9dc90f1f05edddba503a8df4c41f5b3c664d840d3b9097c4393f3bb939ea65bf

Analysis

max time kernel
16s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PicoPDFEditingSoftware.exe
Size

1.5MB
MD5

f6b95936cb7486dd5ca43c63c8ad36c6
SHA1

a488faf5fa1c773b58988276ee61b0e9aa6dab24
SHA256

9dc90f1f05edddba503a8df4c41f5b3c664d840d3b9097c4393f3bb939ea65bf
SHA512

ceaf3738892d4e552fef0833c212c9e500ac026a15834a32ba741e4978158476c70f8e60a796075447b2da99509066fb283b68d27847aa533b2803254d63e85b
SSDEEP

49152:5YyCar5yHxc9AXOgoLCrkMszdwMOL0fOt79drZ01:qLaERc7ghpsBzOLL79Y

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\PicoPDFInstall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PicoPDFEditingSoftware.exe"	nchsetup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	PicoPDFEditingSoftware.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NCH Software\PicoPDF\picopdf.exe	nchsetup.exe
File opened for modification	C:\Program Files (x86)\NCH Software\PicoPDF\picopdf.exe	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\PicoPDF\shellmenu.dll	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\PicoPDF\shellmenua.msix	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\PicoPDF\shellmenub.msix	nchsetup.exe
File created	C:\Program Files (x86)\NCH Software\PicoPDF\picopdfsetup_v6.19.exe	nchsetup.exe

Executes dropped EXE 3 IoCs

pid	Process
3308	nchsetup.exe
2148	picopdf.exe
1544	picopdf.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{448a73a3-22df-4b22-b0a5-31d449bc39dd}\LocalServer32	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{448a73a3-22df-4b22-b0a5-31d449bc39dd}\LocalServer32\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -systemnotifyevent"	nchsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wav	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.doc\Shell\NCHconvertdoc	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.7z\Shell\NCHextract\ = "Extract with Express Zip"	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.html\Shell\NCHconvertdoc\ = "Convert file type with Doxillion"	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\drpfile\shell\open	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\ds2file\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19"	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.webm\Shell\NCHconvertvideo\ = "Convert video file format with Prism"	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.pcx\Shell\NCHeditphoto\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind PhotoPad \"%L\""	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.pcx\Shell\NCHeditphoto	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NCH.PicoPDF.pdf\DefaultIcon	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ape\Shell\NCHconvertsound	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tga\Shell\NCHconvertimage\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind Pixillion \"%L\""	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.avi\Shell\NCHeditvideo	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpeg2\Shell\NCHconvertvideo\command	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\NCHconvertimage\ = "Convert image file format with Pixillion"	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.webp	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\webpfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19"	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.oga\Shell\NCHeditsound\ = "Edit sound file with WavePad"	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ogg	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aac\Shell\NCHconvertsound\ = "Convert sound file format with Switch"	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.htm\Shell\NCHconvertdoc\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind Doxillion \"%L\""	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\7-Zip\.tar	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\NCHeditphoto\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind PhotoPad \"%L\""	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.pcx\ = "pcxfile"	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.oga\Shell\NCHeditsound\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mkv\Shell\NCHconvertvideo\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\wpdfile	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mpeg2\Shell\NCHeditvideo	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\dfxfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,19"	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dv\Shell\NCHeditvideo	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mkv\Shell\NCHeditvideo\ = "Edit video file with VideoPad"	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aif\Shell\NCHeditsound\command	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\NCHconvertimage\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind Pixillion \"%L\""	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.bz2\Shell\NCHextract\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jp2\Shell\NCHconvertimage	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\NCHeditphoto\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.pgf\Shell\NCHeditphoto\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m4a\Shell\NCHconvertsound	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp4\Shell\NCHconvertvideo\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.caf\Shell\NCHeditsound\command	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\heiffile\DefaultIcon	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.rtf\Shell\NCHconvertdoc\ = "Convert file type with Doxillion"	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\dssfile\shell	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\wdpfile\shell\open\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind WavePad \"%L\""	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wma\Shell	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.divx\Shell\NCHconvertvideo\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif\Shell\NCHconvertimage\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.png\Shell\NCHslideshow\command	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mpdpfile\ = "Unhandled Extension Handler Finder"	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vox\Shell\NCHeditsound\ = "Edit sound file with WavePad"	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.aiff\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind Switch \"%L\""	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mp3\Shell\NCHconvertsound	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.mkv\Shell\NCHeditvideo\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dng	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.srf\Shell\NCHslideshow\command	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\picopdf.exe\shell\open\command	nchsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\vpjfile\shell\open\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind VideoPad \"%L\""	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.oga\Shell\NCHconvertsound\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind Switch \"%L\""	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.dng\Shell\NCHeditphoto	nchsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\mpdpfile	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.m4v\Shell\NCHeditvideo\command\ = "\"C:\\Program Files (x86)\\NCH Software\\PicoPDF\\picopdf.exe\" -extfind VideoPad \"%L\""	nchsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx\Shell\NCHconvertdoc\ = "Convert file type with Doxillion"	nchsetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.iso\Shell\NCHburn	nchsetup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3308	nchsetup.exe
3308	nchsetup.exe
3308	nchsetup.exe
3308	nchsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3308	5104	PicoPDFEditingSoftware.exe	82
PID 5104 wrote to memory of 3308	5104	PicoPDFEditingSoftware.exe	82
PID 5104 wrote to memory of 3308	5104	PicoPDFEditingSoftware.exe	82

C:\Users\Admin\AppData\Local\Temp\PicoPDFEditingSoftware.exe
"C:\Users\Admin\AppData\Local\Temp\PicoPDFEditingSoftware.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\PicoPDFEditingSoftware.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3308
- - C:\Program Files (x86)\NCH Software\PicoPDF\picopdf.exe
    "C:\Program Files (x86)\NCH Software\PicoPDF\picopdf.exe"
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Program Files (x86)\NCH Software\PicoPDF\picopdf.exe
    "C:\Program Files (x86)\NCH Software\PicoPDF\picopdf.exe" -installsched
    3⤵
    - Executes dropped EXE
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat

Filesize
159KB

MD5
aa3440ea0ac1b25846731287f849fb62

SHA1
484bf8fca647a5f9dcd4363ab9d47babf1c1e43b

SHA256
64698d1ee067c8b398f07100b693886b5d113473a339dfaf7d43bc2898ae3810

SHA512
cdc8acfc72c2d7586977f7b5c6156b77768835629de8e4b798ed8695ad152364af67f13e4bb475360b8609ded41bbb63cbfcf993222bb97afac650010df46f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
3.4MB

MD5
4e1f5f4bcd2ff3fbcc266ad026fbbbd2

SHA1
c2cc06979b8920511d78d15e0900e1f04f671d1c

SHA256
cba2ab55a7afd7ae700f3999c5b74edd3c6cb76eee8fb25f6867e82651235550

SHA512
4a82150f4d7446db5126095229b7f1534291a488fb5448e60d442ef3b1feb02d3004ecc42477d947f4adc86416ccc96713b40c50c3fdae8b75005bce958ab6e7

Download Submit