Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-03-2024 16:33

General

  • Target

    AutoUpdate/Autoupdate.exe

  • Size

    2.8MB

  • MD5

    8ccf980ea54f3605d4360645416ad152

  • SHA1

    99231ce34e0ff68dd417c2246a5ca71d147f96fe

  • SHA256

    40a650cb5d37d6a5b3d8674f50ae3f6e243ac80f595f64d0b72f97854d5f20df

  • SHA512

    644c51032536934bf1ebce9c93e97d201f18fffd21d31fb083853c7084c8fc63a35c02907bf91be0301805103a892c3f03164f5543daa976b22788b364be1a21

  • SSDEEP

    49152:x7L6oPOReVwkTVcXj/SZTLvIkP4qghgZnfw58hG7UB:x7NQeZVcX7aIFqgiZfS

Score
1/10

Malware Config

Signatures

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
      C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2592 /prefetch:2
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1480
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2992 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3332
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4992
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2232
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
        3⤵
        PID:1728
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
        -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4392.0.1622583539\948058461 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.127" -PcGuid "TBIMXV2-O_1BFC62DE894E4412891C1A105917C0CC-C_0-D_QM00013-M_CE289885E65A-V_936711F3" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        PID:1044
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4392.0.1622583539\948058461 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.127" -PcGuid "TBIMXV2-O_1BFC62DE894E4412891C1A105917C0CC-C_0-D_QM00013-M_CE289885E65A-V_936711F3" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4392.1.1315457311\1560588648 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.127" -PcGuid "TBIMXV2-O_1BFC62DE894E4412891C1A105917C0CC-C_0-D_QM00013-M_CE289885E65A-V_936711F3" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        PID:1216
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4228
      • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4920 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:700
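The sandbox signatures above are generic (process enumeration, WriteProcessMemory, privilege adjustment) and do not call out anything in the command lines themselves. A reviewer reading the process tree would instead note the launch switches: every Chromium-style child runs with --no-sandbox (the GPU process additionally with --disable-gpu-sandbox), the renderers carry --no-v8-untrusted-code-mitigations and a --ppapi-flash-path under Temp, the --user-agent pins the embedded Chromium to 86.0.4240.198, TeraBoxHost.exe loads its plugin DLLs from Temp, and its -DiskApiHttps 0 / -StatisticHttps 0 options are worth checking against the network capture. The script below is an added example, not code from the sandbox report or from TeraBox. It copies four of the reported command lines (PIDs 4392, 4992, 700 and 3604) as constructed input, tokenizes them the way a Windows command line is quoted, and emits those findings. Which switches it flags, and the reading of the -*Https 0 options as "HTTPS off", are this example's own assumptions; the sandbox did not emit these findings.

```python
"""Command-line triage of the sandbox process tree above.

Added example, not code from the sandbox report or from TeraBox. PROCESSES
holds command lines copied from the Processes section; the rules in
triage() are this example's own assumptions about which switches matter.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (pid, command line) pairs copied from the report above.
PROCESSES = [
    (4392, r'C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate'),
    (4992, r'"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1'),
    (700, r'"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4920 /prefetch:2'),
    (3604, r'"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4392.0.1622583539\948058461 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.127" -PcGuid "TBIMXV2-O_1BFC62DE894E4412891C1A105917C0CC-C_0-D_QM00013-M_CE289885E65A-V_936711F3" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1'),
]

TEMP_DIR = "\\appdata\\local\\temp\\"  # matched case-insensitively

# Windows command lines: a token is a run of non-space characters in which
# double-quoted segments (possibly glued to a --switch=) keep their spaces.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline: str) -> list[str]:
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def chromium_switches(tokens: list[str]) -> dict[str, str | None]:
    """--name[=value] switches after the image path; bare switches map to None."""
    out: dict[str, str | None] = {}
    for t in tokens[1:]:
        if t.startswith("--"):
            name, _, value = t[2:].partition("=")
            out[name] = value or None
    return out


def dash_options(tokens: list[str]) -> dict[str, str]:
    """'-Key value' pairs, the convention TeraBoxHost.exe uses."""
    out: dict[str, str] = {}
    for i in range(1, len(tokens) - 1):
        t, nxt = tokens[i], tokens[i + 1]
        if t.startswith("-") and not t.startswith("--") and not nxt.startswith("-"):
            out[t[1:]] = nxt
    return out


@dataclass
class Finding:
    pid: int
    image: str
    note: str


def triage(pid: int, cmdline: str) -> list[Finding]:
    tokens = tokenize(cmdline)
    image = tokens[0]
    sw = chromium_switches(tokens)
    opts = dash_options(tokens)
    found: list[Finding] = []

    def add(note: str) -> None:
        found.append(Finding(pid, image.rsplit("\\", 1)[-1], note))

    if TEMP_DIR in image.lower():
        add("image runs from the user's Temp directory")
    for s in ("no-sandbox", "disable-gpu-sandbox"):
        if s in sw:
            add(f"--{s}: Chromium sandbox disabled for type={sw.get('type')}")
    if "no-v8-untrusted-code-mitigations" in sw:
        add("--no-v8-untrusted-code-mitigations: V8 untrusted-code mitigations off")
    if "ppapi-flash-path" in sw:
        add(f"loads PPAPI Flash plugin {sw['ppapi-flash-path']} "
            f"(version {sw.get('ppapi-flash-version')})")
    m = re.search(r"Chrome/(\d+)\.", sw.get("user-agent") or "")
    if m:
        add(f"embedded Chromium major version {m.group(1)} per --user-agent")
    plugin = opts.get("PluginPath", "")
    if TEMP_DIR in plugin.lower():
        add(f"plugin host loads DLL from Temp: {plugin}")
    for key in ("DiskApiHttps", "StatisticHttps"):
        if opts.get(key) == "0":
            # Reading the option name as "HTTPS off" is an assumption of this example.
            add(f"-{key} 0: option name suggests plaintext HTTP for this channel")
    return found


def triage_all(processes=PROCESSES) -> list[Finding]:
    return [f for pid, cmd in processes for f in triage(pid, cmd)]


if __name__ == "__main__":
    for f in triage_all():
        print(f"{f.pid:>5} {f.image:<20} {f.note}")
```

The tokenizer matters more than it looks: a naive split on whitespace breaks the quoted --user-agent and --log-file values into several tokens, and the --no-sandbox switch then goes unnoticed when it follows a broken value. To extend this to the remaining processes in the tree, append their (pid, command line) pairs to PROCESSES.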

        Network

        MITRE ATT&CK Matrix

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

          Filesize

          164B

          MD5

          3f12717aebc906157bc092b8a6d54d23

          SHA1

          ea83d10d3df3f2c1265042f5bae8ec69d8bb522f

          SHA256

          5f2c28229e5a0b634f12fb49e87509cb326da271f8d6ae6609f24f7b1f9688a3

          SHA512

          8d2a876b553455229811ad96337c7e0e7753b4b0da7b0f279fd3661ba5dd66521dcaf3dd0267f179d3f872af3c81b65e8dfc86dab6be62459fa65765e502254a

        • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000056

          Filesize

          198KB

          MD5

          cda68ffa26095220a82ae0a7eaea5f57

          SHA1

          e892d887688790ddd8f0594607b539fc6baa9e40

          SHA256

          f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

          SHA512

          84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

        • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

          Filesize

          624B

          MD5

          b2fd1e3657286da576372b2e5a2dcb23

          SHA1

          7b7f8627733e4d88742b604bfbc3cf0dbcebd615

          SHA256

          53dd28037deb7219f0872ca77ef677570193c850f08504d29f473f4d8d3cc9ad

          SHA512

          566df1f251b11bde85f98c5b8efa3534553ad0b9a3100225733dc1ec07ce60f8ed0dbb518f3a637d83c25971d26406432da830c27948a0f62a31512d4b75c29c

        • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5805b8.TMP

          Filesize

          48B

          MD5

          620ae08b49d4e1d0d111e79d3a951aa5

          SHA1

          776fec2c3b8c1b48f639d73f564fe3fe37b688cd

          SHA256

          401337f580042d8dec3c6451e2b9d7d7c470817c053fd4462c84bb281e76eb1a

          SHA512

          7aed0af7f02b9206b5bff5c761a063352c71e4e82bb172ea78cecdccc538fa3b90aaf4a02f4de83bec8d4b2c5e6cdfcf93c615f9ba1e89d7a95c401f23b85c74

        • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

          Filesize

          1KB

          MD5

          91d8c03fefb04c9ce22929fe3158eeb2

          SHA1

          0020d50463910a9d02bfa5999c9e040d685e5a70

          SHA256

          a0c3d6b8d7f5853fd3f37bf39620ea70e7a68b817220ee8d0d53a6224840bc9a

          SHA512

          decf35dc1457b65c465aa4cc0798eead5fcad2c35e4737a2fa84098597a9c633b841a061441e6482eb1798b35f91a3a5d82cdf6e4095c871fe3bb32451523cd7

        • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58726c.TMP

          Filesize

          59B

          MD5

          78bfcecb05ed1904edce3b60cb5c7e62

          SHA1

          bf77a7461de9d41d12aa88fba056ba758793d9ce

          SHA256

          c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

          SHA512

          2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

        • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Session Storage\CURRENT

          Filesize

          16B

          MD5

          46295cac801e5d4857d09837238a6394

          SHA1

          44e0fa1b517dbf802b18faf0785eeea6ac51594b

          SHA256

          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

          SHA512

          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

        • memory/1216-298-0x0000000000C00000-0x0000000000CA0000-memory.dmp

          Filesize

          640KB

        • memory/1216-357-0x0000000000C00000-0x0000000000CA0000-memory.dmp

          Filesize

          640KB

        • memory/3604-282-0x00000000018A0000-0x00000000018A1000-memory.dmp

          Filesize

          4KB

        • memory/3604-71-0x0000000000C00000-0x0000000000CA0000-memory.dmp

          Filesize

          640KB

        • memory/3604-281-0x0000000001890000-0x0000000001891000-memory.dmp

          Filesize

          4KB

        • memory/3604-70-0x0000000000C00000-0x0000000000CA0000-memory.dmp

          Filesize

          640KB

        • memory/3604-283-0x0000000003360000-0x0000000003361000-memory.dmp

          Filesize

          4KB

        • memory/3604-284-0x0000000003370000-0x0000000003371000-memory.dmp

          Filesize

          4KB

        • memory/3604-279-0x00000000014C0000-0x00000000014C1000-memory.dmp

          Filesize

          4KB

        • memory/3604-278-0x00000000014B0000-0x00000000014B1000-memory.dmp

          Filesize

          4KB

        • memory/3604-280-0x0000000064F00000-0x000000006632C000-memory.dmp

          Filesize

          20.2MB

        • memory/3604-277-0x00000000014A0000-0x00000000014A1000-memory.dmp

          Filesize

          4KB

        • memory/3604-352-0x0000000000C00000-0x0000000000CA0000-memory.dmp

          Filesize

          640KB

        • memory/3604-354-0x0000000064F00000-0x000000006632C000-memory.dmp

          Filesize

          20.2MB

        • memory/4392-351-0x00000000048C0000-0x00000000048D0000-memory.dmp

          Filesize

          64KB

        • memory/4392-350-0x0000000000AD0000-0x00000000011B5000-memory.dmp

          Filesize

          6.9MB

        • memory/4392-10-0x0000000000AD0000-0x00000000011B5000-memory.dmp

          Filesize

          6.9MB

        • memory/4392-31-0x00000000048C0000-0x00000000048D0000-memory.dmp

          Filesize

          64KB

        • memory/4392-28-0x000000000AAF0000-0x000000000AAF1000-memory.dmp

          Filesize

          4KB