09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Analysis

max time kernel
594s
max time network
452s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

94c5b0443f1c39b71b22931509bf1985
SHA1

35cb27275187b8c0da72d00b8551aaf2c1059794
SHA256

7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
SHA512

a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
SSDEEP

49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{5C149380-D2DA-40CC-ADB3-4943F2AEC6B5}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2112	Autoupdate.exe
2112	Autoupdate.exe
3268	TeraBox.exe
3268	TeraBox.exe
3268	TeraBox.exe
3268	TeraBox.exe
3068	TeraBoxRender.exe
3068	TeraBoxRender.exe
3536	TeraBoxRender.exe
3536	TeraBoxRender.exe
3032	TeraBoxRender.exe
3032	TeraBoxRender.exe
3200	TeraBoxRender.exe
3200	TeraBoxRender.exe
3756	TeraBoxHost.exe
3756	TeraBoxHost.exe
3756	TeraBoxHost.exe
3756	TeraBoxHost.exe
3756	TeraBoxHost.exe
3756	TeraBoxHost.exe
2496	TeraBoxRender.exe
2496	TeraBoxRender.exe
1540	TeraBoxRender.exe
1540	TeraBoxRender.exe
1540	TeraBoxRender.exe
1540	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	2112	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	2112	Autoupdate.exe
Token: SeManageVolumePrivilege	3756	TeraBoxHost.exe
Token: SeBackupPrivilege	3756	TeraBoxHost.exe
Token: SeSecurityPrivilege	3756	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3268	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3268	TeraBox.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3068	3268	TeraBox.exe	86
PID 3268 wrote to memory of 3068	3268	TeraBox.exe	86
PID 3268 wrote to memory of 3068	3268	TeraBox.exe	86
PID 3268 wrote to memory of 4120	3268	TeraBox.exe	87
PID 3268 wrote to memory of 4120	3268	TeraBox.exe	87
PID 3268 wrote to memory of 4120	3268	TeraBox.exe	87
PID 3268 wrote to memory of 3032	3268	TeraBox.exe	88
PID 3268 wrote to memory of 3032	3268	TeraBox.exe	88
PID 3268 wrote to memory of 3032	3268	TeraBox.exe	88
PID 3268 wrote to memory of 3200	3268	TeraBox.exe	89
PID 3268 wrote to memory of 3200	3268	TeraBox.exe	89
PID 3268 wrote to memory of 3200	3268	TeraBox.exe	89
PID 3268 wrote to memory of 3536	3268	TeraBox.exe	90
PID 3268 wrote to memory of 3536	3268	TeraBox.exe	90
PID 3268 wrote to memory of 3536	3268	TeraBox.exe	90
PID 3268 wrote to memory of 3640	3268	TeraBox.exe	96
PID 3268 wrote to memory of 3640	3268	TeraBox.exe	96
PID 3268 wrote to memory of 3640	3268	TeraBox.exe	96
PID 3268 wrote to memory of 3756	3268	TeraBox.exe	98
PID 3268 wrote to memory of 3756	3268	TeraBox.exe	98
PID 3268 wrote to memory of 3756	3268	TeraBox.exe	98
PID 3268 wrote to memory of 3652	3268	TeraBox.exe	100
PID 3268 wrote to memory of 3652	3268	TeraBox.exe	100
PID 3268 wrote to memory of 3652	3268	TeraBox.exe	100
PID 3268 wrote to memory of 2496	3268	TeraBox.exe	103
PID 3268 wrote to memory of 2496	3268	TeraBox.exe	103
PID 3268 wrote to memory of 2496	3268	TeraBox.exe	103
PID 3268 wrote to memory of 1540	3268	TeraBox.exe	113
PID 3268 wrote to memory of 1540	3268	TeraBox.exe	113
PID 3268 wrote to memory of 1540	3268	TeraBox.exe	113

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2568,10551558263653610832,11116433261708729819,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2580 /prefetch:2
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2568,10551558263653610832,11116433261708729819,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4548 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2568,10551558263653610832,11116433261708729819,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2568,10551558263653610832,11116433261708729819,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3268.0.1676269295\595415760 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.225" -PcGuid "TBIMXV2-O_D7CEB83E01F04657ACF3580FCE560DB8-C_0-D_DD00013-M_46C99DBF4093-V_4B3CA004" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:3640
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3268.0.1676269295\595415760 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.225" -PcGuid "TBIMXV2-O_D7CEB83E01F04657ACF3580FCE560DB8-C_0-D_DD00013-M_46C99DBF4093-V_4B3CA004" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3268.1.17141257\1066914424 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.225" -PcGuid "TBIMXV2-O_D7CEB83E01F04657ACF3580FCE560DB8-C_0-D_DD00013-M_46C99DBF4093-V_4B3CA004" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:3652
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2568,10551558263653610832,11116433261708729819,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2568,10551558263653610832,11116433261708729819,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4144 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
4fbbd1a8e749610727bb75e514c9e6fe

SHA1
11380c8b4f4f067a11ba3aba86d8abda4bd8bdef

SHA256
b06ac3a94e9fd100ddb769d66baa26cdee82c7a1f55f273dd5cbc6c4f090f580

SHA512
46f74d7da4f5ca10d98b4c11e1bbdfee5cd4f0a39073bd7718e7fc706f078d1fdf88df3ea3be0b7ee974301b957f791d1eb1f2b75d23963b9fcbe63c7f1e9034

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000052

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
9373022f6dadf7e0bb6e420adbc9aa8b

SHA1
866e4071bf0fde1a08d24d4b0ccf58ef3663f940

SHA256
27239129a86ab675cedb7da4b2641e2184aa150acd5f26bad3b4d1f24225d3cf

SHA512
8788c54167915091cdfac0cb94544b9627f42e95329cc98bfc7fd68782444a8a59a5816c9a196d6d0ace279fd6142a751f64244a3949a72a08cf608ec236e416

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe58490a.TMP

Filesize
48B

MD5
0cf88d0cdedd424d13782f4c87c17580

SHA1
f06ed6259f7194743ac0bb1e4f016328017b746f

SHA256
3681440f57c3e73b127ee94aa3d880c061820b71ae6aaede8a55993ec4a00556

SHA512
8609e8dad282a9b7e467e2168f084fd8538ed58862773620f11c6358e92b1f54fa37f6f3f31b241ad572e79e1b02e7d39149a9a9c737d0bd3cb26f3f0d0ca6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
fe5933047a7f642999392dc47ebd9c0b

SHA1
51dae4280c00cbc65d58187c44c45bf99eeebf31

SHA256
54b94dedf0007dd729508ae551817591d7f3d4c13741f59d7f704ac08092447e

SHA512
138cb8f0321c728d5cc971a1b1309931224170ec2559b137a6c43e1a86bd45d28251ebd0623b398bc9cdeebcd4957111e3f422bf42afab3bda3cf826a846fea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58b11b.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
memory/3268-28-0x0000000000620000-0x0000000000C81000-memory.dmp

Filesize
6.4MB

Download
memory/3268-10-0x000000000062A000-0x000000000062B000-memory.dmp

Filesize
4KB

Download
memory/3268-339-0x0000000000620000-0x0000000000C81000-memory.dmp

Filesize
6.4MB

Download
memory/3756-71-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/3756-78-0x0000000065C20000-0x000000006704C000-memory.dmp

Filesize
20.2MB

Download
memory/3756-76-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3756-75-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3756-72-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3756-74-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3756-73-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3756-70-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download