bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

2580 NordVPNSetup.tmp
Loads dropped DLL 3 IoCs

Processes:

NordVPNSetup.tmp

pid process

2580 NordVPNSetup.tmp
2580 NordVPNSetup.tmp
2580 NordVPNSetup.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NordVPNSetup.tmp

description pid process

Token: SeDebugPrivilege 2580 NordVPNSetup.tmp

pid	process
2580	NordVPNSetup.tmp

pid	process
2580	NordVPNSetup.tmp
2580	NordVPNSetup.tmp
2580	NordVPNSetup.tmp

description	pid	process
Token: SeDebugPrivilege	2580	NordVPNSetup.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NordVPNSetup.exe

description	pid	process	target process
PID 3064 wrote to memory of 2580	3064	NordVPNSetup.exe	NordVPNSetup.tmp
PID 3064 wrote to memory of 2580	3064	NordVPNSetup.exe	NordVPNSetup.tmp
PID 3064 wrote to memory of 2580	3064	NordVPNSetup.exe	NordVPNSetup.tmp

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\is-AL8DH.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AL8DH.tmp\NordVPNSetup.tmp" /SL5="$501CE,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9LFPL.tmp\Nord.Setup.dll

Filesize
20KB

MD5
efd6c78398c9b0ed9795b2b9f1a365d1

SHA1
9cf22574b1746b868b5d893c8b6b86933f24cfa6

SHA256
0eee8cf4863b70b63a2b0e2b475dd33172069a0954795889cb8fd3e241d89aae

SHA512
68441fdd646bb462a5fd9d1d73db56d45f5356b6fb9533b4b649220747ed7b9759235ae6ab91845904b61c3d96f54d090cd5688ff964ad834c01925a1a49cb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9LFPL.tmp\Nord.Setup.dll

Filesize
40KB

MD5
b18bd486c5718397bc65d77a16ce2593

SHA1
58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

SHA256
0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

SHA512
f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AL8DH.tmp\NordVPNSetup.tmp

Filesize
266KB

MD5
b29b677e400b2c88eed3849f27dc28e3

SHA1
130f67cb0f5df8d7ff07ab610d438f97367e07c0

SHA256
e3c47325a57fb0cd2a7f50a52c7d51e668b9ee434be5c300ff2e11adca8f9dbf

SHA512
db3bc50b4d22826b83042c0f4eeded93b5653e236bc8a927119aa04612fb6f46b216e6644ca06e3d2f7f1e4d59169c942989e99eea2ef29cba4bad4d4afc9a9d

Download Submit
memory/2580-22-0x00000000042B0000-0x00000000042C0000-memory.dmp

Filesize
64KB

Download
memory/2580-18-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/2580-23-0x0000000073E50000-0x0000000073E60000-memory.dmp

Filesize
64KB

Download
memory/2580-5-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2580-24-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/2580-25-0x0000000006930000-0x0000000006E5C000-memory.dmp

Filesize
5.2MB

Download
memory/2580-27-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2580-28-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2580-31-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/2580-32-0x00000000735B0000-0x0000000073D60000-memory.dmp

Filesize
7.7MB

Download
memory/3064-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3064-26-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download