e4c3c965ed05492f73fa261d2e2560ed9f0506474956eefab176c44ee709a1ab

General

Target

HandBrake-1.8.2-x86_64-Win_GUI.exe
Size

22.7MB
MD5

2c7968a6e1d5425e0c2c5b2a688ee9b1
SHA1

ca6a865ce5dce0f8571536d0aa774c775e8ce2b5
SHA256

e4c3c965ed05492f73fa261d2e2560ed9f0506474956eefab176c44ee709a1ab
SHA512

ddb92d9aed2aa8bbd6bbcfcbf95dcfe7e3ae25c9699fe85e00a74db58884661e9cbbb435b07cf54c3d31f8630aa74fadab074fce6fe450dab4dcae84915ed90a
SSDEEP

393216:HxvBKL2n0yyPxwn1aYFptjxLBrZHyRiZtHzHGkX1tzgJWWql3JMQtXCdyIU6Gitd:HtULwt1ao9LbHDtHqqBOIC0IU6GiFfJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2300	HandBrake.exe

Loads dropped DLL 4 IoCs

pid	Process
5812	HandBrake-1.8.2-x86_64-Win_GUI.exe
5812	HandBrake-1.8.2-x86_64-Win_GUI.exe
5812	HandBrake-1.8.2-x86_64-Win_GUI.exe
2300	HandBrake.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\HandBrake\HandBrake.Worker.exe	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\HandBrake.exe	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\hb.dll	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\portable.ini.template	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\doc\COPYING	HandBrake-1.8.2-x86_64-Win_GUI.exe
File created	C:\Program Files\HandBrake\uninst.exe	HandBrake-1.8.2-x86_64-Win_GUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HandBrake-1.8.2-x86_64-Win_GUI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HandBrake.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HandBrake.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	HandBrake.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	HandBrake.exe

C:\Users\Admin\AppData\Local\Temp\HandBrake-1.8.2-x86_64-Win_GUI.exe
"C:\Users\Admin\AppData\Local\Temp\HandBrake-1.8.2-x86_64-Win_GUI.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5812

C:\Program Files\HandBrake\HandBrake.exe
"C:\Program Files\HandBrake\HandBrake.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HandBrake\HandBrake.exe

Filesize
34.8MB

MD5
f3e1f308a1ce0c271b6b48e43cf395ad

SHA1
471dd45bb737355cd022bef0c850336541260428

SHA256
15bc21d9aa2d18d0e393b8205a190175ec0388a4fc1a9ccfee79b0e21d439a86

SHA512
e04f039b52a71ea2da236d035d8bb2426cf7b1ad6ffd6aa2470f643b64a46acfd47a62073724512af77a5a959cce9a36d01127cf04b63bd3cf58caf1f8cccd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\ioSpecial.ini

Filesize
1KB

MD5
e236992f24866e8fc6722057b3d14979

SHA1
bbbce82191fcd47dcd8f8545020e8aed1bc6fb00

SHA256
71e171215eacaa8fc6f6ad99656de61d0eaee5b9d9d7994fc52d94d4c725957d

SHA512
205aedb4f6486447058305a994bbfb5b342890a394d3d0e702b24c1fb1c4f1a2375f52c8fe2f8681bc421599e0338f8cbbab4b0f50cb57eddc3ab6cc49fc5c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\ioSpecial.ini

Filesize
1KB

MD5
a9b3a156c9b500dc835a6ef411d885e5

SHA1
22d07d9fcf5e7b00de7cc8fce5ef8b0abc75df69

SHA256
8f4166111dfe01c603ce59c2b61ce0ec82a03a3f414e93907cf518f47c106179

SHA512
722d0f2ce513101e9af06ace8345ba300bd0651d03f6cffc295284248c2546330dd1feed55d1c0343adacddb95874fc9d200803adf8a7bd0b08d603275be9d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\ioSpecial.ini

Filesize
1KB

MD5
205a29bbe80ee8e0cb385446a4f8a4de

SHA1
ffa30c7158da15b71dc31cfc35171d729f91c01a

SHA256
2caf462b96e81b7303e3f0f7f09ebcc7589aff75e4eec21ea441622b66589566

SHA512
b22064fdc08b362fa409d0be77971632dadcaed4070810b625903bf4eaffa6ed190d13eb05018cb56fb41c4b6bfac7de86d998e0112d6148ade17c9658be7b0e

Download Submit
C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

Filesize
2KB

MD5
94d95baa93ea2c258c1d4dbbaedc47b4

SHA1
9f42b202f3208dcd7da74473bcb01fea42716f3e

SHA256
ee7c48e1880156e3ebf47eadf6736bfe64040884cf8f4cdaf7f16fa433b570ae

SHA512
9e123c3c2f4cc5a5585f019aca11ade45b656e886af8030a3debc341d0299c34de4f1572a017b013dbcca2a666e9c141bfa9dbf33a8e35740c27ea4cf0f6b5a6

Download Submit

Analysis

Sharing