Overview
overview
10Static
static
4TeraBox_sl....1.exe
windows7-x64
10TeraBox_sl....1.exe
windows10-2004-x64
4$PLUGINSDI...UI.dll
windows7-x64
3$PLUGINSDI...UI.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...sW.dll
windows7-x64
3$PLUGINSDI...sW.dll
windows10-2004-x64
3$TEMP/kernel.dll
windows7-x64
1$TEMP/kernel.dll
windows10-2004-x64
1AppUtil.dll
windows7-x64
1AppUtil.dll
windows10-2004-x64
1AutoUpdate...il.dll
windows7-x64
3AutoUpdate...il.dll
windows10-2004-x64
3AutoUpdate...te.exe
windows7-x64
1AutoUpdate...te.exe
windows10-2004-x64
1BugReport.exe
windows7-x64
3BugReport.exe
windows10-2004-x64
5Bull140U.dll
windows7-x64
1Bull140U.dll
windows10-2004-x64
1ChromeNati...st.exe
windows7-x64
1ChromeNati...st.exe
windows10-2004-x64
1HelpUtility.exe
windows7-x64
1HelpUtility.exe
windows10-2004-x64
1TeraBox.exe
windows7-x64
5TeraBox.exe
windows10-2004-x64
5TeraBoxHost.exe
windows7-x64
1TeraBoxHost.exe
windows10-2004-x64
1TeraBoxRender.exe
windows7-x64
1TeraBoxRender.exe
windows10-2004-x64
1TeraBoxWebService.exe
windows7-x64
1TeraBoxWebService.exe
windows10-2004-x64
1Analysis
-
max time kernel
145s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
19-06-2024 20:26
Behavioral task
behavioral1
Sample
TeraBox_sl_b_1.31.0.1.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
TeraBox_sl_b_1.31.0.1.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/NsisInstallUI.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/NsisInstallUI.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsProcessW.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsProcessW.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
$TEMP/kernel.dll
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
$TEMP/kernel.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
AppUtil.dll
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
AppUtil.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
AutoUpdate/AutoUpdateUtil.dll
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
AutoUpdate/AutoUpdateUtil.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
AutoUpdate/Autoupdate.exe
Resource
win7-20240611-en
Behavioral task
behavioral16
Sample
AutoUpdate/Autoupdate.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
BugReport.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
BugReport.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
Bull140U.dll
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
Bull140U.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
ChromeNativeMessagingHost.exe
Resource
win7-20231129-en
Behavioral task
behavioral22
Sample
ChromeNativeMessagingHost.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral23
Sample
HelpUtility.exe
Resource
win7-20240611-en
Behavioral task
behavioral24
Sample
HelpUtility.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
TeraBox.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
TeraBox.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
TeraBoxHost.exe
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
TeraBoxHost.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral29
Sample
TeraBoxRender.exe
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
TeraBoxRender.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
TeraBoxWebService.exe
Resource
win7-20240611-en
Behavioral task
behavioral32
Sample
TeraBoxWebService.exe
Resource
win10v2004-20240508-en
General
-
Target
AutoUpdate/Autoupdate.exe
-
Size
2.8MB
-
MD5
94c5b0443f1c39b71b22931509bf1985
-
SHA1
35cb27275187b8c0da72d00b8551aaf2c1059794
-
SHA256
7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
-
SHA512
a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
-
SSDEEP
49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 1244 Autoupdate.exe 1932 TeraBox.exe 1932 TeraBox.exe 2856 TeraBoxRender.exe 1344 TeraBoxRender.exe 1976 TeraBoxRender.exe 288 TeraBoxRender.exe 1376 TeraBoxRender.exe 2044 TeraBoxHost.exe 2044 TeraBoxHost.exe 2044 TeraBoxHost.exe 1932 TeraBox.exe 1932 TeraBox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1244 Autoupdate.exe Token: SeIncreaseQuotaPrivilege 1244 Autoupdate.exe Token: SeAssignPrimaryTokenPrivilege 1244 Autoupdate.exe Token: SeManageVolumePrivilege 2044 TeraBoxHost.exe Token: SeBackupPrivilege 2044 TeraBoxHost.exe Token: SeSecurityPrivilege 2044 TeraBoxHost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1932 TeraBox.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1932 TeraBox.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 1932 wrote to memory of 2856 1932 TeraBox.exe 30 PID 1932 wrote to memory of 2856 1932 TeraBox.exe 30 PID 1932 wrote to memory of 2856 1932 TeraBox.exe 30 PID 1932 wrote to memory of 2856 1932 TeraBox.exe 30 PID 1932 wrote to memory of 1344 1932 TeraBox.exe 31 PID 1932 wrote to memory of 1344 1932 TeraBox.exe 31 PID 1932 wrote to memory of 1344 1932 TeraBox.exe 31 PID 1932 wrote to memory of 1344 1932 TeraBox.exe 31 PID 1932 wrote to memory of 1976 1932 TeraBox.exe 32 PID 1932 wrote to memory of 1976 1932 TeraBox.exe 32 PID 1932 wrote to memory of 1976 1932 TeraBox.exe 32 PID 1932 wrote to memory of 1976 1932 TeraBox.exe 32 PID 1932 wrote to memory of 288 1932 TeraBox.exe 33 PID 1932 wrote to memory of 288 1932 TeraBox.exe 33 PID 1932 wrote to memory of 288 1932 TeraBox.exe 33 PID 1932 wrote to memory of 288 1932 TeraBox.exe 33 PID 1932 wrote to memory of 1924 1932 TeraBox.exe 34 PID 1932 wrote to memory of 1924 1932 TeraBox.exe 34 PID 1932 wrote to memory of 1924 1932 TeraBox.exe 34 PID 1932 wrote to memory of 1924 1932 TeraBox.exe 34 PID 1932 wrote to memory of 1376 1932 TeraBox.exe 35 PID 1932 wrote to memory of 1376 1932 TeraBox.exe 35 PID 1932 wrote to memory of 1376 1932 TeraBox.exe 35 PID 1932 wrote to memory of 1376 1932 TeraBox.exe 35 PID 1932 wrote to memory of 1188 1932 TeraBox.exe 38 PID 1932 wrote to memory of 1188 1932 TeraBox.exe 38 PID 1932 wrote to memory of 1188 1932 TeraBox.exe 38 PID 1932 wrote to memory of 1188 1932 TeraBox.exe 38 PID 1932 wrote to memory of 2044 1932 TeraBox.exe 39 PID 1932 wrote to memory of 2044 1932 TeraBox.exe 39 PID 1932 wrote to memory of 2044 1932 TeraBox.exe 39 PID 1932 wrote to memory of 2044 1932 TeraBox.exe 39 PID 1932 wrote to memory of 2088 1932 TeraBox.exe 40 PID 1932 wrote to memory of 2088 1932 TeraBox.exe 40 PID 1932 wrote to memory of 2088 1932 TeraBox.exe 40 PID 1932 wrote to memory of 2088 1932 TeraBox.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\TeraBox.exeC:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2040 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2856
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3040 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:1344
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:13⤵
- Suspicious behavior: EnumeratesProcesses
PID:288
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"3⤵PID:1924
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2180 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1376
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1932.0.553451165\183935057 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 13⤵PID:1188
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1932.0.553451165\183935057 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1932.1.611277149\88016828 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 13⤵PID:2088
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
959B
MD5d5e98140c51869fc462c8975620faa78
SHA107e032e020b72c3f192f0628a2593a19a70f069e
SHA2565c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA5129bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
Filesize192B
MD530d17002ebac0bc81c334d87e78701c3
SHA1a2660ec8742ab940e7e705facf8755e5d27cc448
SHA256339dbe16c9f733f045d704eca04a4f43c267b15b4d0504e37fc2a99ecea41387
SHA512119bcca827ea93cb8fed73d74d9d0bd1e0e1090f082869ad2cf4a19e1cb50755f57ba737f49213a74c7c727a1830cad351e054a5ce7f6f6bf13c4d1a18286287
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD588d5656f316cc8d64011d101924abcba
SHA11175e853790bfe6406f9905b471f488be2738a72
SHA2564e4b1dc183b156e84f0b769408788d08b45ef9ded4ed461a9c43b4669c4943c3
SHA512b815a68500e39b343f5377994dd27963515a394e9663688ce904e6a8023cb1b838feb0ca08131f118b5f05b7c6c388f0565d8bba1aba267a84896e73e70b343c
-
Filesize
164B
MD5718e0118cbf9724812a82f0f790a6821
SHA1bd2e9f045255c3805349aed979b2e57ee340340c
SHA2560b3d0c699349b77605b4cf8f0641fd517eeeda73b721e5a57b75eb54d271de7a
SHA512e0da1d77d94afb258402ab04ff0478322f51b7736abc662783ca7841432920ef91326620932725dc5923547a112abbbe58ae6cbe8dcf4086e0add28bf5f219ae
-
Filesize
67KB
MD52d3dcf90f6c99f47e7593ea250c9e749
SHA151be82be4a272669983313565b4940d4b1385237
SHA2568714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA5129c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5
-
Filesize
160KB
MD57186ad693b8ad9444401bd9bcd2217c2
SHA15c28ca10a650f6026b0df4737078fa4197f3bac1
SHA2569a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b