bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetupPrograms.TheMicroTech.Net.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4620	NordVPNSetupPrograms.TheMicroTech.Net.tmp

Loads dropped DLL 3 IoCs

pid	Process
4620	NordVPNSetupPrograms.TheMicroTech.Net.tmp
4620	NordVPNSetupPrograms.TheMicroTech.Net.tmp
4620	NordVPNSetupPrograms.TheMicroTech.Net.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NordVPNSetupPrograms.TheMicroTech.Net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NordVPNSetupPrograms.TheMicroTech.Net.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	NordVPNSetupPrograms.TheMicroTech.Net.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4620	NordVPNSetupPrograms.TheMicroTech.Net.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4620	5060	NordVPNSetupPrograms.TheMicroTech.Net.exe	84
PID 5060 wrote to memory of 4620	5060	NordVPNSetupPrograms.TheMicroTech.Net.exe	84
PID 5060 wrote to memory of 4620	5060	NordVPNSetupPrograms.TheMicroTech.Net.exe	84

C:\Users\Admin\AppData\Local\Temp\NordVPNSetupPrograms.TheMicroTech.Net.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetupPrograms.TheMicroTech.Net.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\is-78CCM.tmp\NordVPNSetupPrograms.TheMicroTech.Net.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-78CCM.tmp\NordVPNSetupPrograms.TheMicroTech.Net.tmp" /SL5="$502D6,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetupPrograms.TheMicroTech.Net.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-78CCM.tmp\NordVPNSetupPrograms.TheMicroTech.Net.tmp

Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JE4DD.tmp\Nord.Setup.dll

Filesize
40KB

MD5
b18bd486c5718397bc65d77a16ce2593

SHA1
58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

SHA256
0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

SHA512
f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

Download Submit
memory/4620-24-0x0000000074240000-0x0000000074250000-memory.dmp

Filesize
64KB

Download
memory/4620-6-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4620-19-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4620-23-0x00000000042A0000-0x00000000042B0000-memory.dmp

Filesize
64KB

Download
memory/4620-25-0x0000000006920000-0x0000000006E4C000-memory.dmp

Filesize
5.2MB

Download
memory/4620-26-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4620-29-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4620-31-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5060-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5060-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/5060-27-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download