09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Analysis

max time kernel
145s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

94c5b0443f1c39b71b22931509bf1985
SHA1

35cb27275187b8c0da72d00b8551aaf2c1059794
SHA256

7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
SHA512

a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
SSDEEP

49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{395D24F2-0AAE-465E-9628-426FF0317612}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4364	Autoupdate.exe
4364	Autoupdate.exe
4672	TeraBox.exe
4672	TeraBox.exe
4672	TeraBox.exe
4672	TeraBox.exe
2312	TeraBoxRender.exe
2312	TeraBoxRender.exe
4484	TeraBoxRender.exe
4484	TeraBoxRender.exe
3384	TeraBoxRender.exe
3384	TeraBoxRender.exe
1148	TeraBoxRender.exe
1148	TeraBoxRender.exe
3952	TeraBoxHost.exe
3952	TeraBoxHost.exe
3952	TeraBoxHost.exe
3952	TeraBoxHost.exe
3952	TeraBoxHost.exe
3952	TeraBoxHost.exe
3900	TeraBoxRender.exe
3900	TeraBoxRender.exe
2712	TeraBoxRender.exe
2712	TeraBoxRender.exe
2712	TeraBoxRender.exe
2712	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4364	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	4364	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	4364	Autoupdate.exe
Token: SeManageVolumePrivilege	3952	TeraBoxHost.exe
Token: SeBackupPrivilege	3952	TeraBoxHost.exe
Token: SeSecurityPrivilege	3952	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4672	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4672	TeraBox.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 2312	4672	TeraBox.exe	86
PID 4672 wrote to memory of 2312	4672	TeraBox.exe	86
PID 4672 wrote to memory of 2312	4672	TeraBox.exe	86
PID 4672 wrote to memory of 4484	4672	TeraBox.exe	87
PID 4672 wrote to memory of 4484	4672	TeraBox.exe	87
PID 4672 wrote to memory of 4484	4672	TeraBox.exe	87
PID 4672 wrote to memory of 1148	4672	TeraBox.exe	88
PID 4672 wrote to memory of 1148	4672	TeraBox.exe	88
PID 4672 wrote to memory of 1148	4672	TeraBox.exe	88
PID 4672 wrote to memory of 3384	4672	TeraBox.exe	89
PID 4672 wrote to memory of 3384	4672	TeraBox.exe	89
PID 4672 wrote to memory of 3384	4672	TeraBox.exe	89
PID 4672 wrote to memory of 3752	4672	TeraBox.exe	90
PID 4672 wrote to memory of 3752	4672	TeraBox.exe	90
PID 4672 wrote to memory of 3752	4672	TeraBox.exe	90
PID 4672 wrote to memory of 2568	4672	TeraBox.exe	92
PID 4672 wrote to memory of 2568	4672	TeraBox.exe	92
PID 4672 wrote to memory of 2568	4672	TeraBox.exe	92
PID 4672 wrote to memory of 3952	4672	TeraBox.exe	93
PID 4672 wrote to memory of 3952	4672	TeraBox.exe	93
PID 4672 wrote to memory of 3952	4672	TeraBox.exe	93
PID 4672 wrote to memory of 3900	4672	TeraBox.exe	94
PID 4672 wrote to memory of 3900	4672	TeraBox.exe	94
PID 4672 wrote to memory of 3900	4672	TeraBox.exe	94
PID 4672 wrote to memory of 1588	4672	TeraBox.exe	95
PID 4672 wrote to memory of 1588	4672	TeraBox.exe	95
PID 4672 wrote to memory of 1588	4672	TeraBox.exe	95
PID 4672 wrote to memory of 2712	4672	TeraBox.exe	98
PID 4672 wrote to memory of 2712	4672	TeraBox.exe	98
PID 4672 wrote to memory of 2712	4672	TeraBox.exe	98

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2484,7656127922170392856,10220518316643822560,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2632 /prefetch:2
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2484,7656127922170392856,10220518316643822560,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2820 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2484,7656127922170392856,10220518316643822560,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1148
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2484,7656127922170392856,10220518316643822560,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    PID:3752
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4672.0.1679060253\301566013 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.134" -PcGuid "TBIMXV2-O_24419685C74042A5A8D722B08271D99E-C_0-D_DD00013-M_CEC55C810519-V_0C7B4B7B" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:2568
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4672.0.1679060253\301566013 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.134" -PcGuid "TBIMXV2-O_24419685C74042A5A8D722B08271D99E-C_0-D_DD00013-M_CEC55C810519-V_0C7B4B7B" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2484,7656127922170392856,10220518316643822560,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3900
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4672.1.1339444939\578448459 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.134" -PcGuid "TBIMXV2-O_24419685C74042A5A8D722B08271D99E-C_0-D_DD00013-M_CEC55C810519-V_0C7B4B7B" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2484,7656127922170392856,10220518316643822560,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4816 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
23161041eea2263ce4aec476306496c5

SHA1
9d0df82af832d4dd8bfcef06598e2965e188cbb8

SHA256
0a4239164e236ef6244867223a44e286a3357876d911ff488eab3d1e0f054472

SHA512
1537e7e9d8a5e53b6bf6c5c7ee80370f4df473deee13d523bf69b518e2a56f1837fc1c12b785cf52ce02a3c65c82627b99fa8397d6edb51f2b2d45675e326c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000055

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
43ed2185f112458f4c498e1f0833214d

SHA1
bf99b83f9de97787dc932057836019206ed37c30

SHA256
ff681dc173c463bf4eadf090eb437c2cce58e775fdad98874a5deae8ec131143

SHA512
f189894c78ccde5ac47a745fd3db498f0c1a42e9fbdc04074263a18730f45977bc09fb6efdf3c4cffa4de95f95c4cae5fe84b464e73d05464a05d0ad734e3276

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5882e7.TMP

Filesize
48B

MD5
0e61858e61cf76fc6fd6875374d1c8f8

SHA1
8a2d9c828cee50e5f5068551b9b5d11961c4c673

SHA256
09e4de5dabcae73ed3bf4a5c8381775107396e9fc35e3300781275ed90e4ec63

SHA512
21c5590bb0b7ebda376b325bf07ee2ce628eac1dcf059bd304e9fef0ea7127cec203f0b330885560550af70a45a3029774029e5b479b47bdec1a4370aaf98168

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
63b2c96807403424d4336df60032dfcf

SHA1
d8ea7546d5a01632f867ee61846808e4cb6e16db

SHA256
a569e54ccdb8a9cb093aad6a739b17fa0053dedc9cfe67a04597f600f4840ef4

SHA512
659448c96f89cec3c4ccf6a90586dced3c7645b92e2efc50a529aa776011cac208479ca0528302d328265ada306797281208ce518f3573dcfa4b3ff6ab58dfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58ea6b.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
memory/3952-289-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3952-286-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3952-285-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3952-294-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3952-295-0x0000000065260000-0x000000006668C000-memory.dmp

Filesize
20.2MB

Download
memory/3952-287-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3952-288-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3952-290-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4672-346-0x0000000000690000-0x0000000000CF1000-memory.dmp

Filesize
6.4MB

Download
memory/4672-10-0x000000000069A000-0x000000000069B000-memory.dmp

Filesize
4KB

Download
memory/4672-39-0x0000000000690000-0x0000000000CF1000-memory.dmp

Filesize
6.4MB

Download