Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2024 19:34

General

  • Target

    HandBrake-1.8.2-x86_64-Win_GUI.exe

  • Size

    22.7MB

  • MD5

    2c7968a6e1d5425e0c2c5b2a688ee9b1

  • SHA1

    ca6a865ce5dce0f8571536d0aa774c775e8ce2b5

  • SHA256

    e4c3c965ed05492f73fa261d2e2560ed9f0506474956eefab176c44ee709a1ab

  • SHA512

    ddb92d9aed2aa8bbd6bbcfcbf95dcfe7e3ae25c9699fe85e00a74db58884661e9cbbb435b07cf54c3d31f8630aa74fadab074fce6fe450dab4dcae84915ed90a

  • SSDEEP

    393216:HxvBKL2n0yyPxwn1aYFptjxLBrZHyRiZtHzHGkX1tzgJWWql3JMQtXCdyIU6Gitd:HtULwt1ao9LbHDtHqqBOIC0IU6GiFfJ

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HandBrake-1.8.2-x86_64-Win_GUI.exe
    "C:\Users\Admin\AppData\Local\Temp\HandBrake-1.8.2-x86_64-Win_GUI.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:3620
  • C:\Program Files\HandBrake\HandBrake.exe
    "C:\Program Files\HandBrake\HandBrake.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\HandBrake\HandBrake.exe

    Filesize

    34.8MB

    MD5

    f3e1f308a1ce0c271b6b48e43cf395ad

    SHA1

    471dd45bb737355cd022bef0c850336541260428

    SHA256

    15bc21d9aa2d18d0e393b8205a190175ec0388a4fc1a9ccfee79b0e21d439a86

    SHA512

    e04f039b52a71ea2da236d035d8bb2426cf7b1ad6ffd6aa2470f643b64a46acfd47a62073724512af77a5a959cce9a36d01127cf04b63bd3cf58caf1f8cccd20

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\HandBrake.lnk

    Filesize

    898B

    MD5

    7456450c661c9a32b6f74a1635d2c5a8

    SHA1

    72409b1d4f1f672343acb1f082126de0eef2a4ef

    SHA256

    605850041015332aac0460e30794c15d4593949e16e7b3be0dcc0f0bb8a17885

    SHA512

    c823c20d9ee82adbbb61507c469db2fb58b77a695fec49ce90924c7cf9fd03f9b0b138a04d6ab45e8a8860218f3f9ab7bc53725a0cc1255a5e27e3bb7bc90bd8

  • C:\Users\Admin\AppData\Local\Temp\nspDDDE.tmp\InstallOptions.dll

    Filesize

    15KB

    MD5

    d095b082b7c5ba4665d40d9c5042af6d

    SHA1

    2220277304af105ca6c56219f56f04e894b28d27

    SHA256

    b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

    SHA512

    61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

  • C:\Users\Admin\AppData\Local\Temp\nspDDDE.tmp\System.dll

    Filesize

    12KB

    MD5

    4add245d4ba34b04f213409bfe504c07

    SHA1

    ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    SHA256

    9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    SHA512

    1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

  • C:\Users\Admin\AppData\Local\Temp\nspDDDE.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    c5d7d97876bfc6ed6a52b69932a68cdc

    SHA1

    6daa67d79a7d148a9fc924ad3920cf065b8b5e36

    SHA256

    62fdc4ba66b5f37e2d15ca213fb97cda6134733541459e170f627d954e719a03

    SHA512

    c1eec52b9b959524c83dc5f33d991d889324c1b4c9e6f6ef8227c41fd9fc369c6ad4c292e8120b2b47f98a6ea60958907b3a98faa2faf6df833f16ea11a038ee

  • C:\Users\Admin\AppData\Local\Temp\nspDDDE.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    13798d8223441bfce2f7a0c5b3b54294

    SHA1

    590f70446811e043ff671e92faee1355696d7ae2

    SHA256

    0bca8057248c1281253ee470a335a2a1366ac9daeb50551ac8416e47178704d4

    SHA512

    ff1a04ce05d50a2235cf910fbe5871dc30b98913b1dfad461ec3d3dfaeb2590d07b0b065fab1512c72e9d3a113c7a79a6ee7341cd972b44259540f85edc2c234

  • C:\Users\Admin\AppData\Local\Temp\nspDDDE.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    4aeafe746b7ab0ca588e938f3e0144f0

    SHA1

    25e747baab776f6cdd1499a9a86badc4049c0c0b

    SHA256

    07e991ed705812d5ce6f1d57756a588fae7ee5e150de1f6b75f7ad96c84cc9e2

    SHA512

    2c375df2a57145433d869c9107a19b14d636f5e0ff41ccccecd65eb2ae4cd1eef158364889de01da4ba348a3043f6aa08c13d4de05255f69aee9552e28afb8c7

  • C:\Users\Admin\AppData\Roaming\HandBrake\settings.json

    Filesize

    2KB

    MD5

    de40757a36e015d9eb3dc7aed8cef37d

    SHA1

    31dd43faaab695ac116ae67244a4b4b4eda0ea74

    SHA256

    1954a590ff49c36d1d7d3d5b804ae81bb1dc0bdcc05992072a3b0b9c34fbbf19

    SHA512

    6b785c49dc318a3411313a6be82da2361258a7a76a7cde57de390a636ec93bec4500fe44b0ffa5dbcca256ae0efe4ea9998ab02237fe704eac11598e6235d01a

  • C:\Users\Public\Desktop\HandBrake.lnk

    Filesize

    880B

    MD5

    1cef389ba9dc2f5d93ee88966a3fe686

    SHA1

    f90dcd53122112506a42db0b2eaa68b3c038d977

    SHA256

    d69f5354ed900b0df938a5c646f0c3bc659d44fe5b859f702d9a6cb9329fa3e9

    SHA512

    bccdce58bb0f39a1e91a25b278c6290c4957485d541ce9a398f99c00354383e167f38563f82e8e92fd281a3e9a4ab48b7e537e36ceae0f3390c65bc0e4c62764

  • memory/4904-276-0x00007FFA470B0000-0x00007FFA4C86F000-memory.dmp

    Filesize

    87.7MB

  • memory/4904-346-0x00007FFA470B0000-0x00007FFA4C86F000-memory.dmp

    Filesize

    87.7MB