| File name: | vpsetup.exe |
| Full analysis: | https://app.any.run/tasks/355cdb6c-5831-4443-8ed4-64e97e8383a1 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 25, 2024, 08:47:06 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 668AECE25C236DAE50D2196E41AC8C0C |
| SHA1: | 97480152AE6D355CCA7845A8CA8BB2FD89BCDF20 |
| SHA256: | E9ABDA83472C89B778D7FBB5FC468F16B38F890D1E38698750D12E4495727EA1 |
| SSDEEP: | 98304:w9bjyPMYqMM03VA1deU7Qf2UhJak49Z4SV48s1JzlAFvZUiZGkdcbhdKeie26mU9:5PZmV1giAtYiS2Sz8 |
MALICIOUS
Drops the executable file immediately after the start
- vpsetup.exe (PID: 3848)
- nchsetup.exe (PID: 3932)
- ffmpeg23.exe (PID: 3960)
- mp3el2.exe (PID: 3212)
Changes the autorun value in the registry
- nchsetup.exe (PID: 3932)
SUSPICIOUS
Executable content was dropped or overwritten
- vpsetup.exe (PID: 3848)
- nchsetup.exe (PID: 3932)
- ffmpeg23.exe (PID: 3960)
- mp3el2.exe (PID: 3212)
Reads security settings of Internet Explorer
- vpsetup.exe (PID: 3848)
- nchsetup.exe (PID: 3932)
- videopad.exe (PID: 2892)
Reads the Internet Settings
- vpsetup.exe (PID: 3848)
- nchsetup.exe (PID: 3932)
- videopad.exe (PID: 2892)
Starts itself from another location
- nchsetup.exe (PID: 3932)
Creates a software uninstall entry
- nchsetup.exe (PID: 3932)
Searches for installed software
- nchsetup.exe (PID: 3932)
Process requests binary or script from the Internet
- nchsetup.exe (PID: 3932)
INFO
Checks supported languages
- vpsetup.exe (PID: 3848)
- nchsetup.exe (PID: 3932)
- mp3el2.exe (PID: 3212)
- ffmpeg23.exe (PID: 3960)
- videopad.exe (PID: 2892)
- videopad.exe (PID: 2420)
Reads the computer name
- vpsetup.exe (PID: 3848)
- nchsetup.exe (PID: 3932)
- videopad.exe (PID: 2420)
- videopad.exe (PID: 2892)
Create files in a temporary directory
- vpsetup.exe (PID: 3848)
- mp3el2.exe (PID: 3212)
- ffmpeg23.exe (PID: 3960)
- nchsetup.exe (PID: 3932)
- videopad.exe (PID: 2892)
Creates files in the program directory
- nchsetup.exe (PID: 3932)
- ffmpeg23.exe (PID: 3960)
- mp3el2.exe (PID: 3212)
Creates files or folders in the user directory
- nchsetup.exe (PID: 3932)
- videopad.exe (PID: 2892)
Reads the machine GUID from the registry
- nchsetup.exe (PID: 3932)
- videopad.exe (PID: 2892)
Reads CPU info
- videopad.exe (PID: 2892)
Process checks computer location settings
- videopad.exe (PID: 2892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:09:21 05:45:58+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 12 |
| CodeSize: | 2560 |
| InitializedDataSize: | 6136320 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1286 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (Australian) |
| CharacterSet: | Unicode |
| CompanyName: | NCH Software |
| FileDescription: | VideoPad Video Editor |
| FileVersion: | 16.08 |
| ProductVersion: | 16.08 |
| ProductName: | VideoPad |
| LegalCopyright: | NCH Software |
| InternalName: | VideoPad |
| OriginalFileName: | VideoPad.exe |
Total processes
46
Monitored processes
7
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2420 | "C:\Program Files\NCH Software\VideoPad\videopad.exe" -installsched | C:\Program Files\NCH Software\VideoPad\videopad.exe | — | nchsetup.exe | |||||||||||
User: admin Company: NCH Software Integrity Level: MEDIUM Description: VideoPad Video Editor Exit code: 0 Version: 16.08 Modules
| |||||||||||||||
| 2892 | "C:\Program Files\NCH Software\VideoPad\videopad.exe" | C:\Program Files\NCH Software\VideoPad\videopad.exe | nchsetup.exe | ||||||||||||
User: admin Company: NCH Software Integrity Level: MEDIUM Description: VideoPad Video Editor Exit code: 0 Version: 16.08 Modules
| |||||||||||||||
| 3212 | "C:\Program Files\NCH Software\VideoPad\mp3el2.exe" -LQUIET -instby fiVideoPad -instsvar VIDEOPADRelatedprogramsfreeon | C:\Program Files\NCH Software\VideoPad\mp3el2.exe | nchsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3652 | "C:\Users\admin\AppData\Local\Temp\vpsetup.exe" | C:\Users\admin\AppData\Local\Temp\vpsetup.exe | — | explorer.exe | |||||||||||
User: admin Company: NCH Software Integrity Level: MEDIUM Description: VideoPad Video Editor Exit code: 3221226540 Version: 16.08 Modules
| |||||||||||||||
| 3848 | "C:\Users\admin\AppData\Local\Temp\vpsetup.exe" | C:\Users\admin\AppData\Local\Temp\vpsetup.exe | explorer.exe | ||||||||||||
User: admin Company: NCH Software Integrity Level: HIGH Description: VideoPad Video Editor Exit code: 0 Version: 16.08 Modules
| |||||||||||||||
| 3932 | "C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\vpsetup.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat" | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe | vpsetup.exe | ||||||||||||
User: admin Company: NCH Software Integrity Level: HIGH Description: VideoPad Video Editor Exit code: 0 Version: 16.08 Modules
| |||||||||||||||
| 3960 | "C:\Users\admin\AppData\Local\Temp\VideoPad-864-1\ffmpeg23.exe" -LQUIET -instby coVideoPad -instsvar VIDEOPADRelatedprogramsfreeonLLIBInstquickoff | C:\Users\admin\AppData\Local\Temp\VideoPad-864-1\ffmpeg23.exe | nchsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
8 896
Read events
7 311
Write events
1 569
Delete events
16
Modification events
| (PID) Process: | (3848) vpsetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3848) vpsetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3848) vpsetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3848) vpsetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3932) nchsetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | VideoPadInstall |
Value: C:\Users\admin\AppData\Local\Temp\vpsetup.exe | |||
| (PID) Process: | (3932) nchsetup.exe | Key: | HKEY_CURRENT_USER\Software\NCH Software\VideoPad\Software |
| Operation: | write | Name: | SVar |
Value: VIDEOPADRelatedprogramsfreeon | |||
| (PID) Process: | (3932) nchsetup.exe | Key: | HKEY_CURRENT_USER\Software\NCH Software\VideoPad\Settings |
| Operation: | write | Name: | InstalledByAdmin |
Value: 1 | |||
| (PID) Process: | (3932) nchsetup.exe | Key: | HKEY_CURRENT_USER\Software\NCH Software\VideoPad\UsageStatsChoice |
| Operation: | write | Name: | llinad |
Value: 1 | |||
| (PID) Process: | (3932) nchsetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3932) nchsetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
15
Suspicious files
38
Text files
634
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3848 | vpsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | — | |
MD5:— | SHA256:— | |||
| 3932 | nchsetup.exe | C:\Program Files\NCH Software\VideoPad\videopad.exe | executable | |
MD5:51A6B131BD3AB1C22F55260C60FE7FC1 | SHA256:ECDBFB870867E922F648819DF74D57B6098C0713337E1B780B7CF6CA7D33BD7C | |||
| 3932 | nchsetup.exe | C:\ProgramData\NCH Software\VideoPad\bdmv\index.bdmv | binary | |
MD5:166EEDECAE3C417CEAC1C3D6745CEF3E | SHA256:BAD301EEDFF7B31EA2A9C59B14C313DC09642932D4C69B81E65B2BFF9E6BF160 | |||
| 3848 | vpsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe | executable | |
MD5:51A6B131BD3AB1C22F55260C60FE7FC1 | SHA256:ECDBFB870867E922F648819DF74D57B6098C0713337E1B780B7CF6CA7D33BD7C | |||
| 3848 | vpsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab | compressed | |
MD5:F8EABC6383EDE351938ACEED88D2C1BE | SHA256:2CA8F1943CF9DE6AAF9B6054EEC325521F1CD6BBDDF09471B0238EC392A1FAA6 | |||
| 3932 | nchsetup.exe | C:\Program Files\NCH Software\VideoPad\shellmenu.dll | executable | |
MD5:55D4973F968D671383A5CCE9564DC09E | SHA256:5345EBFEA9A98A23F5D2E6F14E0E229310CBEC5C7A569A31578061BD949B66FE | |||
| 3932 | nchsetup.exe | C:\ProgramData\NCH Software\VideoPad\bdmv\MovieObject.bdmv | binary | |
MD5:D09C378F8BF32DFA8980804907476390 | SHA256:786153F704EC247566EF93F4C42C8D06BA8CA5D94DBF83913B909A9C7B821FB7 | |||
| 3932 | nchsetup.exe | C:\Program Files\NCH Software\VideoPad\shellmenub.msix | compressed | |
MD5:FC78D31F3ED680BD577879521D749AB7 | SHA256:6CBAD1180DAB86EEF82B0FF1CFE27F7E08E2083465008D280CEE85A7080ED07C | |||
| 3932 | nchsetup.exe | C:\ProgramData\NCH Software\VideoPad\bdmv\multititle\00000.bdjo | binary | |
MD5:ED39D1BD3A114FF6E2A5F2320FD8BB70 | SHA256:5D2534909459AC8BA09872AAE3126823758125AA2E0E09D59EDC21979A1804D0 | |||
| 3848 | vpsetup.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat | executable | |
MD5:F2011A2248873C4DB8A0F7AD3AD7E184 | SHA256:78253FA531AC1799DA288CD76373F599054AC63C7112655E34E4948E857CB6D2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
2
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3932 | nchsetup.exe | GET | 200 | 66.39.83.117:80 | http://audiochannel.net/components/ffmpeg23.exe | unknown | executable | 3.16 Mb | unknown |
2892 | videopad.exe | GET | 200 | 66.39.83.117:80 | http://audiochannel.net/components/shared/dustscratch_textures.zip | unknown | compressed | 1.33 Mb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3932 | nchsetup.exe | 66.39.83.117:80 | audiochannel.net | PAIR-NETWORKS | US | unknown |
3932 | nchsetup.exe | 173.247.253.164:443 | secure.nch.com.au | INMOTION | US | unknown |
2892 | videopad.exe | 66.39.83.117:80 | audiochannel.net | PAIR-NETWORKS | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
audiochannel.net |
| whitelisted |
secure.nch.com.au |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3932 | nchsetup.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
3932 | nchsetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3932 | nchsetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |