e4c3c965ed05492f73fa261d2e2560ed9f0506474956eefab176c44ee709a1ab

Analysis

max time kernel
33s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-10-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HandBrake-1.8.2-x86_64-Win_GUI.exe
Size

22.7MB
MD5

2c7968a6e1d5425e0c2c5b2a688ee9b1
SHA1

ca6a865ce5dce0f8571536d0aa774c775e8ce2b5
SHA256

e4c3c965ed05492f73fa261d2e2560ed9f0506474956eefab176c44ee709a1ab
SHA512

ddb92d9aed2aa8bbd6bbcfcbf95dcfe7e3ae25c9699fe85e00a74db58884661e9cbbb435b07cf54c3d31f8630aa74fadab074fce6fe450dab4dcae84915ed90a
SSDEEP

393216:HxvBKL2n0yyPxwn1aYFptjxLBrZHyRiZtHzHGkX1tzgJWWql3JMQtXCdyIU6Gitd:HtULwt1ao9LbHDtHqqBOIC0IU6GiFfJ

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1356	HandBrake.exe

Loads dropped DLL 4 IoCs

pid	Process
3724	HandBrake-1.8.2-x86_64-Win_GUI.exe
3724	HandBrake-1.8.2-x86_64-Win_GUI.exe
3724	HandBrake-1.8.2-x86_64-Win_GUI.exe
1356	HandBrake.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\HandBrake\HandBrake.Worker.exe	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\HandBrake.exe	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\hb.dll	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\portable.ini.template	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\doc\COPYING	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\uninst.exe	HandBrake-1.8.2-x86_64-Win_GUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HandBrake-1.8.2-x86_64-Win_GUI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\1A46400F-4C81-802A-C2C1-1E9A687A9340\\Icon.png"	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\CustomActivator = "{1a46400f-4c81-802a-c2c1-1e9a687a9340}"	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\AppId = "{1a46400f-4c81-802a-c2c1-1e9a687a9340}"	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\RunAs = "Interactive User"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe	HandBrake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\Has7.0.1Fix = "1"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}\LocalServer32\ = "\"C:\\Program Files\\HandBrake\\HandBrake.exe\" -ToastActivated"	HandBrake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\AppUserModelId	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\IconBackgroundColor = "FFDDDDDD"	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\CLSID	HandBrake.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\CLSID\{1a46400f-4c81-802a-c2c1-1e9a687a9340}	HandBrake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/HandBrake/HandBrake.exe\DisplayName = "HandBrake"	HandBrake.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	HandBrake.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1356	HandBrake.exe

C:\Users\Admin\AppData\Local\Temp\HandBrake-1.8.2-x86_64-Win_GUI.exe
"C:\Users\Admin\AppData\Local\Temp\HandBrake-1.8.2-x86_64-Win_GUI.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3724

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HandBrake\HandBrake.exe

Filesize
34.8MB

MD5
f3e1f308a1ce0c271b6b48e43cf395ad

SHA1
471dd45bb737355cd022bef0c850336541260428

SHA256
15bc21d9aa2d18d0e393b8205a190175ec0388a4fc1a9ccfee79b0e21d439a86

SHA512
e04f039b52a71ea2da236d035d8bb2426cf7b1ad6ffd6aa2470f643b64a46acfd47a62073724512af77a5a959cce9a36d01127cf04b63bd3cf58caf1f8cccd20

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\HandBrake.lnk

Filesize
898B

MD5
a7bc87283b365f6f054eb8137532b2ff

SHA1
4b9529331fbba736fee06e0f0468f52a067210c7

SHA256
4ecb0eeca45b2924d16669a65781dc780b3a75417add6ece67d53b946e268f3c

SHA512
1e2300fc1270a9e587fc8396cdd4cece2097492a163be299d1440a33b63b27d639b953e09b230e14cc8ae9bce73dca4010257b0f661a6e758998828a64b7adb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8945.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8945.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8945.tmp\ioSpecial.ini

Filesize
1KB

MD5
b4c0b56e5b3651be7429766ed4ff2519

SHA1
d045d456df494b40e82fc2e92b40f9e5dc46ec36

SHA256
61f8bca369f67a660670d476fd9148447b069dc20c1a24e6b8bed99b177c23b0

SHA512
c5c9cf5a600b8f162fcd3fcc47d755e399eda99b274f9b1ac5b019fb670a6a969eaac71d3bdb8bdefd68b3509a9812c16f9142d750b5b18707fe0f2cd643f2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8945.tmp\ioSpecial.ini

Filesize
1KB

MD5
03b4afbc26aa250d8fe5a683875688f7

SHA1
2cad9388101cade266e3472c4aed359f79ce0033

SHA256
345ee332df4a6ed15bdd8ccef5b42eacc18cdf52f3dc22f752dddddb6489252d

SHA512
dd0f19541b82f63de2b859206c8e94aeff89cb600b8e50c44173290e8f441727c89b7d26d6632bdc537cdfc42a30132e05c47dd80fa7314d48bd449079ff470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8945.tmp\ioSpecial.ini

Filesize
1KB

MD5
cf8f804f85a4e4a8683528f8e36aa1c9

SHA1
b37fc7c118d36d9f7670dd942ed0e029e1a43d9c

SHA256
b2e5fbe4f944fc3c6f557d86a676f980d9f4e0ef6b2c43dfef2217d748c44802

SHA512
d6fe0ebcfbaf9e8571ad9c836cc70cd3d1bdadc315f08f9d52fe37ad5702812a438c46801a33aa0378b3fc6dbde8db5f15fdf1a2aa3078ebe2510b828682823b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8945.tmp\ioSpecial.ini

Filesize
1KB

MD5
a892a5b5d8525827b4d9f81ef0fed296

SHA1
86fcef022c6480bd66cf1ab9dc427cdfc345b84a

SHA256
97e26b42fac59e5e2fb20d7f5850c0e15e23c7165b9f9656a861f831a3d6217c

SHA512
158d168b18b3b84c901915c9885c3abfe06515cc161e550221464482c98ae887350e2575872813485386be090ca2dd2f52cc6817f7d90a3909821fd3be93287a

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
2KB

MD5
6229aa4d4fe58ad2afa48f771cca9058

SHA1
bf3be98fa3fe877dab2c652aec61c431de2176b7

SHA256
bc699640b8a381f2acc07de65d67f6129ea229b93c112404730fcc380f17d8f7

SHA512
704afe5bc5dfef2c57f044ab1d1dac4f0747fb14b53017f3543475ea3efe663d0c02dd73e8584b55b2be48c20369e049bc972fdfe801296853a608262b6c4051

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
2KB

MD5
56fbe00b465a9d99fe3594a93dd39ede

SHA1
04d49052362a342e03d92e14e26f8c834cedb561

SHA256
90c416cc130075fa9b633896147ca6b524226ffa9351c15f64406cc30abc3b0f

SHA512
05fbf83312cf2c0da2de05b0f1472efe5b0a67bf8c58abdb943d76c99de0fa7ca8d26b01cef832fd399d5fcaea68657f1e87c150f1e086b5466053c754ab085b

Download Submit
C:\Users\Public\Desktop\HandBrake.lnk

Filesize
880B

MD5
6376bf5add6ac7c350601f2af6580fd8

SHA1
23e502be3298aa708aca419e23dd930732ad535e

SHA256
9adf86f10d595368ada0c8bf03901baa92729503ac09a19954f36b1c0ab06508

SHA512
fa327ead6de5b5524c8012def209f849a7aea39df4add596046adde627367bcf22edb12b0b4c4708a6c0af13f14e81f55caa957a93e1d2c804d4b3f52b3d5d28

Download Submit
memory/1356-345-0x00007FFAAEE40000-0x00007FFAB45FF000-memory.dmp

Filesize
87.7MB

Download