Resubmissions

28-03-2024 13:35

240328-qvvdysfd4s 4

21-03-2024 15:21

240321-srcqvaed68 10

Analysis

  • max time kernel
    161s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-03-2024 15:21

General

  • Target

    TeraBox.exe

  • Size

    6.8MB

  • MD5

    cd2539c928a77b46c37a9b4da821fa97

  • SHA1

    a8445e7cd4fc1083f7aa464f5adf9374aefeaa5d

  • SHA256

    74eb8cb2e07ff1eee37441cddb6563bc298da45a738f4f32513da5a82a164bb5

  • SHA512

    82ad8f18409419d52bee433e51929a9d16375ebc12d2ac2d8d9b592783f813e531d052394d5fcdbd4bad6d04993653f8ac7840c6a3048ea30dc8ca7d54ee142f

  • SSDEEP

    98304:8zWVnRcmVlL/Evm5yvvF1wFCIxmKkVaekszxlWPl3JE/nP:6WVnR3KvLH8C49kVaeLdlWwn
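Before reusing any finding from this report against a sample you hold, confirm it is the same file. The following is an added Python check (editor's example, not part of the sandbox report): it streams a file once through the four digest algorithms listed above and returns the algorithms whose digests disagree with the expected values. The expected values are the report's own for TeraBox.exe; the bytes hashed in the usage example are constructed. The ssdeep value is produced by a separate tool and is not checked here.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Union

# Digests for TeraBox.exe exactly as listed in the report.
REPORT_HASHES: Dict[str, str] = {
    "md5": "cd2539c928a77b46c37a9b4da821fa97",
    "sha1": "a8445e7cd4fc1083f7aa464f5adf9374aefeaa5d",
    "sha256": "74eb8cb2e07ff1eee37441cddb6563bc298da45a738f4f32513da5a82a164bb5",
    "sha512": "82ad8f18409419d52bee433e51929a9d16375ebc12d2ac2d8d9b592783f813e531d052394d5fcdbd4bad6d04993653f8ac7840c6a3048ea30dc8ca7d54ee142f",
}


def digest_stream(chunks: Iterable[bytes], algorithms: Iterable[str]) -> Dict[str, str]:
    """Feed every chunk to all requested hashers in one pass, so a large sample is never held in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: Union[str, Path], algorithms: Iterable[str]) -> Dict[str, str]:
    """Read the file in 1 MiB blocks and hash it with digest_stream."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(1 << 20)
                if not block:
                    return
                yield block
    return digest_stream(chunks(), algorithms)


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Return the names of the algorithms whose digest differs (or is missing); [] means the sample matches."""
    return sorted(
        name for name, want in expected.items()
        if actual.get(name, "").lower() != want.lower()
    )


def verify_file(path: Union[str, Path], expected: Dict[str, str] = REPORT_HASHES) -> List[str]:
    return verify(digest_file(path, expected.keys()), expected)


if __name__ == "__main__":
    # Usage on constructed bytes rather than a real file: every report digest will (correctly) mismatch.
    sample = digest_stream([b"constructed", b" sample bytes"], REPORT_HASHES.keys())
    print("mismatching algorithms:", verify(sample, REPORT_HASHES))
```

Compare all four digests rather than MD5 alone: MD5 and SHA-1 are the values most often copied into blocklists, and collisions for both are practical, so a SHA-256 match is the one to rely on.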

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
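Of the signatures above, "Modifies system certificate store" is the one worth a concrete check: a process that writes into the machine's or user's trusted-root store can make its own TLS interception or code-signing certificate trusted. The report counts 5 IoCs for it but does not print them on this page, so the following is an added Python example (the editor's, not the sandbox's signature code) that applies the check to Sysmon-style registry events: it matches writes under `SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>` in HKLM or HKCU and pulls out the store name and thumbprint, rating trust-anchor stores higher than the rest. The event records are constructed for the example and their thumbprints are placeholders, not certificates observed in this run.

```python
import re
from typing import Dict, List, Optional

# Registry layout of the Windows certificate stores:
#   <hive>\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>\Blob
# Writes into the trust anchors (ROOT, AuthRoot), intermediates (CA) and TrustedPublisher matter most.
CERT_STORE_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\SystemCertificates\\"
    r"(?P<store>[^\\]+)\\Certificates\\(?P<thumbprint>[0-9A-Fa-f]{40})(?:\\(?P<value>.+))?$",
    re.IGNORECASE,
)
TRUST_STORES = {"ROOT", "AUTHROOT", "CA", "TRUSTEDPUBLISHER"}


def classify(target_object: str) -> Optional[Dict[str, str]]:
    """Return store/thumbprint/severity for a certificate-store registry path, or None if it is not one."""
    m = CERT_STORE_RE.match(target_object)
    if not m:
        return None
    info = {k: (v or "") for k, v in m.groupdict().items()}
    info["store"] = info["store"].upper()
    info["thumbprint"] = info["thumbprint"].upper()
    info["severity"] = "high" if info["store"] in TRUST_STORES else "info"
    return info


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag Sysmon registry events (EventType as in event IDs 12/13) that create or set keys in a certificate store."""
    hits = []
    for ev in events:
        if ev.get("EventType") not in ("SetValue", "CreateKey"):
            continue
        info = classify(ev.get("TargetObject", ""))
        if info:
            hits.append({"Image": ev.get("Image", ""), "ProcessId": ev.get("ProcessId", ""), **info})
    return hits


# Constructed sample events (not from the report); thumbprints are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "SetValue", "ProcessId": "3680", "Image": r"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0000000000000000000000000000000000000001\Blob"},
    {"EventType": "SetValue", "ProcessId": "3680", "Image": r"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\0000000000000000000000000000000000000002\Blob"},
    {"EventType": "SetValue", "ProcessId": "3080", "Image": r"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe",
     "TargetObject": r"HKCU\SOFTWARE\Classes\Applications\TeraBox.exe\shell\open\command"},
    {"EventType": "DeleteKey", "ProcessId": "3680", "Image": r"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0000000000000000000000000000000000000003"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], hit["ProcessId"], hit["store"], hit["thumbprint"], hit["Image"])
```

The thumbprint in the key name is the SHA-1 of the certificate, so a hit can be pivoted straight to the certificate itself (`certutil -store Root <thumbprint>` on the host, or the `Blob` value decoded offline).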

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"
    1⤵
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2580,4573586279396183325,4725466110660039078,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2588 /prefetch:2
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:3080
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2580,4573586279396183325,4725466110660039078,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2964 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3464
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2580,4573586279396183325,4725466110660039078,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3784
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2580,4573586279396183325,4725466110660039078,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4444
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
      2⤵
      PID:2248
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3680.0.1611596548\747849993 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.169" -PcGuid "TBIMXV2-O_611DD72374F342F89D2B92A74F22CAD2-C_0-D_QM00013-M_DA5F53B51256-V_583E72F0" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      PID:3528
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3680.0.1611596548\747849993 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.169" -PcGuid "TBIMXV2-O_611DD72374F342F89D2B92A74F22CAD2-C_0-D_QM00013-M_DA5F53B51256-V_583E72F0" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3680.1.1251637800\1008612856 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.169" -PcGuid "TBIMXV2-O_611DD72374F342F89D2B92A74F22CAD2-C_0-D_QM00013-M_DA5F53B51256-V_583E72F0" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      PID:1192
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2580,4573586279396183325,4725466110660039078,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3956
    • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 601fe -unlogin
      2⤵
      PID:2384
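The command lines in this tree already carry the findings a practitioner would pull out by hand: every CEF helper (TeraBoxRender.exe) runs with `--no-sandbox`, the renderers additionally pass `--no-v8-untrusted-code-mitigations` and are configured with a bundled `pepflashplayer.dll` at version 20.0.0.306 (Flash Player has been end-of-life since the end of 2020), the embedded engine reports itself as Chrome/86.0.4240.198, the plugin host is started with `-DiskApiHttps 0 -StatisticHttps 0`, and the updater's `-update_cfg_url` is base64 rather than a plain URL. Here is an added Python triage helper (the editor's example, not code from the report or from the TeraBox project) that extracts all of this with regular expressions. The three command lines it embeds are copied from the tree above; the meaning attached to `--no-sandbox` and `--no-v8-untrusted-code-mitigations` is the documented Chromium meaning, while the reading of `-DiskApiHttps 0` / `-StatisticHttps 0` as "not TLS" takes the flag names at face value and is an assumption. The helper records observations; it does not decide whether the program is malicious.

```python
import base64
import re
from typing import Dict, List

# Command lines copied from the sandbox process tree above (captured, not constructed).
RENDERER = (
    r'"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox '
    r'--log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" '
    r'--field-trial-handle=2580,4573586279396183325,4725466110660039078,131072 '
    r'--enable-features=CastMediaRouteProvider --lang=en-US '
    r'--locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" '
    r'--log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable '
    r'--resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" '
    r'--user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); '
    r'Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" '
    r'--disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" '
    r'--ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 '
    r'--enable-main-frame-before-activation --renderer-client-id=5 '
    r'--no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1'
)
HOST = (  # first TeraBoxHost.exe launch; the capture has no quoted argv[0]
    r'-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" '
    r'-ChannelName terabox.3680.0.1611596548\747849993 '
    r'-QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" '
    r'-IP "10.127.0.169" '
    r'-PcGuid "TBIMXV2-O_611DD72374F342F89D2B92A74F22CAD2-C_0-D_QM00013-M_DA5F53B51256-V_583E72F0" '
    r'-Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1'
)
UPDATER = (
    r'"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" '
    r'-client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" '
    r'-update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 601fe -unlogin'
)

# Documented Chromium switches; a CEF-based application inherits their meaning.
FLAG_NOTES = {
    "--no-sandbox": "Chromium sandbox disabled for this process",
    "--no-v8-untrusted-code-mitigations": "V8 untrusted-code (Spectre-class) mitigations disabled",
}


def decode_b64(s: str) -> str:
    """Decode base64 that may have had its '=' padding stripped."""
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("utf-8")


def triage(cmdline: str) -> Dict[str, object]:
    """Extract the security-relevant switches from one captured command line."""
    findings: List[str] = []
    out: Dict[str, object] = {"findings": findings}
    m = re.search(r"--type=(\S+)", cmdline)
    if m:
        out["process_type"] = m.group(1)
    for flag, note in FLAG_NOTES.items():
        if re.search(r"(?<!\S)" + re.escape(flag) + r"(?!\S)", cmdline):
            findings.append(f"{flag}: {note}")
    m = re.search(r'--ppapi-flash-path="([^"]*)"', cmdline)
    if m:
        ver = re.search(r"--ppapi-flash-version=(\S+)", cmdline)
        out["flash"] = {"path": m.group(1), "version": ver.group(1) if ver else None}
        findings.append("bundled Flash (PPAPI) plugin configured: " + m.group(1))
    m = re.search(r"Chrome/(\d+(?:\.\d+)*)", cmdline)
    if m:
        out["chrome_version"] = m.group(1)  # engine version advertised in the user agent
    for name in ("DiskApiHttps", "StatisticHttps"):
        m = re.search(rf"-{name} (\d)", cmdline)
        if m:
            out[name] = m.group(1) == "1"
            if m.group(1) == "0":
                # Assumption: the flag name is taken literally; confirm on the wire before reporting it.
                findings.append(f"-{name} 0: flag name suggests this channel is not TLS-protected")
    m = re.search(r'-update_cfg_url "([^"]*)"', cmdline)
    if m:
        out["update_cfg_url"] = decode_b64(m.group(1))  # the updater hides its config URL in base64
    return out


if __name__ == "__main__":
    for label, cmd in (("renderer", RENDERER), ("host", HOST), ("updater", UPDATER)):
        print(label, triage(cmd))
```

Decoding the updater argument gives the update-config URL in clear, which is the next thing to check in the Network section of a run that actually reached the updater.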

          Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml

            Filesize

            22KB

            MD5

            50e940a33557749e8967787951b0b1f3

            SHA1

            5569074d7d12835f7f4a04b93f1b91b3b3da3500

            SHA256

            4a0fe43edb114b8df1ea5088966f71c35091e89a96894738cc61dbe59fe63559

            SHA512

            4011d8a6619d9b9c002dbbea6cc70db7dc894760ad9938ecf63f32e717d49b9e4f983a411d31e2cb6a30aede455ebe60db74aa2f22497667793635b2b33f56b0

          • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_00003d

            Filesize

            196KB

            MD5

            813c1b41e435242e7365a4bcd7adcf23

            SHA1

            2d25e1564eaf93455640413b95646b3f88f9075b

            SHA256

            70cb2151ee4ef83195855d29819491a23c5eafee2e72b7ffd9041b35363d1542

            SHA512

            268c4fa1797700a205e37e716c1472592ad6242344645c703ab1ab8d4d68452c3ccce7cdc4d56a0b42d4061bdc793f1c79dffc397f038133387b94b2a1f4051e

          • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

            Filesize

            624B

            MD5

            7ac8526122a771d2cc74644c93f1babe

            SHA1

            4a3df661aeb1f9a1716194949b3ec0624f34fe6b

            SHA256

            f2a2f7198f448dd1ca154a185e368530706e71fee696db16e4167419c373fa53

            SHA512

            582559522918a6b219315d7ca3137bdc5111242cb7d030cda32b61b13a1d3a81bacd37fc298fd2de477bfb99d2d525cf471b4543a6751c751a99ac01f5e57c31

          • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5a6766.TMP

            Filesize

            48B

            MD5

            9d66007c6cc3616fba97b340f4b8bad1

            SHA1

            5a8cc0db364cbc8d1c475ef2e565e1ea75272e98

            SHA256

            7f5982caf5be892fe0786951c28a344c11c9b85b83664f0974d9228630ccebba

            SHA512

            ad4377c3db5f1236d8736c6b0510fe72b30f179690e9dec19ad0441933d7c8a351f212964f11f215dea2484d2f6e6b1ddccb411207badb09d1b9fb8ee4655604

          • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

            Filesize

            16B

            MD5

            46295cac801e5d4857d09837238a6394

            SHA1

            44e0fa1b517dbf802b18faf0785eeea6ac51594b

            SHA256

            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

            SHA512

            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

          • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

            Filesize

            59B

            MD5

            2800881c775077e1c4b6e06bf4676de4

            SHA1

            2873631068c8b3b9495638c865915be822442c8b

            SHA256

            226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

            SHA512

            e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

          • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe5a10f9.TMP

            Filesize

            59B

            MD5

            78bfcecb05ed1904edce3b60cb5c7e62

            SHA1

            bf77a7461de9d41d12aa88fba056ba758793d9ce

            SHA256

            c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

            SHA512

            2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

          • C:\Users\Admin\AppData\Local\Temp\TeraBox_status

            Filesize

            114B

            MD5

            f46e91a09df3ea237149dac8767924c4

            SHA1

            d216238f57b8291492e97668fe47fe003ca440e4

            SHA256

            1298dad68b435ebaa645df4beacf42baf7d4fd8185d14d3e01bc8e9a8e914f26

            SHA512

            bd40f328a081428a5e7c34bd2cfcd45cc2e3a58eab2981d6ed53a08ec35dba9200abbac595b0428d979284ab25bc9d2f0217593d381fba06727797ee915e294a

          • memory/1192-240-0x0000000000680000-0x0000000000720000-memory.dmp

            Filesize

            640KB

          • memory/3516-63-0x0000000000680000-0x0000000000720000-memory.dmp

            Filesize

            640KB

          • memory/3516-375-0x0000000000680000-0x0000000000720000-memory.dmp

            Filesize

            640KB

          • memory/3516-230-0x0000000064CD0000-0x00000000660FC000-memory.dmp

            Filesize

            20.2MB

          • memory/3516-228-0x0000000000C60000-0x0000000000C61000-memory.dmp

            Filesize

            4KB

          • memory/3516-229-0x0000000000C70000-0x0000000000C71000-memory.dmp

            Filesize

            4KB

          • memory/3516-233-0x0000000000C80000-0x0000000000C81000-memory.dmp

            Filesize

            4KB

          • memory/3516-226-0x0000000000C10000-0x0000000000C11000-memory.dmp

            Filesize

            4KB

          • memory/3516-64-0x0000000000680000-0x0000000000720000-memory.dmp

            Filesize

            640KB

          • memory/3516-376-0x0000000064CD0000-0x00000000660FC000-memory.dmp

            Filesize

            20.2MB

          • memory/3516-224-0x0000000000C00000-0x0000000000C01000-memory.dmp

            Filesize

            4KB

          • memory/3516-227-0x0000000000C50000-0x0000000000C51000-memory.dmp

            Filesize

            4KB

          • memory/3516-223-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

            Filesize

            4KB

          • memory/3680-28-0x0000000004C10000-0x0000000004C20000-memory.dmp

            Filesize

            64KB

          • memory/3680-7-0x0000000000A10000-0x00000000010F5000-memory.dmp

            Filesize

            6.9MB

          • memory/3680-346-0x0000000004C10000-0x0000000004C20000-memory.dmp

            Filesize

            64KB

          • memory/3680-27-0x0000000004C00000-0x0000000004C01000-memory.dmp

            Filesize

            4KB

          • memory/3680-26-0x0000000000A10000-0x00000000010F5000-memory.dmp

            Filesize

            6.9MB