Analysis

  • max time kernel
    145s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-03-2024 16:33

General

  • Target

    AutoUpdate/Autoupdate.exe

  • Size

    2.8MB

  • MD5

    8ccf980ea54f3605d4360645416ad152

  • SHA1

    99231ce34e0ff68dd417c2246a5ca71d147f96fe

  • SHA256

    40a650cb5d37d6a5b3d8674f50ae3f6e243ac80f595f64d0b72f97854d5f20df

  • SHA512

    644c51032536934bf1ebce9c93e97d201f18fffd21d31fb083853c7084c8fc63a35c02907bf91be0301805103a892c3f03164f5543daa976b22788b364be1a21

  • SSDEEP

    49152:x7L6oPOReVwkTVcXj/SZTLvIkP4qghgZnfw58hG7UB:x7NQeZVcX7aIFqgiZfS

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
      C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2056 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1936
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2988 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1912
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2016
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1664
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
        3⤵
        PID:2792
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2056 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2376
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
        -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2556.0.807421580\114554819 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.62" -PcGuid "TBIMXV2-O_376CB45BCF2D470891199764E179DFAA-C_0-D_4d51303031302033202020202020202020202020-M_5ABF6C2465D5-V_8C4D6F22" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        PID:1732
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2556.0.807421580\114554819 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.62" -PcGuid "TBIMXV2-O_376CB45BCF2D470891199764E179DFAA-C_0-D_4d51303031302033202020202020202020202020-M_5ABF6C2465D5-V_8C4D6F22" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:320
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2556.1.420704371\487507376 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.62" -PcGuid "TBIMXV2-O_376CB45BCF2D470891199764E179DFAA-C_0-D_4d51303031302033202020202020202020202020-M_5ABF6C2465D5-V_8C4D6F22" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        PID:1936
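The tree above shows the updater launching TeraBox.exe, which runs a Chromium-based TeraBoxRender.exe with --no-sandbox on the gpu, network and renderer children, loads a PPAPI Flash DLL from %TEMP%, and starts TeraBoxHost.exe instances whose -PluginPath DLLs also sit in that user-writable Temp directory, with -DiskApiHttps 0 and -StatisticHttps 0 on the command line. The 1/10 score reflects the absence of malicious-behaviour signatures, not the absence of weak hardening. The script below is an added example by the editor, not code from the sandbox report or from the TeraBox software: it parses abbreviated copies of these command lines (constructed inline) and lists the indicators per PID. The indicator names are the editor's, and the reading of the two *Https 0 flags as "HTTPS switched off" is an assumption from the flag names alone. PID 1936 appears twice in the report (a gpu-process and, later, a TeraBoxHost instance), so each finding carries the image name as well as the PID.

```python
"""Triage the process tree above for weak-hardening indicators.

Added example by the editor; not part of the sandbox report or of the TeraBox
software. Command lines are abbreviated copies of those in the report. Indicator
names are the editor's; reading -DiskApiHttps 0 / -StatisticHttps 0 as "HTTPS
switched off" is an assumption based on the flag names alone."""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
UA = ('--user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; '
      '(KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;'
      'PC;PC-Windows;6.1.7601;WindowsTeraBox"')
RENDER = '"' + T + r'\TeraBoxRender.exe"'
HOST = '"' + T + r'\TeraBoxHost.exe"'
HOST_TAIL = ('-TeraBoxId "" -IP "10.127.0.62" -Version "1.30.0.2" '
             '-DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1')
FLASH = ('--ppapi-flash-path="' + T + r'\pepflashplayer.dll" '
         '--ppapi-flash-version=20.0.0.306 ')

# (pid, command line) pairs constructed from the report's Processes section.
PROCESS_TREE = [
    (2212, '"' + T + r'\AutoUpdate\Autoupdate.exe"'),
    (2556, T + r'\TeraBox.exe NoUpdate'),
    (1936, RENDER + ' --type=gpu-process --no-sandbox ' + UA + ' --lang=en-US /prefetch:2'),
    (1912, RENDER + ' --type=utility --utility-sub-type=network.mojom.NetworkService '
           '--service-sandbox-type=network --no-sandbox ' + UA + ' /prefetch:8'),
    (2016, RENDER + ' --type=renderer --no-sandbox ' + UA + ' --disable-extensions ' + FLASH
           + '--renderer-client-id=5 --no-v8-untrusted-code-mitigations /prefetch:1'),
    (1664, RENDER + ' --type=renderer --no-sandbox ' + UA + ' --disable-extensions ' + FLASH
           + '--renderer-client-id=3 --no-v8-untrusted-code-mitigations /prefetch:1'),
    (2792, '"' + T + r'\TeraBoxWebService.exe"'),
    (2376, RENDER + ' --type=gpu-process --no-sandbox ' + UA + ' --use-gl=swiftshader-webgl /prefetch:2'),
    (1732, HOST + ' -PluginId 1502 -PluginPath "' + T + r'\kernel.dll" ' + HOST_TAIL),
    (320, HOST + ' -PluginId 1502 -PluginPath "' + T + r'\kernel.dll" ' + HOST_TAIL),
    (1936, HOST + ' -PluginId 1501 -PluginPath "' + T + r'\module\VastPlayer\VastPlayer.dll" ' + HOST_TAIL),
]

# A token is a run of non-space text in which double-quoted spans may contain
# spaces, so --user-agent="Mozilla/5.0; (Windows NT 6.1; ...)" stays whole.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok

def parse_cmdline(cmdline):
    """Split a command line into (image path, {flag: value}, positional args). Accepts
    Chromium --key=value and TeraBoxHost -Key value; a flag with no value maps to True."""
    toks = TOKEN_RE.findall(cmdline)
    exe, args, positional = unquote(toks[0]), {}, []
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            args[key] = unquote(val) if val else True
        elif tok.startswith("-"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("-"):
                args[tok[1:]] = unquote(nxt)
                i += 1
            else:
                args[tok[1:]] = True
        else:
            positional.append(unquote(tok))
        i += 1
    return exe, args, positional

def triage(tree):
    """Return (pid, image, indicator, detail) for every indicator found."""
    findings = []
    for pid, cmdline in tree:
        exe, args, _ = parse_cmdline(cmdline)
        image = exe.rsplit("\\", 1)[-1]
        if "no-sandbox" in args:
            findings.append((pid, image, "chromium-sandbox-disabled", args.get("type")))
        if "no-v8-untrusted-code-mitigations" in args:
            findings.append((pid, image, "v8-mitigations-disabled", args.get("type")))
        if "ppapi-flash-path" in args:
            findings.append((pid, image, "flash-plugin-loaded", args["ppapi-flash-path"]))
        m = re.search(r"Chrome/(\d+(?:\.\d+){3})", args.get("user-agent", ""))
        if m:
            findings.append((pid, image, "embedded-chromium-version", m.group(1)))
        plugin = args.get("PluginPath")
        if plugin and plugin.lower().startswith(T.lower()):
            findings.append((pid, image, "plugin-dll-from-temp", plugin))
        for flag in ("DiskApiHttps", "StatisticHttps"):
            if args.get(flag) == "0":
                findings.append((pid, image, "https-disabled-flag", flag))
    return findings

def summarize(findings):
    by_indicator = defaultdict(set)  # indicator -> PIDs it was seen on
    for pid, _, indicator, _ in findings:
        by_indicator[indicator].add(pid)
    return {k: sorted(v) for k, v in by_indicator.items()}

if __name__ == "__main__":
    print(summarize(triage(PROCESS_TREE)))
```

Running it yields one line per indicator with the PIDs it applies to; the sandbox-disabled and Chromium-version indicators cover all five TeraBoxRender.exe children, the Flash and V8-mitigation ones the two renderers, and the Temp-plugin and HTTPS-flag ones the three TeraBoxHost.exe instances. The same parser can be pointed at a live process list (e.g. the CommandLine column of a process-creation log) to alert on --no-sandbox or on DLL plugins loaded from a user-writable directory.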

Network

MITRE ATT&CK Matrix

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

          Filesize

          959B

          MD5

          d5e98140c51869fc462c8975620faa78

          SHA1

          07e032e020b72c3f192f0628a2593a19a70f069e

          SHA256

          5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e

          SHA512

          9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

          Filesize

          192B

          MD5

          fb5c1efeaad7a48f1be1e624884fb025

          SHA1

          11d228fe79deb203aa2f95f19b158cc0e31691ac

          SHA256

          e0bb5e07198bd3324f94f5109d59f5f130be468687bf7c952fd8c1e0fe7d6cd5

          SHA512

          2130ca5a5caad12f277447c2680550f45bdd99fb8f38b55da5d33fe2c5c58ed2d2ade4e7f81e5ce4f2cad74b355253ffe42dc72feaa1cb64fa1f6e5dd10bce7b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          c98d8a861330ef320569e1197002a769

          SHA1

          4e44c2feea1ebf77828ab3250392bdc85c15f879

          SHA256

          ed010f6597d8042e960be6c6d5fb0c23ba8c1de7d56563cd56f1299719a565ee

          SHA512

          5fe110dfa19f2982c62930b343349796a694aeb4d9d9bf46bb227ee0804c004754751614ad14cab8575bee315ff1fa7a6fc099540bd87e97f70aa14c4a9fe001

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

          MD5

          17b5988bdae67fbad89bb5f898d5dda5

          SHA1

          233c11ec290223233464252c8daad86efd437ca5

          SHA256

          8e20ad6023910e46617a95ca23b84aed416886c6409966cb99afa51bee63a271

          SHA512

          2e2d96d8849a338de88b5c5e8d5986658b8f72939220391a50cc4d45f24a7ebde0f6771ccb646af3252975640413e7ab6650a37b1281ca9ed8664523eecb576d

        • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

          Filesize

          164B

          MD5

          833901be7cae0bad61dcb3737fb347b8

          SHA1

          fc59c331de8952bbd92fbbd0008ffd886444108d

          SHA256

          4c87299bfd8a39708489ed0bd70e71045d81f73add2373c17028077f2ada0df3

          SHA512

          50965243768050282e2d96293b58b120f5c4cb833184495a9223982d860fd27e1f1516e861a03dd4790a4c0d0cf859ee93a72af3577acf79650799c2ab847bfd

        • C:\Users\Admin\AppData\Local\Temp\Tar31CF.tmp

          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • memory/320-1750-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

        • memory/320-1725-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

        • memory/320-1871-0x00000000682D0000-0x00000000696FC000-memory.dmp

          Filesize

          20.2MB

        • memory/320-1870-0x0000000000BE0000-0x0000000000C80000-memory.dmp

          Filesize

          640KB

        • memory/320-1755-0x0000000000300000-0x0000000000301000-memory.dmp

          Filesize

          4KB

        • memory/320-1748-0x00000000002F0000-0x00000000002F1000-memory.dmp

          Filesize

          4KB

        • memory/320-1762-0x0000000077980000-0x0000000077981000-memory.dmp

          Filesize

          4KB

        • memory/320-1760-0x0000000000310000-0x0000000000311000-memory.dmp

          Filesize

          4KB

        • memory/320-1758-0x0000000000310000-0x0000000000311000-memory.dmp

          Filesize

          4KB

        • memory/320-1756-0x0000000000310000-0x0000000000311000-memory.dmp

          Filesize

          4KB

        • memory/320-1723-0x0000000000BE0000-0x0000000000C80000-memory.dmp

          Filesize

          640KB

        • memory/320-1722-0x0000000000BE0000-0x0000000000C80000-memory.dmp

          Filesize

          640KB

        • memory/320-1724-0x00000000000C0000-0x00000000000C1000-memory.dmp

          Filesize

          4KB

        • memory/320-1753-0x0000000000300000-0x0000000000301000-memory.dmp

          Filesize

          4KB

        • memory/320-1728-0x00000000682D0000-0x00000000696FC000-memory.dmp

          Filesize

          20.2MB

        • memory/320-1727-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

        • memory/320-1730-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

        • memory/320-1731-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

        • memory/320-1733-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

        • memory/320-1735-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

        • memory/320-1738-0x0000000000290000-0x0000000000291000-memory.dmp

          Filesize

          4KB

        • memory/320-1740-0x0000000000290000-0x0000000000291000-memory.dmp

          Filesize

          4KB

        • memory/320-1743-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

        • memory/320-1745-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

        • memory/1936-1869-0x00000000003C0000-0x00000000003C1000-memory.dmp

          Filesize

          4KB

        • memory/1936-1868-0x0000000000BE0000-0x0000000000C80000-memory.dmp

          Filesize

          640KB

        • memory/2212-0-0x0000000000700000-0x0000000000701000-memory.dmp

          Filesize

          4KB

        • memory/2556-68-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

          Filesize

          256KB

        • memory/2556-1720-0x0000000005C20000-0x0000000005E20000-memory.dmp

          Filesize

          2.0MB

        • memory/2556-1719-0x0000000005C20000-0x0000000005E20000-memory.dmp

          Filesize

          2.0MB

        • memory/2556-853-0x0000000002E90000-0x0000000002E91000-memory.dmp

          Filesize

          4KB

        • memory/2556-780-0x00000000002F0000-0x00000000009D5000-memory.dmp

          Filesize

          6.9MB

        • memory/2556-52-0x00000000002F0000-0x00000000009D5000-memory.dmp

          Filesize

          6.9MB

        • memory/2556-53-0x0000000002E90000-0x0000000002E91000-memory.dmp

          Filesize

          4KB

        • memory/2556-66-0x0000000002E90000-0x0000000002E91000-memory.dmp

          Filesize

          4KB

        • memory/2792-97-0x0000000000080000-0x0000000000081000-memory.dmp

          Filesize

          4KB
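The memory entries above encode the PID, a sequence number and the dumped address range in their file names, and the same range is often dumped more than once (PID 320's 0x682D0000-0x696FC000 region appears at sequence 1728 and 1871, PID 2556's 0x2F0000-0x9D5000 region at 52 and 780; the 0xBE0000-0xC80000 region appears in both TeraBoxHost.exe PIDs, 320 and 1936). The script below is an added example by the editor, not part of the report: it parses the names, checks that each range's length agrees with the Filesize printed beside it, and ranks the distinct regions by size so an analyst can decide which dumps to pull first. The name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp and the size-rounding rule are inferred from the entries themselves; the report does not say what any region contains.

```python
"""Sanity-check the memory-dump entries listed under Downloads.

Added example by the editor; not part of the sandbox report. Entry names and
the size labels beside them are copied from the report. Reading the names as
memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the entries."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed subset of the report's entries: (name, Filesize label as printed).
DUMPS = [
    ("memory/320-1871-0x00000000682D0000-0x00000000696FC000-memory.dmp", "20.2MB"),
    ("memory/320-1870-0x0000000000BE0000-0x0000000000C80000-memory.dmp", "640KB"),
    ("memory/320-1728-0x00000000682D0000-0x00000000696FC000-memory.dmp", "20.2MB"),
    ("memory/320-1750-0x00000000002F0000-0x00000000002F1000-memory.dmp", "4KB"),
    ("memory/1936-1868-0x0000000000BE0000-0x0000000000C80000-memory.dmp", "640KB"),
    ("memory/2212-0-0x0000000000700000-0x0000000000701000-memory.dmp", "4KB"),
    ("memory/2556-68-0x0000000004BB0000-0x0000000004BF0000-memory.dmp", "256KB"),
    ("memory/2556-780-0x00000000002F0000-0x00000000009D5000-memory.dmp", "6.9MB"),
    ("memory/2556-52-0x00000000002F0000-0x00000000009D5000-memory.dmp", "6.9MB"),
    ("memory/2556-1720-0x0000000005C20000-0x0000000005E20000-memory.dmp", "2.0MB"),
    ("memory/2792-97-0x0000000000080000-0x0000000000081000-memory.dmp", "4KB"),
]


def parse_dump(name):
    """Return pid, sequence number, start, end and byte size of one dump entry."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump entry: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human(nbytes):
    """Format a byte count the way the report's Filesize labels do (assumed rule:
    whole KB below 1 MiB, one decimal MB above)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_sizes(dumps):
    """Names whose address range does not match the Filesize printed beside them."""
    return [name for name, label in dumps if human(parse_dump(name)["size"]) != label]


def regions(dumps):
    """Group entries by (pid, start, end) -> sorted list of sequence numbers."""
    grouped = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        grouped[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: sorted(v) for k, v in grouped.items()}


def largest_regions(dumps, n=3):
    """The n biggest distinct regions as (pid, start, end, size), largest first."""
    distinct = [(pid, s, e, e - s) for pid, s, e in regions(dumps)]
    return sorted(distinct, key=lambda r: r[3], reverse=True)[:n]


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    snapshots = regions(DUMPS)
    for pid, s, e, size in largest_regions(DUMPS):
        print(f"pid {pid:<5} {s:#010x}-{e:#010x} {human(size):>7} "
              f"dumped {len(snapshots[(pid, s, e)])}x")
```

For this report every printed Filesize agrees with its address range, and the ranking puts PID 320's 20.2MB region first, followed by PID 2556's 6.9MB and 2.0MB regions. Regions that were dumped twice give before/after snapshots of the same memory, which is what to diff when looking for code that was written into the process after start.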