bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

2840 NordVPNSetup.tmp
Loads dropped DLL 4 IoCs

Processes:

NordVPNSetup.exeNordVPNSetup.tmp

pid process

1700 NordVPNSetup.exe
2840 NordVPNSetup.tmp
2840 NordVPNSetup.tmp
2840 NordVPNSetup.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

2840 NordVPNSetup.tmp

pid	process
2840	NordVPNSetup.tmp

pid	process
1700	NordVPNSetup.exe
2840	NordVPNSetup.tmp
2840	NordVPNSetup.tmp
2840	NordVPNSetup.tmp

pid	process
2840	NordVPNSetup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

NordVPNSetup.exe

description	pid	process	target process
PID 1700 wrote to memory of 2840	1700	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1700 wrote to memory of 2840	1700	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1700 wrote to memory of 2840	1700	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1700 wrote to memory of 2840	1700	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1700 wrote to memory of 2840	1700	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1700 wrote to memory of 2840	1700	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1700 wrote to memory of 2840	1700	NordVPNSetup.exe	NordVPNSetup.tmp

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\is-NJ4FL.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NJ4FL.tmp\NordVPNSetup.tmp" /SL5="$40150,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab63D4.tmp
Filesize
59KB

MD5
f9abdd3dc2af9a8f1a30eabd07f3e4a5

SHA1
51e5bce27cc827cc0f8cda32f56f9940161f7229

SHA256
8bc258bfc826f232a58d943dbc6e1a49b70351612d5219a900f959189e444ae2

SHA512
c760ced308257919bc6097c2a8f2372c6cb81f9d6c0f79b025163ac3d64c6aa79196e4d6818909b42417b6cce29174f642358accc9231feaa2dc19b694ccb020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar63E6.tmp
Filesize
109KB

MD5
99645b0d0a302fd27c049f1724c4e819

SHA1
3a4836ca7894b5908311cacbbf88ef849428a011

SHA256
bcf5fab5e18016895459b3672012c8ba13a87dfd17b95bac79c3fef5964a61fa

SHA512
3dac2d2fd05d318f82d79f26984cd4b74a0fc87aea61bd0d0955477e2c3d12b83cecbf2c310063c26761ed8d6f89f9cb20ab2f532bcffeb8770dc90359d71976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NJ4FL.tmp\NordVPNSetup.tmp
Filesize
435KB

MD5
ae89ceeea711cbb15500f0b3b633b4c5

SHA1
01a2855aa1407fe6004215c45c4bd9653066f849

SHA256
f548dccf5d179d7233102a2b646db118f5eb1ac8f0baf06be42a3637f0fc89b2

SHA512
577015efe072ede35688b2141d0d464e65ccf85a83d42374dc92bed6f04e022cfd7c101e0520541998789bef54895d32c1d12c2c4a83056acc2499037dfa95ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NJ4FL.tmp\NordVPNSetup.tmp
Filesize
1.2MB

MD5
b7765fc6f05ad11e2eff89b77beb6389

SHA1
5e091687407c69976c0e9a534f2cbf69cba3719e

SHA256
b1c2a95ca75b45439fd891dbb921b87acf9e9e585a4e9d337e20a7a8e7582c10

SHA512
978dde8676c1405741a53e04e519c69f68e783c151a185f459963aae0dd631abf0fc0b790ba00336fc536355ea70bf7ee233d8bfe32e8be00ced6584583966d8

Download Submit
\Users\Admin\AppData\Local\Temp\is-EQ2F8.tmp\Nord.Setup.dll
Filesize
40KB

MD5
fb3b4bb0ea4f23de6109281606a35c8e

SHA1
01fc9184e971407bf2c7bc4b4e5181c96a16e38b

SHA256
5a8c26e985a7346e04d95e57373e7f65646d42f2403ccb24e5092d21d6a2a5b9

SHA512
6481aa9610589fb9609d74c8daa70b527593833972540bbcfeef11bc1ec66544b77ad5517b06b46b3e157969593095045253487c57a6b712efba9f47b75873e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-NJ4FL.tmp\NordVPNSetup.tmp
Filesize
1.4MB

MD5
0879ed7bcbd2d9ada3b967d9c9d7326f

SHA1
64035b9d1f2942d788e6f42fd59242ae9ec6ec4c

SHA256
567e436af74280817b8e54244d4e5b5d9e2b1a6577b00f6489579d9a8d5f9d0b

SHA512
b265e157df6630b38dbdea1eae5bd4c4b5efa6fd5f21dea7d9b9cf823a4912b4cd5bfecbe65cb46d8da7c9636957f1bd19b56896827c5de5d1cf9ca35279bec8

Download Submit
memory/1700-2-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1700-179-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2840-29-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-21-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-18-0x00000000034A0000-0x00000000034E0000-memory.dmp

Filesize
256KB

Download
memory/2840-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2840-180-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2840-181-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2840-183-0x00000000034A0000-0x00000000034E0000-memory.dmp

Filesize
256KB

Download
memory/2840-184-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads