Resubmissions

29-02-2024 21:17

240229-z5c24acg6v 10

Analysis

  • max time kernel
    266s
  • max time network
    290s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-02-2024 21:17

General

  • Target
    TeraBox.exe
  • Size
    6.8MB
  • MD5
    bce254dbffa461fd2257839b34b81b15
  • SHA1
    e554d9d8d4775d5b5eb8bb1a2cf1cbedd53b38dc
  • SHA256
    15a8c8ad6f8b99f758b82843d92a110616df6dd71a4c20873817db69e9b5008a
  • SHA512
    3376c40fa1115cffe8da2b7ff2d5b3242d00b6353f0268b3e39abcc72742691e9be2392b0760b74e8a4c722c25e10f816f651082dfefe915a1c7ee2cc1398fcb
  • SSDEEP
    98304:0VvTm0B0w8uOMSdQUpB5hHZVTbJGpkVShIsIM8iKqUU8CJ:gvTm64JMIp5T0kVSXIM8iKbCJ

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"
    1⤵
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2016,13776948000187697950,1365698248914729327,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2056 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1880
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,13776948000187697950,1365698248914729327,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2584 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2448
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2016,13776948000187697950,1365698248914729327,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2016,13776948000187697950,1365698248914729327,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:280
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
      2⤵
      PID:2072
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2016,13776948000187697950,1365698248914729327,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2056 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:836
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.564.0.2087054396\618625034 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.200" -PcGuid "TBIMXV2-O_32942DEDA01A4443B163D636F6133A04-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_5DF70FE9" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      PID:1716
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.564.0.2087054396\618625034 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.200" -PcGuid "TBIMXV2-O_32942DEDA01A4443B163D636F6133A04-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_5DF70FE9" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
    • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 20194 -unlogin
      2⤵
      PID:2296
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.564.1.1097705591\242907283 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.200" -PcGuid "TBIMXV2-O_32942DEDA01A4443B163D636F6133A04-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_5DF70FE9" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
    Filesize: 959B
    MD5: d5e98140c51869fc462c8975620faa78
    SHA1: 07e032e020b72c3f192f0628a2593a19a70f069e
    SHA256: 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
    SHA512: 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 67KB
    MD5: 753df6889fd7410a2e9fe333da83a429
    SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
    SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
    SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
    Filesize: 192B
    MD5: 1681db86175b49f893c82b41385e3381
    SHA1: 9b0df7bb3f3baabb96594e8af0785d46d905c137
    SHA256: beeaf3c8c2fd5419ace7ff6263a769f784b2dfb7179a7792118c1325e9ceac6d
    SHA512: 2d7dc870fa5435f253005ae3ea8ed82c054faa89b68590f0e2ec98b070bf9bb9ff50ff28881339334b4a05410611e64fb72cb7f2235f1407234adf2e235fa598
  • C:\Users\Admin\AppData\Local\Temp\CabFE2F.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
  • C:\Users\Admin\AppData\Local\Temp\TarFFCB.tmp
    Filesize: 175KB
    MD5: dd73cead4b93366cf3465c8cd32e2796
    SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
    SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
    SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
  • C:\Users\Admin\AppData\Local\Temp\TeraBox_status
    Filesize: 112B
    MD5: aae526e030a73fad9c13e34c91802195
    SHA1: ec2d1400465731fa25caa4c868ccb8d0445be65b
    SHA256: d8fef1082d8de3baf310eece996609d6e6a24877913aa0b53e7052ce67f6f4f5
    SHA512: 2441b5c3ea1cfa61b122bc358d77c1e497ba6057bd2d8385be6aa7771560acfa5749d5a1797e4e8c6a0aefe9315f81904a13b201e45686e8004cdb9cd762cc6d

  • memory/564-24-0x0000000000B70000-0x0000000000B71000-memory.dmp
    Filesize: 4KB
  • memory/564-10-0x0000000000360000-0x0000000000A44000-memory.dmp
    Filesize: 6.9MB
  • memory/564-93-0x0000000004040000-0x0000000004080000-memory.dmp
    Filesize: 256KB
  • memory/564-27-0x0000000003200000-0x0000000003201000-memory.dmp
    Filesize: 4KB
  • memory/564-43-0x0000000003200000-0x0000000003201000-memory.dmp
    Filesize: 4KB
  • memory/564-20-0x0000000000360000-0x0000000000A44000-memory.dmp
    Filesize: 6.9MB
  • memory/564-13-0x0000000000B70000-0x0000000000B71000-memory.dmp
    Filesize: 4KB
  • memory/564-29-0x0000000004040000-0x0000000004080000-memory.dmp
    Filesize: 256KB
  • memory/1028-1851-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize: 4KB
  • memory/1028-1850-0x0000000001020000-0x00000000010C0000-memory.dmp
    Filesize: 640KB
  • memory/1028-1849-0x0000000001020000-0x00000000010C0000-memory.dmp
    Filesize: 640KB
  • memory/1916-1731-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize: 4KB
  • memory/1916-1753-0x00000000004B0000-0x00000000004B1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1728-0x0000000000460000-0x0000000000461000-memory.dmp
    Filesize: 4KB
  • memory/1916-1729-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize: 4KB
  • memory/1916-1727-0x0000000067950000-0x0000000068D7C000-memory.dmp
    Filesize: 20.2MB
  • memory/1916-1733-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize: 4KB
  • memory/1916-1736-0x0000000000480000-0x0000000000481000-memory.dmp
    Filesize: 4KB
  • memory/1916-1738-0x0000000000480000-0x0000000000481000-memory.dmp
    Filesize: 4KB
  • memory/1916-1741-0x0000000000490000-0x0000000000491000-memory.dmp
    Filesize: 4KB
  • memory/1916-1743-0x0000000000490000-0x0000000000491000-memory.dmp
    Filesize: 4KB
  • memory/1916-1746-0x00000000004A0000-0x00000000004A1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1748-0x00000000004A0000-0x00000000004A1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1751-0x00000000004B0000-0x00000000004B1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1725-0x0000000000460000-0x0000000000461000-memory.dmp
    Filesize: 4KB
  • memory/1916-1765-0x00000000004C0000-0x00000000004C1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1767-0x00000000004C0000-0x00000000004C1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1769-0x00000000004C0000-0x00000000004C1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1770-0x0000000076FE0000-0x0000000076FE1000-memory.dmp
    Filesize: 4KB
  • memory/1916-1723-0x0000000000460000-0x0000000000461000-memory.dmp
    Filesize: 4KB
  • memory/1916-1847-0x0000000001020000-0x00000000010C0000-memory.dmp
    Filesize: 640KB
  • memory/1916-1720-0x0000000001020000-0x00000000010C0000-memory.dmp
    Filesize: 640KB
  • memory/1916-1721-0x0000000000440000-0x0000000000441000-memory.dmp
    Filesize: 4KB
  • memory/1916-1719-0x0000000001020000-0x00000000010C0000-memory.dmp
    Filesize: 640KB
  • memory/1916-1853-0x0000000067950000-0x0000000068D7C000-memory.dmp
    Filesize: 20.2MB
  • memory/2072-40-0x00000000000F0000-0x00000000000F1000-memory.dmp
    Filesize: 4KB
  • memory/2296-1856-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize: 4KB