Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-03-2024 16:33

General

  • Target
    TeraBox.exe
  • Size
    6.8MB
  • MD5
    cd2539c928a77b46c37a9b4da821fa97
  • SHA1
    a8445e7cd4fc1083f7aa464f5adf9374aefeaa5d
  • SHA256
    74eb8cb2e07ff1eee37441cddb6563bc298da45a738f4f32513da5a82a164bb5
  • SHA512
    82ad8f18409419d52bee433e51929a9d16375ebc12d2ac2d8d9b592783f813e531d052394d5fcdbd4bad6d04993653f8ac7840c6a3048ea30dc8ca7d54ee142f
  • SSDEEP
    98304:8zWVnRcmVlL/Evm5yvvF1wFCIxmKkVaekszxlWPl3JE/nP:6WVnR3KvLH8C49kVaeLdlWwn

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"
    1⤵
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2612 /prefetch:2
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:4488
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2772 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3236
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3840
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3596
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
      2⤵
      PID:2544
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.988.0.509910715\1162017225 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.30" -PcGuid "TBIMXV2-O_11764094D0CA456E9891EA4243B161D2-C_0-D_QM00013-M_4643CEF3E9DE-V_556DE958" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      PID:1248
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.988.0.509910715\1162017225 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.30" -PcGuid "TBIMXV2-O_11764094D0CA456E9891EA4243B161D2-C_0-D_QM00013-M_4643CEF3E9DE-V_556DE958" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4528
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3576
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.988.1.1491316297\1895423684 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.30" -PcGuid "TBIMXV2-O_11764094D0CA456E9891EA4243B161D2-C_0-D_QM00013-M_4643CEF3E9DE-V_556DE958" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      2⤵
      PID:2336
    • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd a0044 -unlogin
      2⤵
      PID:1872
    • C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3716 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4244

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml
    Filesize: 22KB
    MD5: 50e940a33557749e8967787951b0b1f3
    SHA1: 5569074d7d12835f7f4a04b93f1b91b3b3da3500
    SHA256: 4a0fe43edb114b8df1ea5088966f71c35091e89a96894738cc61dbe59fe63559
    SHA512: 4011d8a6619d9b9c002dbbea6cc70db7dc894760ad9938ecf63f32e717d49b9e4f983a411d31e2cb6a30aede455ebe60db74aa2f22497667793635b2b33f56b0

  • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000056
    Filesize: 198KB
    MD5: cda68ffa26095220a82ae0a7eaea5f57
    SHA1: e892d887688790ddd8f0594607b539fc6baa9e40
    SHA256: f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb
    SHA512: 84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

  • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index
    Filesize: 48B
    MD5: 0fc7e183dcc4e05b382fefee33abb6b8
    SHA1: 48e391c252ff3b027bb2db1f955d84d6f03ffb00
    SHA256: b666525be4dd7bdc1b3df8a506e3193cb6a0745da5399c13b1f8eb29fc48f6a9
    SHA512: 9a0ee23144f60d7f97536da656737278cd878637b55b7b5a0a7c817c0f83ddb7e11662c901a4a58ecb0927fb9971d30086d142ebabd586a20542e5bdb7fc8b37

  • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index
    Filesize: 624B
    MD5: 40a79941e05d1cf25727a8fc9596fc1b
    SHA1: 9b91e809bc27cfe4e630c4e4434b7ec4e480f382
    SHA256: 16649116920f2fc9bf84e700537b673a50cd324337fb94c6c5149a75558fb281
    SHA512: 5d4b6ac784a52f2362387267a8bce47512a25a56ffc7f2844d7a099f2819ca848a2b9b3d47cc77e7becd5c562c678d54c687a7881c7c4f53f587d81c888f5af6

  • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State
    Filesize: 1KB
    MD5: 4da8ef0b702d76e61395831e10396ba3
    SHA1: 40e8cfa15fe42beef0f1eaac807318172cf9548f
    SHA256: c2e5b67685c4b5721fe0c6e15f7eadbd56b0bdde472072ef8951dbe249fe3d23
    SHA512: 03de5a740b3f7838daf94602450211f481a4d19955c3d8c850f2f94ff5246435c98b435ffe1ef239bbbaca5753e5df66f1b1a927886dbd70d5e76e84f53ad39c

  • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58845e.TMP
    Filesize: 59B
    MD5: 78bfcecb05ed1904edce3b60cb5c7e62
    SHA1: bf77a7461de9d41d12aa88fba056ba758793d9ce
    SHA256: c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
    SHA512: 2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

  • C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Session Storage\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Temp\TeraBox_status
    Filesize: 113B
    MD5: 8274b422f3a22f678f76607b2a8a6575
    SHA1: 4c8b70f7a3ba120fbc70640f1bd029643f6ff7ac
    SHA256: 2f2a23b1837793099440d34b1b128049914586bd34ef1063a7741ae9fff8e778
    SHA512: f9b45a43df7393bc95357fe244da6cc84be421e693e0183bb5371ccc1f5a4b92f1691917bc80a542587747fa6b6f6d7302573a8f55025692c97ddb8d25bc8c89

  • memory/988-10-0x0000000000EC0000-0x00000000015A5000-memory.dmp
    Filesize: 6.9MB
  • memory/988-39-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
    Filesize: 64KB
  • memory/988-347-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
    Filesize: 64KB
  • memory/988-346-0x0000000000EC0000-0x00000000015A5000-memory.dmp
    Filesize: 6.9MB
  • memory/988-29-0x0000000000EC0000-0x00000000015A5000-memory.dmp
    Filesize: 6.9MB
  • memory/2336-323-0x0000000000A40000-0x0000000000AE0000-memory.dmp
    Filesize: 640KB
  • memory/2336-370-0x0000000000A40000-0x0000000000AE0000-memory.dmp
    Filesize: 640KB
  • memory/2336-324-0x0000000000A40000-0x0000000000AE0000-memory.dmp
    Filesize: 640KB
  • memory/4528-286-0x0000000065290000-0x00000000666BC000-memory.dmp
    Filesize: 20.2MB
  • memory/4528-288-0x0000000002BF0000-0x0000000002BF1000-memory.dmp
    Filesize: 4KB
  • memory/4528-287-0x0000000002BE0000-0x0000000002BE1000-memory.dmp
    Filesize: 4KB
  • memory/4528-348-0x0000000000A40000-0x0000000000AE0000-memory.dmp
    Filesize: 640KB
  • memory/4528-349-0x0000000065290000-0x00000000666BC000-memory.dmp
    Filesize: 20.2MB
  • memory/4528-284-0x0000000002BC0000-0x0000000002BC1000-memory.dmp
    Filesize: 4KB
  • memory/4528-283-0x00000000010F0000-0x00000000010F1000-memory.dmp
    Filesize: 4KB
  • memory/4528-285-0x0000000002BD0000-0x0000000002BD1000-memory.dmp
    Filesize: 4KB
  • memory/4528-282-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
    Filesize: 4KB
  • memory/4528-280-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
    Filesize: 4KB
  • memory/4528-88-0x0000000000A40000-0x0000000000AE0000-memory.dmp
    Filesize: 640KB
  • memory/4528-79-0x0000000000A40000-0x0000000000AE0000-memory.dmp
    Filesize: 640KB