391b613c8db8f21fe6545d6448adb188dd2b54749f31e7cd7abefb6e61f388d2

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
24-05-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

5d6f0577264346d7c28f1853871d89b7
SHA1

a606fa6e79ed5ca473eed30cc8483901ca67fae1
SHA256

391b613c8db8f21fe6545d6448adb188dd2b54749f31e7cd7abefb6e61f388d2
SHA512

9d43f0ef1ed41ac338a157dbcc74e5ebdb00ff83935aeb96095af9fe780a2217ae6362e6577b51780baffcaa50e2ee8f0c92345a473a199da5897411d3f72159
SSDEEP

24576:x7FUDowAyrTVE3U5FZvOcAqJys9vvys3gEhyel1XXkJ2k89zCA8:xBuZrEU1OMJys9HLRy3J2k8ob

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

1408 NordVPNSetup.tmp
Loads dropped DLL 3 IoCs

Processes:

NordVPNSetup.tmp

pid process

1408 NordVPNSetup.tmp
1408 NordVPNSetup.tmp
1408 NordVPNSetup.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NordVPNSetup.tmp

description pid process

Token: SeDebugPrivilege 1408 NordVPNSetup.tmp

pid	process
1408	NordVPNSetup.tmp

pid	process
1408	NordVPNSetup.tmp
1408	NordVPNSetup.tmp
1408	NordVPNSetup.tmp

description	pid	process
Token: SeDebugPrivilege	1408	NordVPNSetup.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NordVPNSetup.exe

description	pid	process	target process
PID 1224 wrote to memory of 1408	1224	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1224 wrote to memory of 1408	1224	NordVPNSetup.exe	NordVPNSetup.tmp
PID 1224 wrote to memory of 1408	1224	NordVPNSetup.exe	NordVPNSetup.tmp

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\is-NESGU.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NESGU.tmp\NordVPNSetup.tmp" /SL5="$C0068,890444,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3CSBD.tmp\Nord.Setup.dll
Filesize
40KB

MD5
fb15e8ae0e2decdb97257514355d2b0e

SHA1
d329afd113203e248d945609793a4c9663665bbb

SHA256
3a658d57d8723a5ab7a29ae212d3cee0c090c04d5a02579fa4cc1b658929c0b7

SHA512
08493b22ee4e082bd6ea0935965bd54dcbdc0992793b0fb7caf9801351f815a81dd143a87b6ae2d0ed45f20fe7f33680ae7dede3e915ada8ebe9b7522eb507f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NESGU.tmp\NordVPNSetup.tmp
Filesize
3.1MB

MD5
6693ddaca0479cdeea33386155e9cacf

SHA1
0b426408257359afbcee9de1332804541aab1e89

SHA256
384dab757af95f6d6d4a80351507f6f455c0fce58f2aa32ff1c1e8ceeb3ade82

SHA512
8afc8322631da373c9ea09bc81df6c071ea760d9ac3535235c4f59768a1a8ffc654741205baddb4fed843eb20622e534432171e8f436a05e88fd320232df9678

Download Submit
memory/1224-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1224-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1224-26-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1408-14-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1408-23-0x0000000073EE0000-0x0000000073EF0000-memory.dmp

Filesize
64KB

Download
memory/1408-24-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1408-22-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/1408-25-0x00000000061E0000-0x000000000670C000-memory.dmp

Filesize
5.2MB

Download
memory/1408-27-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download