bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Analysis

max time kernel
141s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

4020 NordVPNSetup.tmp
Loads dropped DLL 3 IoCs

Processes:

NordVPNSetup.tmp

pid process

4020 NordVPNSetup.tmp
4020 NordVPNSetup.tmp
4020 NordVPNSetup.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NordVPNSetup.tmp

description pid process

Token: SeDebugPrivilege 4020 NordVPNSetup.tmp

pid	process
4020	NordVPNSetup.tmp

pid	process
4020	NordVPNSetup.tmp
4020	NordVPNSetup.tmp
4020	NordVPNSetup.tmp

description	pid	process
Token: SeDebugPrivilege	4020	NordVPNSetup.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NordVPNSetup.exe

description	pid	process	target process
PID 3724 wrote to memory of 4020	3724	NordVPNSetup.exe	NordVPNSetup.tmp
PID 3724 wrote to memory of 4020	3724	NordVPNSetup.exe	NordVPNSetup.tmp
PID 3724 wrote to memory of 4020	3724	NordVPNSetup.exe	NordVPNSetup.tmp

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\is-PBKL6.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PBKL6.tmp\NordVPNSetup.tmp" /SL5="$6006C,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ACDHA.tmp\Nord.Setup.dll
Filesize
11KB

MD5
14c0bc56c020ca702379927b3700cfbf

SHA1
7cb3c2c815268821f7b42b58c3ff63860f0d3f4c

SHA256
a2ac55bf624c4f8dfb7187297ebad936b8f176e84e0a5fc980ae7f4b41ad448c

SHA512
caa984210805a52d65a0ddce42d9987205938b185f455860c55554102d5084809eae9eb158f55fadf7b7823673396e77bb3f9a7d03a2f9014a35efc346f940bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ACDHA.tmp\Nord.Setup.dll
Filesize
40KB

MD5
b18bd486c5718397bc65d77a16ce2593

SHA1
58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

SHA256
0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

SHA512
f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PBKL6.tmp\NordVPNSetup.tmp
Filesize
381KB

MD5
fd012643d3f664ec4f3cf6acc4ced36a

SHA1
a8baee668d21e204527248a90f8f803e49fcb464

SHA256
04406dc08a615c6ac21546e481a152c93254ee8733a0eda9626eeb82684ac954

SHA512
4231d7c948dbbab3c0facacf79fbc1566eb205fe4cbfee85636511799bd044b4d7516f789422527d75336f5d012c21c7cb634c6c714dc0332311264547080717

Download Submit
memory/3724-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3724-2-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3724-27-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4020-23-0x00000000042F0000-0x0000000004300000-memory.dmp

Filesize
64KB

Download
memory/4020-25-0x0000000073440000-0x0000000073BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-24-0x0000000073CE0000-0x0000000073CF0000-memory.dmp

Filesize
64KB

Download
memory/4020-19-0x0000000003790000-0x00000000037A0000-memory.dmp

Filesize
64KB

Download
memory/4020-26-0x0000000006930000-0x0000000006E5C000-memory.dmp

Filesize
5.2MB

Download
memory/4020-6-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/4020-28-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4020-29-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/4020-32-0x0000000003790000-0x00000000037A0000-memory.dmp

Filesize
64KB

Download
memory/4020-33-0x0000000073440000-0x0000000073BF0000-memory.dmp

Filesize
7.7MB

Download