f80829d30029ba255675929587f2b6665de2790e52b24845b92d1427c8893264

Analysis

max time kernel
29s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07-03-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HandBrake-1.7.3-x86_64-Win_GUI.exe
Size

22.6MB
MD5

1a1598a4f8a2d8d6b1925cb22a74d5aa
SHA1

ce693673a6f207be639fc07d21f90833dc386072
SHA256

f80829d30029ba255675929587f2b6665de2790e52b24845b92d1427c8893264
SHA512

63706b168aa11c6370a36fce9d73b585486f2a9e396c183eb725430f70a67d5c301701823b1e566b70a601443b748ad428de2c91e507b4a8f8d14e344571a18f
SSDEEP

393216:Xx4SBEeiv1+mx9BQNCX3fjSfy05s+EwWAa4ND046BsZdCu17QCnqXd:X3BE9l1XLSf9ZE5iD04RZD2d

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\HandBrake\HandBrake.Worker.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\HandBrake.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\hb.dll	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\portable.ini.template	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\doc\COPYING	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\uninst.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	HandBrake.exe

Loads dropped DLL 4 IoCs

pid	Process
3924	HandBrake-1.7.3-x86_64-Win_GUI.exe
3924	HandBrake-1.7.3-x86_64-Win_GUI.exe
3924	HandBrake-1.7.3-x86_64-Win_GUI.exe
3588	HandBrake.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	HandBrake.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3588	HandBrake.exe

C:\Users\Admin\AppData\Local\Temp\HandBrake-1.7.3-x86_64-Win_GUI.exe
"C:\Users\Admin\AppData\Local\Temp\HandBrake-1.7.3-x86_64-Win_GUI.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
PID:3924

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HandBrake\HandBrake.exe

Filesize
32.1MB

MD5
a8d047afa3a933b11859dd32121cb4de

SHA1
00fa5e86ebadba61dd54914c22527744a91611b5

SHA256
e17d8e7ea16a318456edfdccfe4bbddacaa610f4ab5d2cc1d3e22b3846752c2c

SHA512
aa7cd7c7b99ed2c3933042669a861cd24e04d0a91cfdb5bd67286caa62d8b001d624d5ab927ceca05c77975dd754d9e329b13910fe0bb7e116a63952dd45fc00

Download Submit
C:\Program Files\HandBrake\HandBrake.exe

Filesize
10.4MB

MD5
2959bf33af894437ea760372cc4c18d1

SHA1
ca838e8804226d72362bf6673835951affc1c093

SHA256
811af6da4498faccb11112bc1c6eaa31ec48dc6c59a0d9f5d9b11d263f6575a8

SHA512
473eb4855e1513b2319e7abc7aa82df0fc640dd97f680ece5e6b242012e26c04f5fdc25f782883e6b89b2ec7e9aa26e1010c0a01da0c9c1a956c384f848c70db

Download Submit
C:\Program Files\HandBrake\HandBrake.exe

Filesize
11.5MB

MD5
479db9cb9004206a9f341a8b106fb857

SHA1
2ba6b4adf3fd0b92166fa93fcf72e47360ce7c23

SHA256
ddcf44c8f3c0af0a476130bdf10d714159ff69b3577634cf854d000a287aaae6

SHA512
d20af495ecd9a2b3f4d8601cbec61d23fc18793cd915e6cb6ae4517d072a14c610399db3a8d9ea65fc1e8a2897bc3e1b69da91334824ec1eae763cefbd2a2ac2

Download Submit
C:\Program Files\HandBrake\hb.DLL

Filesize
2.7MB

MD5
e919d44814b24f07e646fcfd647ee23e

SHA1
9aebba25d1b51e181ac1453de0e618fe66baaec1

SHA256
59818e3742dc00d9aac2c555b92f41fc3390d2095f1464189f458dfb22007877

SHA512
84db4e095cff044c107ea3216044441ae9ac0fdd73888aca30dc13f2ea14331120eb7ded431f25fd5ae454e79041a51860557cdb7dbc2a724845ace52f793eff

Download Submit
C:\Program Files\HandBrake\hb.dll

Filesize
2.2MB

MD5
01a6faf4b5147033c045a4b94eb0c96c

SHA1
9b31fb043e426aa74770c5cc2b505761dce2c02a

SHA256
c7f4f1dec9ebd1d845ed222b5ff6a04b2536e36ab881808cdda9911c5a7826a1

SHA512
cabc024a43fac94a7a42722da300c4d91d81f74b7a126b81c3d30535aaca9162e4de8f1dd96c4e7110e2bf26144abb2139e331caf2ca480fd976215513259c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6310.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6310.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6310.tmp\ioSpecial.ini

Filesize
1KB

MD5
bdb8b331a95e700087b6cdac951a0725

SHA1
329b6172121a6348696fb81287c3cc9bc517af3b

SHA256
ffb74133cb6bc0bf91d61e0ee13c5dc6749aff0baa858f9b76839d55d7a38147

SHA512
8d825ea419fdde7f758a61b7753709ed016292bb4bfc604531f3bec6f3ec32d88e81c345e5d7d5776c4f005b440a95b74e95508aa6eea2f918bc262dc31e2293

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6310.tmp\ioSpecial.ini

Filesize
1KB

MD5
dd6b981307ca1ee96d49477ce18c81ca

SHA1
65de47ebbacfdbc76afc155784ddb3e7dda8f1fc

SHA256
b8d15ac26a6ce0c5e1665017a8085bcadaa1b7ddae09a6e4a48ae6135d807241

SHA512
a52695123f0d98ffa2398f767b174b7abe601821d063266f57ae04c7a96e053f71381587189f3ed6cdf0e1a9d3bb4cd27deae860f40443c11ba40da26824a39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6310.tmp\ioSpecial.ini

Filesize
1KB

MD5
9f5ff171c12ff1e6e2a5885341a21b72

SHA1
3116438f61c97e179cbf4d63e0c7ca82253c124d

SHA256
82182c64a00dbc518ba96e184c4a5e01dd42d2281c89230bf78858c3aecfda85

SHA512
ffb7b89c787b2ae3cc24f00a1488bbec78732d15a6044c52c19f6b9c0563412fffa56c8da8650fe52e547c731c173e80e3381fd308cec8c87948efd15bfd1642

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6310.tmp\ioSpecial.ini

Filesize
1KB

MD5
92e7d50235610f0a3a57bfcd1262dc32

SHA1
3e5ad3e3fbd168692ae3f6f4292f2c41d2ce8c70

SHA256
2cefe4ff196d710bf65be868ff5d6acccaf10fb6d97f5232dc64564826190990

SHA512
5fcf45dcfbde5bfb139b818fb273be29dc00907e4a1cd128f172561b6df4bf413e72ea5a7f81c899516cce6504ff5ec76868cab4062af739fd7eecd624457c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6310.tmp\ioSpecial.ini

Filesize
1KB

MD5
96d67c4df3d7eacffb4bf5708a305ae6

SHA1
8448c769b3a6fd98047c5105fbedbddc512c2657

SHA256
91b3de070d01531b7e8f24a85a2f424fa3cdbf410edec0b9c30ed22eb66f303f

SHA512
d72ce62798a16cf66a54eec2f4fb914188a3aa9d59b2f72aa1a287255e92c3e8582729f086cae08dd92f60fc8123439ecda1c4bd1e73653015cb3447d1c4fc84

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
2KB

MD5
4cddcf2f4d4555aa00915e49a0c3e652

SHA1
9a064e41d6afecd15a6fdcea393a3c0554cfc40d

SHA256
b9cc6c310b02266d4ccef2c8f13c4f2dc6b0adbee67b40be1d8368ef77a958a1

SHA512
4cf9e2654923f021a9cfed2ec99190d7e28e8fb89d764159160615c6f956e39b3dbc6f9aef65855f500fdaf22074853ab1d4d797a8639e63ff64f793276a187d

Download Submit
memory/3588-218-0x000001CE2EB00000-0x000001CE2EB0D000-memory.dmp

Filesize
52KB

Download
memory/3588-212-0x000001CE2EAB0000-0x000001CE2EAF3000-memory.dmp

Filesize
268KB

Download
memory/3588-215-0x000001CE4F150000-0x000001CE4F1AA000-memory.dmp

Filesize
360KB

Download
memory/3588-209-0x000001CE50F10000-0x000001CE50FE2000-memory.dmp

Filesize
840KB

Download
memory/3588-206-0x000001CE51360000-0x000001CE517A0000-memory.dmp

Filesize
4.2MB

Download
memory/3588-204-0x00007FFD4F560000-0x00007FFD4FA5E000-memory.dmp

Filesize
5.0MB

Download
memory/3588-202-0x0000000180000000-0x00000001802B4000-memory.dmp

Filesize
2.7MB

Download
memory/3588-293-0x000001CE51EE0000-0x000001CE51FAE000-memory.dmp

Filesize
824KB

Download
memory/3588-296-0x000001CE512E0000-0x000001CE51333000-memory.dmp

Filesize
332KB

Download
memory/3588-300-0x000001CE4F030000-0x000001CE4F083000-memory.dmp

Filesize
332KB

Download
memory/3588-303-0x000001CE52640000-0x000001CE526C8000-memory.dmp

Filesize
544KB

Download
memory/3588-306-0x00007FFD3ED20000-0x00007FFD446E9000-memory.dmp

Filesize
89.8MB

Download