f80829d30029ba255675929587f2b6665de2790e52b24845b92d1427c8893264

Analysis

max time kernel
103s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HandBrake-1.7.3-x86_64-Win_GUI.exe
Size

22.6MB
MD5

1a1598a4f8a2d8d6b1925cb22a74d5aa
SHA1

ce693673a6f207be639fc07d21f90833dc386072
SHA256

f80829d30029ba255675929587f2b6665de2790e52b24845b92d1427c8893264
SHA512

63706b168aa11c6370a36fce9d73b585486f2a9e396c183eb725430f70a67d5c301701823b1e566b70a601443b748ad428de2c91e507b4a8f8d14e344571a18f
SSDEEP

393216:Xx4SBEeiv1+mx9BQNCX3fjSfy05s+EwWAa4ND046BsZdCu17QCnqXd:X3BE9l1XLSf9ZE5iD04RZD2d

Score

5^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	HandBrake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	HandBrake.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\HandBrake\HandBrake.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\hb.dll	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\portable.ini.template	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\doc\COPYING	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\uninst.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\HandBrake.Worker.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe

Executes dropped EXE 2 IoCs

pid	Process
4196	HandBrake.exe
3628	HandBrake.exe

Loads dropped DLL 5 IoCs

pid	Process
3344	HandBrake-1.7.3-x86_64-Win_GUI.exe
3344	HandBrake-1.7.3-x86_64-Win_GUI.exe
3344	HandBrake-1.7.3-x86_64-Win_GUI.exe
4196	HandBrake.exe
3628	HandBrake.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\AppId = "{1a46400f-4c81-802a-c2c1-1e9a687a9340}"	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\RunAs = "Interactive User"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\DisplayName = "HandBrake"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\CLSID	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\CustomActivator = "{1a46400f-4c81-802a-c2c1-1e9a687a9340}"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\AppUserModelId	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\1A46400F-4C81-802A-C2C1-1E9A687A9340\\Icon.png"	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\IconBackgroundColor = "FFDDDDDD"	HandBrake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\Has7.0.1Fix = "1"	HandBrake.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	HandBrake.exe
Token: SeDebugPrivilege	3628	HandBrake.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4196	HandBrake.exe
3628	HandBrake.exe

C:\Users\Admin\AppData\Local\Temp\HandBrake-1.7.3-x86_64-Win_GUI.exe
"C:\Users\Admin\AppData\Local\Temp\HandBrake-1.7.3-x86_64-Win_GUI.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
PID:3344

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4196

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HandBrake\HandBrake.exe

Filesize
7.2MB

MD5
8b141a97d90cc5b30085302ae7fc6bfd

SHA1
fafcca7c9b84f2d6e25d4469732085fc4fc56d54

SHA256
4f609dfcadaaa93baa3a56279535662bea5e8ca8f7a0d95c898b86218351f967

SHA512
af98d3fb316ba379cc4b461c154a481370a374b03408fb66ee930f3c4b62a1b4c76292a92560f6d26d615ae77738085de06601cc9406cb11701af09f8bdb6aa8

Download Submit
C:\Program Files\HandBrake\HandBrake.exe

Filesize
1024KB

MD5
99e5f923e1ebe2a8f0cdb69337135306

SHA1
052a6abcfa81f92dc6712a9af1f2558fade92898

SHA256
55f3b305e836fce79fadb99afb023995cf5444f63cb699b139dab7bfec3058bc

SHA512
c71285f22af97f0e5a90c69b9412c7df0f219d9f289b0a506d2df0a37e5bc4c2e3934169a3403c9cebbefc8c365de4f6fa4f3508bdfbbde8878e5a91dda39bf7

Download Submit
C:\Program Files\HandBrake\HandBrake.exe

Filesize
5.2MB

MD5
cf0c191fe9dff3be696e4e00fa51784f

SHA1
bc1aa8d9c438032fab0563f4f71951c16c1ff588

SHA256
7ab233601f8b707daec0e60ad8dfa769c8b512b6d6bcfc035ded770e354c1938

SHA512
3dfeddafca4ff011d195b16535e459b0f6cb192bb4846bd030cfd453f3dfb515ddd0c393dc742503d19dc6d33470eeadf9fa15a7512231d04fd560a8dc3a2dc5

Download Submit
C:\Program Files\HandBrake\hb.DLL

Filesize
13.0MB

MD5
7fdc5a733f3e10ed3dedffdf0e2282b6

SHA1
bfd978e0bb80bd5ee90639a8e4f949773e5babf1

SHA256
2be97624ef07cf1f12cf914a8c8d9c64b98a237e3bbbe55a76595edfefeac4b1

SHA512
4e78428d46caaa791d0334e3b6bff8e3991911d4a83c016699f652facbff5b4893f0e28cf2803d4a43801f15c870f2c3d83c0d6ad36af377c80ac0e44fd7470f

Download Submit
C:\Program Files\HandBrake\hb.dll

Filesize
11.8MB

MD5
a49b478ecb92f3807e9af9f63f12a365

SHA1
760bf1d29e8e83c34dc6338222e81d04408fe76e

SHA256
6997b5fd4b16159c1a0272f7fd0f4c40c2bde05c6f4010ed3320e3561fe77895

SHA512
c79dcdc6736999e3edc9396db093af68dddd3e3cc5f13cc6edda93640d9c94f38cf1b621a16b8cdd0f40fb05d87900190cfac899c2cd86b1a97aa576d50dd4f0

Download Submit
C:\Program Files\HandBrake\hb.dll

Filesize
704KB

MD5
1e689a738e9fba86d69584ecab4a76dc

SHA1
5aa00d606a40a669101faa55a4de298f351cf1a7

SHA256
0e728b89064b860e12d10417cfe0afb4c5ce5c5134850a6120bfcbb137172cd2

SHA512
8f371a11c0e00829a03a737493e22a4d2d0a2a3a8dc85382013440a07bbdbbf87a1aa4bad8b52cb3d0c4efc7c3eb82e4822ea79d5c9760a69b3852be8fbf49a2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\HandBrake.lnk

Filesize
898B

MD5
a655f45cc5afda069c653f0687d582f9

SHA1
e9c2bc489e4be431e7c48fb6215525dbd70d7e59

SHA256
999340bda6f0295f33a113ef1b3186e4611588aed37cef2a2718dfe4c4b22a5a

SHA512
658e3e9da7dc213293c65bbc23e1753d6e32809746eeaf1d2097182e1b33fc261324e36f5f19f9a560eff0a3ae01544032be75101239b8f8fbbc5fab6aa330d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDD22.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDD22.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDD22.tmp\ioSpecial.ini

Filesize
1KB

MD5
0f2017d3fd7dbd903ab6dfa93a21a54f

SHA1
b4a709a84f0a1967fe9636a7eeff1f72410f61de

SHA256
4d9ea566f4d6b539a25088883acfd3e3a66fc65e2d666997a41f62ae803346ad

SHA512
af47c3287a1aa7aa7af5315b67f1158af50df28a4967c258feba06a7b3b923aeec8a452b4b0ef136837bccc81fd979bccdcb155efc402f6924d78e4f72fa77b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDD22.tmp\ioSpecial.ini

Filesize
1KB

MD5
e9056c0623111c79c92e20b42c59efe7

SHA1
a42e7709de24af1352dd4c2360313dd1b6b080fc

SHA256
b4fd34d82e304a920d82079d4fe82fbb8a926be4f4d010e3bf9b149b030299c2

SHA512
2648369aed6baa355cc64bfbe0dfc5058e4a70d82d5da1660390ca261bac1c4728123f5490e3e1e262e20fffb797db7f1d1f5a38f5cb4bc2daf0ae31587aca13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDD22.tmp\ioSpecial.ini

Filesize
1KB

MD5
3dd28a92d829b309458e2c6bc6ba2997

SHA1
c8bca9a7984ca16b1549c5f4c18f562ef7db647a

SHA256
9b93820700aea59b6ed68b2d8db37d94e4fe8b7654452b67d6af515f0f05d7bc

SHA512
eff6d8453f2e8afdda4a64cab61c80a5f046a7f00f0ebaa1bc5f844e74b61e6ca2e04b42d7726fa7715a21e592d3e3cbea0d7538ded2996104424d33c8ecd56a

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\presets.json

Filesize
362KB

MD5
896744217ce8c5eba843c34cd7275c2c

SHA1
693ebcdef3137f4b54ccb81412afe396822768a7

SHA256
eee6fe1ebc50c8d5550413005a23f126abab52ceb04b63291b92a44160eebc12

SHA512
50d380362e40ca494202852d492ae53d4671bd4d92325783b2334617b48c233efbf5fe958aad4c1f495bb5ca0c62a67e9ead07ccbe9d807a42e80fb49ffb12dc

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
1KB

MD5
3971ed05777ff97980ddf3cebb5e6b50

SHA1
f960197c28192718416655efde4ee53e19241d80

SHA256
3937126b4a054412a35f7f03872fe53930b46c583e9f5075672734e3356875a4

SHA512
8d18e0f5b42e9d7fb51ae1928bc39c05e94b3b800313bacbff76641b36ed4468ed43986167aa8d0a4c2fbf3ac1e31a78dd90d2c7fd2420322022cd77aede75f7

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
2KB

MD5
91a8b7d47427f05df7b41fb9e98ae18f

SHA1
c21f6e1acd977a05e231eaa79374f6f768066f7e

SHA256
15aeac4c77b8a6f3eb1dd6416f16fdd39cb22bd3f8468f693bd4ebddc8c2ff20

SHA512
dde293e4bef61eb30e85e325f84adcc5f0575b239765acabd6d7cca3dab0378c185021f4eb09ef585ffcdd920f07b86627144754e991e9c94882528fba6857e5

Download Submit
C:\Users\Public\Desktop\HandBrake.lnk

Filesize
880B

MD5
ca056b64494327d24dfdb596509e38e8

SHA1
a49af039c7bf259584540c45bcbec4895f5eefe1

SHA256
300b5edcecde4176b8d68f203a6adc6369891da6ee3ad5b2f9c3818130694508

SHA512
19c6b9a1fe7d0a6fe7339cbce0f7ffde85a113f90d96281348ea8b0536c4bf564ed8196279e25767d7006d5b5cedb66ddf32d058a170fafa3d72541010374076

Download Submit
memory/3628-348-0x00007FFD34E20000-0x00007FFD3A7E9000-memory.dmp

Filesize
89.8MB

Download
memory/3628-313-0x00007FFD4AF90000-0x00007FFD4B48E000-memory.dmp

Filesize
5.0MB

Download
memory/3628-434-0x00007FFD4AF90000-0x00007FFD4B48E000-memory.dmp

Filesize
5.0MB

Download
memory/4196-203-0x0000000180000000-0x00000001802B4000-memory.dmp

Filesize
2.7MB

Download
memory/4196-298-0x00007FFD34E20000-0x00007FFD3A7E9000-memory.dmp

Filesize
89.8MB

Download
memory/4196-304-0x00000156F1450000-0x00000156F14A3000-memory.dmp

Filesize
332KB

Download
memory/4196-293-0x00000156F14D0000-0x00000156F159E000-memory.dmp

Filesize
824KB

Download
memory/4196-328-0x00000156EE660000-0x00000156EE6B3000-memory.dmp

Filesize
332KB

Download
memory/4196-333-0x00000156F2600000-0x00000156F2688000-memory.dmp

Filesize
544KB

Download
memory/4196-218-0x00000156F0400000-0x00000156F040D000-memory.dmp

Filesize
52KB

Download
memory/4196-346-0x00007FFD34E20000-0x00007FFD3A7E9000-memory.dmp

Filesize
89.8MB

Download
memory/4196-347-0x00000156F1BA0000-0x00000156F1D6E000-memory.dmp

Filesize
1.8MB

Download
memory/4196-215-0x00000156F0560000-0x00000156F05BA000-memory.dmp

Filesize
360KB

Download
memory/4196-212-0x00000156F0380000-0x00000156F03C3000-memory.dmp

Filesize
268KB

Download
memory/4196-209-0x00000156F0410000-0x00000156F04E2000-memory.dmp

Filesize
840KB

Download
memory/4196-206-0x00000156F0770000-0x00000156F0BB0000-memory.dmp

Filesize
4.2MB

Download
memory/4196-202-0x00007FFD4AF90000-0x00007FFD4B48E000-memory.dmp

Filesize
5.0MB

Download
memory/4196-437-0x00007FFD4AF90000-0x00007FFD4B48E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads