f80829d30029ba255675929587f2b6665de2790e52b24845b92d1427c8893264

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HandBrake-1.7.3-x86_64-Win_GUI.exe
Size

22.6MB
MD5

1a1598a4f8a2d8d6b1925cb22a74d5aa
SHA1

ce693673a6f207be639fc07d21f90833dc386072
SHA256

f80829d30029ba255675929587f2b6665de2790e52b24845b92d1427c8893264
SHA512

63706b168aa11c6370a36fce9d73b585486f2a9e396c183eb725430f70a67d5c301701823b1e566b70a601443b748ad428de2c91e507b4a8f8d14e344571a18f
SSDEEP

393216:Xx4SBEeiv1+mx9BQNCX3fjSfy05s+EwWAa4ND046BsZdCu17QCnqXd:X3BE9l1XLSf9ZE5iD04RZD2d

Score

5^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	HandBrake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	HandBrake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	HandBrake.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\HandBrake\hb.dll	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\portable.ini.template	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\doc\COPYING	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\uninst.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\HandBrake.Worker.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\HandBrake.exe	HandBrake-1.7.3-x86_64-Win_GUI.exe

Executes dropped EXE 3 IoCs

pid	Process
3200	HandBrake.exe
1960	HandBrake.exe
2916	HandBrake.exe

Loads dropped DLL 6 IoCs

pid	Process
4020	HandBrake-1.7.3-x86_64-Win_GUI.exe
4020	HandBrake-1.7.3-x86_64-Win_GUI.exe
4020	HandBrake-1.7.3-x86_64-Win_GUI.exe
3200	HandBrake.exe
1960	HandBrake.exe
2916	HandBrake.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\DisplayName = "HandBrake"	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\1A46400F-4C81-802A-C2C1-1E9A687A9340\\Icon.png"	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\CustomActivator = "{1a46400f-4c81-802a-c2c1-1e9a687a9340}"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\AppId = "{1a46400f-4c81-802a-c2c1-1e9a687a9340}"	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\RunAs = "Interactive User"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppUserModelId	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\IconBackgroundColor = "FFDDDDDD"	HandBrake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\Has7.0.1Fix = "1"	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	HandBrake.exe
Token: SeDebugPrivilege	1960	HandBrake.exe
Token: SeDebugPrivilege	2916	HandBrake.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3200	HandBrake.exe
1960	HandBrake.exe
1960	HandBrake.exe
3200	HandBrake.exe
2916	HandBrake.exe

C:\Users\Admin\AppData\Local\Temp\HandBrake-1.7.3-x86_64-Win_GUI.exe
"C:\Users\Admin\AppData\Local\Temp\HandBrake-1.7.3-x86_64-Win_GUI.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
PID:4020

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3200

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1960

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HandBrake\HandBrake.exe

Filesize
35.6MB

MD5
ee3cbf592c24b1bf04d906ded5c7d1a9

SHA1
1931bdd5d120635c357b3000dff08ec9110ce1e3

SHA256
ee818fe194c29f1f31d6edffeb8256405618dab251f3765bbbacfb91ea666336

SHA512
97b52abf6cab8540bb7e6467eddaf02199c34fb40eb561ee022e626f9976e9a6d5b1006d053f2f1234c4a8760d686a6dfece1c5fd25483ff2d67bae43e38d8ac

Download Submit
C:\Program Files\HandBrake\hb.DLL

Filesize
66.1MB

MD5
d3f0f312725a18d683820cd9def15860

SHA1
521a515d3683e4c37500fcd6576aa19bffa0e512

SHA256
0af40481a7c392c68069b1a8c225beb3e7062760131ae09bad467d84b09c1862

SHA512
08a346c13f9c602e8ff51c3f461dc9002dc5ac1f16e975e53f39e094d9fa7f7934e7ef63daaedf10d0524b80308dd6ee792e706b3999cafa0fd07ce4f76ce2e0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\HandBrake.lnk

Filesize
898B

MD5
a1ca1c1a129264bd2cc0d974e4319b6c

SHA1
fdf35604df78629697333b0f6daeb8a2f7e8610e

SHA256
b681bb225f3108b45f63c3278f054608d37a0444b3fb3d0137dba033b3d14440

SHA512
bf6068c50b00bdcf80c6e6dfa672b31b07bdfdc10a415934e21d60d5eca54bcd2585d32492318617e45a915fa538b3d34f5a03bd957975abd509d10f8f119124

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3569.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3569.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3569.tmp\ioSpecial.ini

Filesize
1KB

MD5
f8a77a9f80db17901b6a9510c074733e

SHA1
1ef649c9e0982441d9b2afcdbd9802ba90902d98

SHA256
1e1a5a321b539172c9ecb2484f163a67c6bcb7d60bb08cca35dd1d27256d8c41

SHA512
79eaa291588fd0e44dbd42be3b09b5a3046389a97c115bb466d36eb050537ee1542896938531d85dba776d7e26cfc3d0ee549e141f2aabd4c03966814a99f7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3569.tmp\ioSpecial.ini

Filesize
1KB

MD5
098248ad1453da60f6d1a23b480a8c31

SHA1
45a843db0229101373b3088fe64346bf5e4abc91

SHA256
b047d35ce6f0a26c47c8148f78e9b2cf7cf033637a0f30c95d0c74e2c9e13f5e

SHA512
e82506d8b5ad8a2c3b60fa66f7c8e6d0f56a9e33d6a8b440a6c74c6c247c148358a2afe1bb3de28db495387424e735b571e15e2509158c6cae57d7ae9f3b23e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3569.tmp\ioSpecial.ini

Filesize
1KB

MD5
6e4dd49f480b6743655151178a0d3e27

SHA1
3ed6db720f419fb68f9d89b87e6ccad3069e77b0

SHA256
920ece0e58e683964cfe97acf94fbf68e6b545243625fc1c33666d0242e7893a

SHA512
93fad9b225e835b73348ddb5422a14ef575e5b1a7738d70a1f7ee30be0f8f7dc1ec9669fae6bd856161c332a98efb8474fb95439c7cd8f6982e040981e4001ed

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\presets.json

Filesize
362KB

MD5
896744217ce8c5eba843c34cd7275c2c

SHA1
693ebcdef3137f4b54ccb81412afe396822768a7

SHA256
eee6fe1ebc50c8d5550413005a23f126abab52ceb04b63291b92a44160eebc12

SHA512
50d380362e40ca494202852d492ae53d4671bd4d92325783b2334617b48c233efbf5fe958aad4c1f495bb5ca0c62a67e9ead07ccbe9d807a42e80fb49ffb12dc

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
2KB

MD5
abe74b6c6764579e01cc1a2bc0c2cb4a

SHA1
c0d4339c7e4101c466ef3bf8cf7fcca21e825308

SHA256
972afdb2f387d0f9786668868433e8146738d0d6b9905edc46f3e2acf495e478

SHA512
ab0dd5b85554d6e58450303f348289404621b4c167b1cb620e5637d888015bb12ac1865faca2923e1ee10eb5b704665aae09d4eb67092dfbc662e83283cfc5cf

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
2KB

MD5
6d33b052a07a6ce403da89debcf3901a

SHA1
52dc17ba26ba5f07489c308ded6db0ec866b7d5a

SHA256
783efd21ccaf933dbc8f0ea4e34e86d7edb41a3c2c0f1ea2418189437ff1e979

SHA512
be74f6991d6957cd7b0688dab94dfdd02811743b2a4d2bf2ef39907c7312b5dcbf21de7aae7ba7d2edfde2e84b853c3f8f67b8274344128c7f4b8f7fc6b614b7

Download Submit
C:\Users\Public\Desktop\HandBrake.lnk

Filesize
880B

MD5
989f9d701949fe232780992679292052

SHA1
4a6f6e467f257dc389fda93315bcdd5d2531798a

SHA256
4bae4b2a907b6a2473a38af1cf54bb0706af312e682bced0c1daf0d3cf4e3049

SHA512
a218772b66d6171f2a4fdecb58d6787e844b05eeafb8d5cb36d1c9ffa99bd2570c51b40dc716bf30c0df354581f6e718bae77e959f7392aeed2e9ea99fc01c78

Download Submit
memory/1960-331-0x00007FFC050E0000-0x00007FFC0AAA9000-memory.dmp

Filesize
89.8MB

Download
memory/3200-205-0x00007FFC1AB60000-0x00007FFC1B05E000-memory.dmp

Filesize
5.0MB

Download
memory/3200-330-0x0000016429060000-0x0000016429518000-memory.dmp

Filesize
4.7MB

Download
memory/3200-317-0x0000016429000000-0x0000016429053000-memory.dmp

Filesize
332KB

Download
memory/3200-322-0x0000016425B80000-0x0000016425BD3000-memory.dmp

Filesize
332KB

Download
memory/3200-326-0x00000164295B0000-0x0000016429638000-memory.dmp

Filesize
544KB

Download
memory/3200-325-0x0000016429060000-0x0000016429518000-memory.dmp

Filesize
4.7MB

Download
memory/3200-321-0x00007FFC050E0000-0x00007FFC0AAA9000-memory.dmp

Filesize
89.8MB

Download
memory/3200-293-0x0000016428930000-0x00000164289FE000-memory.dmp

Filesize
824KB

Download
memory/3200-218-0x0000016427910000-0x000001642791D000-memory.dmp

Filesize
52KB

Download
memory/3200-335-0x00007FFC1AB60000-0x00007FFC1B05E000-memory.dmp

Filesize
5.0MB

Download
memory/3200-212-0x0000016427840000-0x0000016427883000-memory.dmp

Filesize
268KB

Download
memory/3200-215-0x0000016405600000-0x000001640565A000-memory.dmp

Filesize
360KB

Download
memory/3200-209-0x0000016427920000-0x00000164279F2000-memory.dmp

Filesize
840KB

Download
memory/3200-206-0x0000016427C90000-0x00000164280D0000-memory.dmp

Filesize
4.2MB

Download
memory/3200-202-0x0000000180000000-0x00000001802B4000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads