271de5aed87a398dedf889c16d7927e90f07facb4774a073cd4f365073fe51f8

Resubmissions

29-02-2024 21:17

240229-z5c24acg6v 10

Analysis

max time kernel
144s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

bfd3f90367cb5f536047cfaee9567e79
SHA1

86f1868b487d73dce0745f8b49edd23b014f88bc
SHA256

ecac497288f8e37a5ed5dab2369c11c6945aae4fbf397963d112e4b7f6d8755b
SHA512

010b8da2ed872d52c80c10a796c1cf9108a687b4626a7d69db6e39ca969935a162f9772de7647d88a9259c3249015a5b4d3fd986b13092fb7854161feede0186
SSDEEP

49152:47L6oPOReVwkTVcXj/SZTLvIkP4qghxZ3fw58hG7UBu:47NQeZVcX7aIFqgnZvSZ

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{7A75AF3D-7047-4459-A49C-964A65740482}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4172	Autoupdate.exe
4172	Autoupdate.exe
1752	TeraBox.exe
1752	TeraBox.exe
1752	TeraBox.exe
1752	TeraBox.exe
4300	TeraBoxRender.exe
4300	TeraBoxRender.exe
3992	TeraBoxRender.exe
3992	TeraBoxRender.exe
3888	TeraBoxRender.exe
3888	TeraBoxRender.exe
3416	TeraBoxRender.exe
3416	TeraBoxRender.exe
3884	TeraBoxRender.exe
3884	TeraBoxRender.exe
4484	TeraBoxHost.exe
4484	TeraBoxHost.exe
4484	TeraBoxHost.exe
4484	TeraBoxHost.exe
4484	TeraBoxHost.exe
4484	TeraBoxHost.exe
4000	TeraBoxRender.exe
4000	TeraBoxRender.exe
4000	TeraBoxRender.exe
4000	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	4172	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	4172	Autoupdate.exe
Token: SeManageVolumePrivilege	4484	TeraBoxHost.exe
Token: SeBackupPrivilege	4484	TeraBoxHost.exe
Token: SeSecurityPrivilege	4484	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1752	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1752	TeraBox.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4300	1752	TeraBox.exe	93
PID 1752 wrote to memory of 4300	1752	TeraBox.exe	93
PID 1752 wrote to memory of 4300	1752	TeraBox.exe	93
PID 1752 wrote to memory of 3992	1752	TeraBox.exe	94
PID 1752 wrote to memory of 3992	1752	TeraBox.exe	94
PID 1752 wrote to memory of 3992	1752	TeraBox.exe	94
PID 1752 wrote to memory of 3416	1752	TeraBox.exe	95
PID 1752 wrote to memory of 3416	1752	TeraBox.exe	95
PID 1752 wrote to memory of 3416	1752	TeraBox.exe	95
PID 1752 wrote to memory of 3888	1752	TeraBox.exe	96
PID 1752 wrote to memory of 3888	1752	TeraBox.exe	96
PID 1752 wrote to memory of 3888	1752	TeraBox.exe	96
PID 1752 wrote to memory of 2480	1752	TeraBox.exe	97
PID 1752 wrote to memory of 2480	1752	TeraBox.exe	97
PID 1752 wrote to memory of 2480	1752	TeraBox.exe	97
PID 1752 wrote to memory of 4336	1752	TeraBox.exe	99
PID 1752 wrote to memory of 4336	1752	TeraBox.exe	99
PID 1752 wrote to memory of 4336	1752	TeraBox.exe	99
PID 1752 wrote to memory of 4484	1752	TeraBox.exe	100
PID 1752 wrote to memory of 4484	1752	TeraBox.exe	100
PID 1752 wrote to memory of 4484	1752	TeraBox.exe	100
PID 1752 wrote to memory of 3884	1752	TeraBox.exe	101
PID 1752 wrote to memory of 3884	1752	TeraBox.exe	101
PID 1752 wrote to memory of 3884	1752	TeraBox.exe	101
PID 1752 wrote to memory of 3448	1752	TeraBox.exe	102
PID 1752 wrote to memory of 3448	1752	TeraBox.exe	102
PID 1752 wrote to memory of 3448	1752	TeraBox.exe	102
PID 1752 wrote to memory of 4000	1752	TeraBox.exe	105
PID 1752 wrote to memory of 4000	1752	TeraBox.exe	105
PID 1752 wrote to memory of 4000	1752	TeraBox.exe	105

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,5387704533468246243,17865042859466378296,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2500 /prefetch:2
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4300
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2600,5387704533468246243,17865042859466378296,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3992
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,5387704533468246243,17865042859466378296,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3416
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,5387704533468246243,17865042859466378296,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3888
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1752.0.869909457\583131481 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.65" -PcGuid "TBIMXV2-O_2E08DF1FDABC4068A8C26602BD99C7F1-C_0-D_QM00013-M_C2C57F2727CB-V_7BD44977" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1752.0.869909457\583131481 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.65" -PcGuid "TBIMXV2-O_2E08DF1FDABC4068A8C26602BD99C7F1-C_0-D_QM00013-M_C2C57F2727CB-V_7BD44977" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,5387704533468246243,17865042859466378296,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3884
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1752.1.842785292\1598290937 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.65" -PcGuid "TBIMXV2-O_2E08DF1FDABC4068A8C26602BD99C7F1-C_0-D_QM00013-M_C2C57F2727CB-V_7BD44977" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,5387704533468246243,17865042859466378296,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4428 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
d4bac15b6e5d9529b788a740d89998b8

SHA1
5728b6ed899338f0339a9d2561f048133583c6f8

SHA256
4a6ec6eb1580ba1678317d934a2191c4283565c2d1a6372d9d0d5f478a3dabe2

SHA512
7685ca4b40f33603e08dfa002bd094dce878b4960309c99b902c0730781dd5891cf6b098d1e6644c67dc1c2d7e64ca4336aada6fe89bc7108d74572300e25487

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000053

Filesize
195KB

MD5
89d79dbf26a3c2e22ddd95766fe3173d

SHA1
f38fd066eef4cf4e72a934548eafb5f6abb00b53

SHA256
367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69

SHA512
ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
3afecaf99df58babc9dee745ed654123

SHA1
2a75f03cf5cb609b7923945d79ce8423609caf73

SHA256
6017399d87faffe8731734f8f0ccfd6ebf31109ceba620c3a790fdb94df8b1de

SHA512
f0571bebdc08181865c17cbcad8405eca30106ab6b7d704d5b83a608252ccc2a520b63775dc909eb35167137574cd47aa320f2b5f526c74b7e195cd8d2736adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe581539.TMP

Filesize
48B

MD5
c94eccf2d1608a129862949ccbeb3f9a

SHA1
9fb97bdabeea8ceba4515516a0daac9e4e74a661

SHA256
e84eaab615c8248b4945dea4ee911fe17bb284143d32d7d010438f84a7fa858a

SHA512
640f3b533989b853792d3d08210ce53af24207133a8f9ae56d685a73cfd498b466f1660438dd3809e61796cfb4eb176a2c6334762e4ea983e6c2d1f704a3c900

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
329d933f16d60b49189dc9f9e24a4d9f

SHA1
1c0c9f0952d16c2392fe643cd28c9d2da1708db8

SHA256
5633dd39e19edf4686b26a09cb4d6feccb76b398f35ac1aed4c4a8c75d6b5038

SHA512
bb5d83b8b1f669782e057ccd4bebf50e089f90e9ed2c6ceb2acb9e238978c85f0e2e1065020c18c20bb48759812edba2b2c790897e65c68306aacde34a38d6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe587e62.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
memory/1752-31-0x00000000044B0000-0x00000000044C0000-memory.dmp

Filesize
64KB

Download
memory/1752-10-0x0000000000FB0000-0x0000000001694000-memory.dmp

Filesize
6.9MB

Download
memory/1752-485-0x00000000044B0000-0x00000000044C0000-memory.dmp

Filesize
64KB

Download
memory/1752-484-0x000000000AA20000-0x000000000AA21000-memory.dmp

Filesize
4KB

Download
memory/1752-483-0x0000000000FB0000-0x0000000001694000-memory.dmp

Filesize
6.9MB

Download
memory/1752-28-0x000000000AA20000-0x000000000AA21000-memory.dmp

Filesize
4KB

Download
memory/3448-365-0x0000000000420000-0x00000000004C0000-memory.dmp

Filesize
640KB

Download
memory/3448-368-0x0000000000420000-0x00000000004C0000-memory.dmp

Filesize
640KB

Download
memory/4484-283-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/4484-292-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/4484-289-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/4484-291-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/4484-290-0x00000000653C0000-0x00000000667EC000-memory.dmp

Filesize
20.2MB

Download
memory/4484-486-0x0000000000420000-0x00000000004C0000-memory.dmp

Filesize
640KB

Download
memory/4484-487-0x00000000653C0000-0x00000000667EC000-memory.dmp

Filesize
20.2MB

Download
memory/4484-286-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/4484-284-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/4484-285-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4484-75-0x0000000000420000-0x00000000004C0000-memory.dmp

Filesize
640KB

Download