128a621cee920bb777cebfc5e3e781248b5c23a0bd76405a1e04a911e66038a7

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2023, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VideoPadVideoEditor.exe
Size

5.8MB
MD5

a9d1fdf7316e5d762fe9b20842367d99
SHA1

5636f5de3e1b6cb14437e7b2e7b45eafc83e1ead
SHA256

128a621cee920bb777cebfc5e3e781248b5c23a0bd76405a1e04a911e66038a7
SHA512

1acb2787233d200e8c4f8a4c95c1092a7898a9899702c86c28171fd2466d281b8758a7b84b7556ebee42c0a5d39e379797594892ae5602b003e5d7db85c033cd
SSDEEP

98304:ay05jlcx0QMWgzWQ7mN+cOGHzFfDEe+8SnLHTKAmWu4JWY9UQvcPBt3bNAv:aE107mNCoSe+jlY4hOUcPBtg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VideoPadInstall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VideoPadVideoEditor.exe"	nchsetup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	VideoPadVideoEditor.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	nchsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4872	2420	VideoPadVideoEditor.exe	88
PID 2420 wrote to memory of 4872	2420	VideoPadVideoEditor.exe	88
PID 2420 wrote to memory of 4872	2420	VideoPadVideoEditor.exe	88

C:\Users\Admin\AppData\Local\Temp\VideoPadVideoEditor.exe
"C:\Users\Admin\AppData\Local\Temp\VideoPadVideoEditor.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\VideoPadVideoEditor.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
11.7MB

MD5
969684068c64860b9e2d7415da6f7ec2

SHA1
0c12c3320a8721a1af276a608cdf49976da6cbb0

SHA256
ab85c75fd1e7856c9ccab5d58e7c80809c29e73ec064a90fc297bbfc7c051a7a

SHA512
389134e95e4c1673e268333932ff66e889c4b1929c4cb34113139fa185e351b05915dfe584fda3ac1ae8606cf1318ef034f8a574af03ad271453a7d7b3fb8560

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
11.7MB

MD5
969684068c64860b9e2d7415da6f7ec2

SHA1
0c12c3320a8721a1af276a608cdf49976da6cbb0

SHA256
ab85c75fd1e7856c9ccab5d58e7c80809c29e73ec064a90fc297bbfc7c051a7a

SHA512
389134e95e4c1673e268333932ff66e889c4b1929c4cb34113139fa185e351b05915dfe584fda3ac1ae8606cf1318ef034f8a574af03ad271453a7d7b3fb8560

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
11.7MB

MD5
969684068c64860b9e2d7415da6f7ec2

SHA1
0c12c3320a8721a1af276a608cdf49976da6cbb0

SHA256
ab85c75fd1e7856c9ccab5d58e7c80809c29e73ec064a90fc297bbfc7c051a7a

SHA512
389134e95e4c1673e268333932ff66e889c4b1929c4cb34113139fa185e351b05915dfe584fda3ac1ae8606cf1318ef034f8a574af03ad271453a7d7b3fb8560

Download Submit