09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Resubmissions

17-06-2024 17:37

240617-v7lpssxfke 10

14-06-2024 20:15

240614-y1wg7sthng 10

Analysis

max time kernel
288s
max time network
272s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

94c5b0443f1c39b71b22931509bf1985
SHA1

35cb27275187b8c0da72d00b8551aaf2c1059794
SHA256

7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
SHA512

a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
SSDEEP

49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1856	Autoupdate.exe
2040	TeraBox.exe
2040	TeraBox.exe
2904	TeraBoxRender.exe
1904	TeraBoxRender.exe
1960	TeraBoxRender.exe
2248	TeraBoxRender.exe
1800	TeraBoxRender.exe
2692	TeraBoxHost.exe
2692	TeraBoxHost.exe
2692	TeraBoxHost.exe
2040	TeraBox.exe
2040	TeraBox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	1856	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	1856	Autoupdate.exe
Token: SeManageVolumePrivilege	2692	TeraBoxHost.exe
Token: SeBackupPrivilege	2692	TeraBoxHost.exe
Token: SeSecurityPrivilege	2692	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2040	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2040	TeraBox.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2904	2040	TeraBox.exe	30
PID 2040 wrote to memory of 2904	2040	TeraBox.exe	30
PID 2040 wrote to memory of 2904	2040	TeraBox.exe	30
PID 2040 wrote to memory of 2904	2040	TeraBox.exe	30
PID 2040 wrote to memory of 1904	2040	TeraBox.exe	31
PID 2040 wrote to memory of 1904	2040	TeraBox.exe	31
PID 2040 wrote to memory of 1904	2040	TeraBox.exe	31
PID 2040 wrote to memory of 1904	2040	TeraBox.exe	31
PID 2040 wrote to memory of 2248	2040	TeraBox.exe	32
PID 2040 wrote to memory of 2248	2040	TeraBox.exe	32
PID 2040 wrote to memory of 2248	2040	TeraBox.exe	32
PID 2040 wrote to memory of 2248	2040	TeraBox.exe	32
PID 2040 wrote to memory of 1960	2040	TeraBox.exe	33
PID 2040 wrote to memory of 1960	2040	TeraBox.exe	33
PID 2040 wrote to memory of 1960	2040	TeraBox.exe	33
PID 2040 wrote to memory of 1960	2040	TeraBox.exe	33
PID 2040 wrote to memory of 1604	2040	TeraBox.exe	34
PID 2040 wrote to memory of 1604	2040	TeraBox.exe	34
PID 2040 wrote to memory of 1604	2040	TeraBox.exe	34
PID 2040 wrote to memory of 1604	2040	TeraBox.exe	34
PID 2040 wrote to memory of 1800	2040	TeraBox.exe	35
PID 2040 wrote to memory of 1800	2040	TeraBox.exe	35
PID 2040 wrote to memory of 1800	2040	TeraBox.exe	35
PID 2040 wrote to memory of 1800	2040	TeraBox.exe	35
PID 2040 wrote to memory of 2684	2040	TeraBox.exe	38
PID 2040 wrote to memory of 2684	2040	TeraBox.exe	38
PID 2040 wrote to memory of 2684	2040	TeraBox.exe	38
PID 2040 wrote to memory of 2684	2040	TeraBox.exe	38
PID 2040 wrote to memory of 2692	2040	TeraBox.exe	39
PID 2040 wrote to memory of 2692	2040	TeraBox.exe	39
PID 2040 wrote to memory of 2692	2040	TeraBox.exe	39
PID 2040 wrote to memory of 2692	2040	TeraBox.exe	39
PID 2040 wrote to memory of 2600	2040	TeraBox.exe	40
PID 2040 wrote to memory of 2600	2040	TeraBox.exe	40
PID 2040 wrote to memory of 2600	2040	TeraBox.exe	40
PID 2040 wrote to memory of 2600	2040	TeraBox.exe	40

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2032,17370345587928906423,5292855918133907991,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2040 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,17370345587928906423,5292855918133907991,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3000 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2032,17370345587928906423,5292855918133907991,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2032,17370345587928906423,5292855918133907991,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2032,17370345587928906423,5292855918133907991,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2040 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2040.0.2012680580\469949969 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.117" -PcGuid "TBIMXV2-O_52CA486079FD4C7C95376984318EDE11-C_0-D_4444303031302033202020202020202020202020-M_FAD28091DCF5-V_CB3172B4" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2040.0.2012680580\469949969 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.117" -PcGuid "TBIMXV2-O_52CA486079FD4C7C95376984318EDE11-C_0-D_4444303031302033202020202020202020202020-M_FAD28091DCF5-V_CB3172B4" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2040.1.2133886270\550061046 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.117" -PcGuid "TBIMXV2-O_52CA486079FD4C7C95376984318EDE11-C_0-D_4444303031302033202020202020202020202020-M_FAD28091DCF5-V_CB3172B4" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

Filesize
959B

MD5
d5e98140c51869fc462c8975620faa78

SHA1
07e032e020b72c3f192f0628a2593a19a70f069e

SHA256
5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e

SHA512
9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

Filesize
192B

MD5
b6d075763d45f81df5d9a09e21e7d962

SHA1
03de8db6230ef5bab231b1679c94fa9408eeb220

SHA256
fab76e0cb9f08be5a8bee9e4a38460c957f12468220cb27c2225337d5e384f3a

SHA512
805f3f2b3eeff08913c1caed945c8866e9320da736223d4502b82300fa411ca93edc641938303586171ad00b0a6c083268db286377d8f3a30c04b9b6055d63e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
431a81e66a414fba23547bc82046f37a

SHA1
774c208e47bdd78d3ae040e318824f23fd2372f0

SHA256
ac156b43e111df3124d0cd8191607ad080f2e03bac2371869ee57c09133890ba

SHA512
dbcaf891c583883d9dca8951a82d8f234716c4b9c6aada11c11b7a273e141f1ee400e8e47ed756c769b442517838a773dad978c5db0969fcc1789e152b179e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
dfff77654d54109512d79ace7ea3add2

SHA1
92ba55b68ee3ee940520888038a75842a28404a2

SHA256
40caa424e17c75da041e2e90e47efd9a024d71ccd323043e633e08d3cc564751

SHA512
51c62e14d2ad4d0f3ff8d076b151ab9d95e57d12567ea8c55410a83024289d58e5cf692644ddb1042ccc3b338acaf382e7a629c8aee6d4b83b61180a19bab2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab280C.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar36DA.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
memory/1856-0-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2040-46-0x0000000000D90000-0x00000000013F1000-memory.dmp

Filesize
6.4MB

Download
memory/2040-59-0x0000000000D90000-0x00000000013F1000-memory.dmp

Filesize
6.4MB

Download
memory/2040-1031-0x0000000000D90000-0x00000000013F1000-memory.dmp

Filesize
6.4MB

Download
memory/2692-1410-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2692-1422-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2692-1407-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2692-1412-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2692-1403-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2692-1408-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2692-1417-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2692-1415-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2692-1420-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2692-1405-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2692-1432-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2692-1438-0x0000000067F50000-0x000000006937C000-memory.dmp

Filesize
20.2MB

Download
memory/2692-1437-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2692-1435-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2692-1433-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2692-1430-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2692-1427-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2692-1425-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download