bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Analysis

max time kernel
141s
max time network
140s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
03-02-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	NordVPNSetup.tmp

Loads dropped DLL 3 IoCs

pid	Process
2784	NordVPNSetup.tmp
2784	NordVPNSetup.tmp
2784	NordVPNSetup.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	NordVPNSetup.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 2784	204	NordVPNSetup.exe	74
PID 204 wrote to memory of 2784	204	NordVPNSetup.exe	74
PID 204 wrote to memory of 2784	204	NordVPNSetup.exe	74

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:204
- C:\Users\Admin\AppData\Local\Temp\is-GG24P.tmp\NordVPNSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GG24P.tmp\NordVPNSetup.tmp" /SL5="$8007E,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GG24P.tmp\NordVPNSetup.tmp

Filesize
1.8MB

MD5
32864422e561f307199cd711d8d6763b

SHA1
c556d9adf7a502d74211eb38a174256d64a8bc4a

SHA256
0e996ccd1b6425bd90370738d51c4d4cb836b7a1f0fa2bffe0ded4bf3c1a2650

SHA512
82acb3b0726d2b264fab6fe9f304792a7a84aa1032e9340507882c2bdf87afd292fb1e052a28cf7a1e75b1436ccffa74962d54ec84265f8641f69e9c115148ac

Download Submit
\Users\Admin\AppData\Local\Temp\is-DPTBE.tmp\Nord.Setup.dll

Filesize
40KB

MD5
b18bd486c5718397bc65d77a16ce2593

SHA1
58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

SHA256
0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

SHA512
f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

Download Submit
memory/204-27-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/204-1-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2784-6-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2784-19-0x00000000037E0000-0x00000000037F0000-memory.dmp

Filesize
64KB

Download
memory/2784-23-0x00000000036E0000-0x00000000036F0000-memory.dmp

Filesize
64KB

Download
memory/2784-24-0x0000000073110000-0x0000000073120000-memory.dmp

Filesize
64KB

Download
memory/2784-25-0x0000000072940000-0x000000007302E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-26-0x0000000006960000-0x0000000006E8C000-memory.dmp

Filesize
5.2MB

Download
memory/2784-28-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2784-29-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2784-32-0x00000000037E0000-0x00000000037F0000-memory.dmp

Filesize
64KB

Download
memory/2784-33-0x0000000072940000-0x000000007302E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads