09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

94c5b0443f1c39b71b22931509bf1985
SHA1

35cb27275187b8c0da72d00b8551aaf2c1059794
SHA256

7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
SHA512

a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
SSDEEP

49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{D3FB7F77-3B77-44C4-9EAE-FA87CEFEB645}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5084	Autoupdate.exe
5084	Autoupdate.exe
3852	TeraBox.exe
3852	TeraBox.exe
3852	TeraBox.exe
3852	TeraBox.exe
460	TeraBoxRender.exe
460	TeraBoxRender.exe
1036	TeraBoxRender.exe
1036	TeraBoxRender.exe
4160	TeraBoxRender.exe
4160	TeraBoxRender.exe
4464	TeraBoxRender.exe
4464	TeraBoxRender.exe
868	TeraBoxRender.exe
868	TeraBoxRender.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	5084	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	5084	Autoupdate.exe
Token: SeManageVolumePrivilege	1516	TeraBoxHost.exe
Token: SeBackupPrivilege	1516	TeraBoxHost.exe
Token: SeSecurityPrivilege	1516	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3852	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3852	TeraBox.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 460	3852	TeraBox.exe	87
PID 3852 wrote to memory of 460	3852	TeraBox.exe	87
PID 3852 wrote to memory of 460	3852	TeraBox.exe	87
PID 3852 wrote to memory of 1036	3852	TeraBox.exe	88
PID 3852 wrote to memory of 1036	3852	TeraBox.exe	88
PID 3852 wrote to memory of 1036	3852	TeraBox.exe	88
PID 3852 wrote to memory of 2380	3852	TeraBox.exe	89
PID 3852 wrote to memory of 2380	3852	TeraBox.exe	89
PID 3852 wrote to memory of 2380	3852	TeraBox.exe	89
PID 3852 wrote to memory of 4464	3852	TeraBox.exe	90
PID 3852 wrote to memory of 4464	3852	TeraBox.exe	90
PID 3852 wrote to memory of 4464	3852	TeraBox.exe	90
PID 3852 wrote to memory of 4160	3852	TeraBox.exe	91
PID 3852 wrote to memory of 4160	3852	TeraBox.exe	91
PID 3852 wrote to memory of 4160	3852	TeraBox.exe	91
PID 3852 wrote to memory of 4492	3852	TeraBox.exe	92
PID 3852 wrote to memory of 4492	3852	TeraBox.exe	92
PID 3852 wrote to memory of 4492	3852	TeraBox.exe	92
PID 3852 wrote to memory of 868	3852	TeraBox.exe	93
PID 3852 wrote to memory of 868	3852	TeraBox.exe	93
PID 3852 wrote to memory of 868	3852	TeraBox.exe	93
PID 3852 wrote to memory of 4708	3852	TeraBox.exe	96
PID 3852 wrote to memory of 4708	3852	TeraBox.exe	96
PID 3852 wrote to memory of 4708	3852	TeraBox.exe	96
PID 3852 wrote to memory of 1516	3852	TeraBox.exe	99
PID 3852 wrote to memory of 1516	3852	TeraBox.exe	99
PID 3852 wrote to memory of 1516	3852	TeraBox.exe	99
PID 3852 wrote to memory of 4948	3852	TeraBox.exe	101
PID 3852 wrote to memory of 4948	3852	TeraBox.exe	101
PID 3852 wrote to memory of 4948	3852	TeraBox.exe	101
PID 3852 wrote to memory of 1284	3852	TeraBox.exe	104
PID 3852 wrote to memory of 1284	3852	TeraBox.exe	104
PID 3852 wrote to memory of 1284	3852	TeraBox.exe	104

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2504 /prefetch:2
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:460
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3040 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:868
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3852.0.1182109868\1714830166 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3852.0.1182109868\1714830166 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3852.1.1257223808\60635573 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3916 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
115B

MD5
72b65264d8979d98bd19cc98c7dd5c30

SHA1
3be7106007fa698dcf8b62bcd17d25a5702ab958

SHA256
b022346d5511f83bcde7ead672a0ec6b5ca5df3a3eed9a9ac3803257b44ea893

SHA512
e14136fcf9806ae2e13c76d7ae4e89f7387d5b09310783b306d42e244271ad15e1cd8a8b8c2b55a73babbad8477b994574b85792244622d220f1e03c8d6c4461

Download Submit
memory/1516-54-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1516-55-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1516-56-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/1516-57-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1516-58-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/1516-59-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1516-60-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/1516-61-0x00000000657B0000-0x0000000066BDC000-memory.dmp

Filesize
20.2MB

Download
memory/3852-8-0x0000000000C2A000-0x0000000000C2B000-memory.dmp

Filesize
4KB

Download
memory/3852-28-0x0000000000C20000-0x0000000001281000-memory.dmp

Filesize
6.4MB

Download
memory/3852-91-0x0000000000C20000-0x0000000001281000-memory.dmp

Filesize
6.4MB

Download