09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Resubmissions

17-06-2024 17:37

240617-v7lpssxfke 10

14-06-2024 20:15

240614-y1wg7sthng 10

Analysis

max time kernel
293s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

94c5b0443f1c39b71b22931509bf1985
SHA1

35cb27275187b8c0da72d00b8551aaf2c1059794
SHA256

7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
SHA512

a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
SSDEEP

49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{D3B2AF7A-D8B0-40D7-8E01-D853DAE52FF1}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1176	Autoupdate.exe
1176	Autoupdate.exe
2992	TeraBox.exe
2992	TeraBox.exe
2992	TeraBox.exe
2992	TeraBox.exe
3092	TeraBoxRender.exe
3092	TeraBoxRender.exe
3052	TeraBoxRender.exe
3052	TeraBoxRender.exe
2800	TeraBoxRender.exe
2800	TeraBoxRender.exe
1112	TeraBoxRender.exe
1112	TeraBoxRender.exe
3836	TeraBoxHost.exe
3836	TeraBoxHost.exe
3836	TeraBoxHost.exe
3836	TeraBoxHost.exe
3836	TeraBoxHost.exe
3836	TeraBoxHost.exe
5876	TeraBoxRender.exe
5876	TeraBoxRender.exe
5500	TeraBoxRender.exe
5500	TeraBoxRender.exe
5500	TeraBoxRender.exe
5500	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	1176	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	1176	Autoupdate.exe
Token: SeManageVolumePrivilege	3836	TeraBoxHost.exe
Token: SeBackupPrivilege	3836	TeraBoxHost.exe
Token: SeSecurityPrivilege	3836	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2992	TeraBox.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3092	2992	TeraBox.exe	97
PID 2992 wrote to memory of 3092	2992	TeraBox.exe	97
PID 2992 wrote to memory of 3092	2992	TeraBox.exe	97
PID 2992 wrote to memory of 3052	2992	TeraBox.exe	98
PID 2992 wrote to memory of 3052	2992	TeraBox.exe	98
PID 2992 wrote to memory of 3052	2992	TeraBox.exe	98
PID 2992 wrote to memory of 2640	2992	TeraBox.exe	100
PID 2992 wrote to memory of 2640	2992	TeraBox.exe	100
PID 2992 wrote to memory of 2640	2992	TeraBox.exe	100
PID 2992 wrote to memory of 1112	2992	TeraBox.exe	101
PID 2992 wrote to memory of 1112	2992	TeraBox.exe	101
PID 2992 wrote to memory of 1112	2992	TeraBox.exe	101
PID 2992 wrote to memory of 2800	2992	TeraBox.exe	102
PID 2992 wrote to memory of 2800	2992	TeraBox.exe	102
PID 2992 wrote to memory of 2800	2992	TeraBox.exe	102
PID 2992 wrote to memory of 4036	2992	TeraBox.exe	103
PID 2992 wrote to memory of 4036	2992	TeraBox.exe	103
PID 2992 wrote to memory of 4036	2992	TeraBox.exe	103
PID 2992 wrote to memory of 3836	2992	TeraBox.exe	106
PID 2992 wrote to memory of 3836	2992	TeraBox.exe	106
PID 2992 wrote to memory of 3836	2992	TeraBox.exe	106
PID 2992 wrote to memory of 5876	2992	TeraBox.exe	107
PID 2992 wrote to memory of 5876	2992	TeraBox.exe	107
PID 2992 wrote to memory of 5876	2992	TeraBox.exe	107
PID 2992 wrote to memory of 6036	2992	TeraBox.exe	108
PID 2992 wrote to memory of 6036	2992	TeraBox.exe	108
PID 2992 wrote to memory of 6036	2992	TeraBox.exe	108
PID 2992 wrote to memory of 5500	2992	TeraBox.exe	111
PID 2992 wrote to memory of 5500	2992	TeraBox.exe	111
PID 2992 wrote to memory of 5500	2992	TeraBox.exe	111

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,5100367357725557737,8302755330923770947,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2492 /prefetch:2
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3092
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2604,5100367357725557737,8302755330923770947,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2972 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,5100367357725557737,8302755330923770947,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,5100367357725557737,8302755330923770947,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2992.0.1029108418\817908556 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.115" -PcGuid "TBIMXV2-O_20A81EDC7CB14FCE996EE7929BF337D1-C_0-D_DD00013-M_FEF50CB5D633-V_9BAD2E92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2992.0.1029108418\817908556 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.115" -PcGuid "TBIMXV2-O_20A81EDC7CB14FCE996EE7929BF337D1-C_0-D_DD00013-M_FEF50CB5D633-V_9BAD2E92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3836
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,5100367357725557737,8302755330923770947,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5876
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2992.1.1254045106\1679433349 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.115" -PcGuid "TBIMXV2-O_20A81EDC7CB14FCE996EE7929BF337D1-C_0-D_DD00013-M_FEF50CB5D633-V_9BAD2E92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:6036
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,5100367357725557737,8302755330923770947,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=852 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
be26d87000268b0b14c9e7de5dcc9af2

SHA1
c45af62784e5779ee76ad11af09d68133ae02733

SHA256
c0ec80c1fb46d2110fe7a1385270470aced4ec8e5bb1a4c0bd9782d70459c842

SHA512
ebe1d16b40a3071c65ef9e7c84a7f960f78016d63a3242788d75c467d420fe87dea35875b065f9883ac7721d5557cd93e0451988f7544dbd179b2f2912b6d974

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000055

Filesize
203KB

MD5
99916ce0720ed460e59d3fbd24d55be2

SHA1
d6bb9106eb65e3b84bfe03d872c931fb27f5a3db

SHA256
07118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf

SHA512
8d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
2aebe4fc774c8ac41be0cf8b7d971e90

SHA1
a9d0131e15ab0262b60efa666728684d87f62554

SHA256
28c031240cc404cf0a32e50d4884c8d128ee18d47697282f8a5878b5d3be98d8

SHA512
217c3e85d5e430139f3e2bfef14e4747351c5a9d88e6d164ddd2e4005af5212e9c67941e8f7edd81411445884d5e6c35de50123b6134bba94102d232a8a08c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
a254e053078bbd79354ea90deaddb509

SHA1
dd902346387aa78399be7b2f87340610e0d86cf3

SHA256
3155540004290115487a825a27e67cd6a91db9e035b8d0d128db17701c346028

SHA512
ab9374e837dfac9843f059c9b57a48b46efd15cc7417a1f300b776df1e334abc5ddf971108b54b41545f92fbf086721ed9654a847a61c4bf0a7bda34a557d9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
4109c63834235da94f3e00f95184fd8f

SHA1
0157f56c4ed31a25bc58758b8ee8cfb8c3125e2f

SHA256
48d25428d67618067686458bf09a35a5a41e0aa5364d09d73dbf012857c418d8

SHA512
6d5c7ced2c0012e91f334b177e942ebd6577c13333c3054574c4b14e016f8875c1756ff2f6e3fcd8c6cc9ecc59b4727f270120c1787272e10ad879fd27d00fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe592cb3.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
memory/2992-30-0x0000000000110000-0x0000000000771000-memory.dmp

Filesize
6.4MB

Download
memory/2992-10-0x000000000011A000-0x000000000011B000-memory.dmp

Filesize
4KB

Download
memory/2992-350-0x0000000000110000-0x0000000000771000-memory.dmp

Filesize
6.4MB

Download
memory/3836-276-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3836-280-0x0000000065950000-0x0000000066D7C000-memory.dmp

Filesize
20.2MB

Download
memory/3836-271-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3836-272-0x0000000001470000-0x0000000001471000-memory.dmp

Filesize
4KB

Download
memory/3836-273-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/3836-274-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/3836-275-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/3836-278-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download