Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

NordVPNSetup.exe

windows7-x64

8

NordVPNSetup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NordVPNSetup.exe

  • Size

    1.7MB

  • MD5

    59cb69a08fdd9cb4b0539e3356df1d4d

  • SHA1

    0c773a0a76f821780c002d527bee387b98904569

  • SHA256

    bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

  • SHA512

    51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2

  • SSDEEP

    24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Users\Admin\AppData\Local\Temp\is-PBKL6.tmp\NordVPNSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PBKL6.tmp\NordVPNSetup.tmp" /SL5="$6006C,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-ACDHA.tmp\Nord.Setup.dll
    Filesize

    11KB

    MD5

    14c0bc56c020ca702379927b3700cfbf

    SHA1

    7cb3c2c815268821f7b42b58c3ff63860f0d3f4c

    SHA256

    a2ac55bf624c4f8dfb7187297ebad936b8f176e84e0a5fc980ae7f4b41ad448c

    SHA512

    caa984210805a52d65a0ddce42d9987205938b185f455860c55554102d5084809eae9eb158f55fadf7b7823673396e77bb3f9a7d03a2f9014a35efc346f940bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-ACDHA.tmp\Nord.Setup.dll
    Filesize

    40KB

    MD5

    b18bd486c5718397bc65d77a16ce2593

    SHA1

    58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

    SHA256

    0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

    SHA512

    f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PBKL6.tmp\NordVPNSetup.tmp
    Filesize

    381KB

    MD5

    fd012643d3f664ec4f3cf6acc4ced36a

    SHA1

    a8baee668d21e204527248a90f8f803e49fcb464

    SHA256

    04406dc08a615c6ac21546e481a152c93254ee8733a0eda9626eeb82684ac954

    SHA512

    4231d7c948dbbab3c0facacf79fbc1566eb205fe4cbfee85636511799bd044b4d7516f789422527d75336f5d012c21c7cb634c6c714dc0332311264547080717

    Download Submit

  • memory/3724-0-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/3724-2-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/3724-27-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4020-23-0x00000000042F0000-0x0000000004300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-25-0x0000000073440000-0x0000000073BF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4020-24-0x0000000073CE0000-0x0000000073CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-19-0x0000000003790000-0x00000000037A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-26-0x0000000006930000-0x0000000006E5C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4020-6-0x0000000002810000-0x0000000002811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4020-28-0x0000000000400000-0x000000000071B000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4020-29-0x0000000002810000-0x0000000002811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4020-32-0x0000000003790000-0x00000000037A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-33-0x0000000073440000-0x0000000073BF0000-memory.dmp

    Filesize

    7.7MB

    Download