.exe	NordVPNSetup.tmp

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\is-V3921.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V3921.tmp\NordVPNSetup.tmp" /SL5="$80120,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab82F7.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8329.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QI683.tmp\Nord.Setup.dll

Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V3921.tmp\NordVPNSetup.tmp

Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V3921.tmp\NordVPNSetup.tmp

Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
\Users\Admin\AppData\Local\Temp\is-QI683.tmp\Nord.Setup.dll

Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-QI683.tmp\Nord.Setup.dll

Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-QI683.tmp\Nord.Setup.dll

Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-V3921.tmp\NordVPNSetup.tmp

Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
memory/1944-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1944-75-0x0000000073B30000-0x00000000740DB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-83-0x0000000073B30000-0x00000000740DB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-72-0x00000000032E0000-0x0000000003320000-memory.dmp

Filesize
256KB

Download
memory/1944-234-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1944-236-0x00000000032E0000-0x0000000003320000-memory.dmp

Filesize
256KB

Download
memory/1944-237-0x0000000073B30000-0x00000000740DB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-238-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2672-55-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2672-233-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download