9ed5767db68fb669b3f18a0565cae471ee3800b94a187c4512e5a6691797c511

Resubmissions

27-11-2024 20:39

241127-zfpdtszjes 6

27-11-2024 20:33

25-11-2024 22:14

25-11-2024 20:57

28-09-2024 18:21

Analysis

max time kernel
115s
max time network
122s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-11-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

eec7155c48e1715f5d4eb489b01b717e
SHA1

6e054c9389e20930779e3a3e33250813d4f1115e
SHA256

8b0d7c1ab782922b44e283f958697dd2e3b427b8a6def2efabac3dd380b0fe9f
SHA512

c7c57bf484d90fcaf9b32fd35d435cbac5c64575dbc099f26d069ef8904c0c865bf0b4b72fcbbde335c701f07a9974bd7df8444879caf9fe230e05fe33c9a88e
SSDEEP

49152:Y7L6oPOReVwkTVcXj/SZTLvIkP4qghnX+fw58hG7UBg:Y7NQeZVcX7aIFqgJXMS3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxWebService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-641261377-2215826147-608237349-1000\{A4037F92-31AB-496C-8B3D-2416DDD627A9}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
216	Autoupdate.exe
216	Autoupdate.exe
2928	TeraBox.exe
2928	TeraBox.exe
2928	TeraBox.exe
2928	TeraBox.exe
4792	TeraBoxRender.exe
4792	TeraBoxRender.exe
644	TeraBoxRender.exe
644	TeraBoxRender.exe
3116	TeraBoxRender.exe
3116	TeraBoxRender.exe
4076	TeraBoxRender.exe
4076	TeraBoxRender.exe
3704	TeraBoxHost.exe
3704	TeraBoxHost.exe
3704	TeraBoxHost.exe
3704	TeraBoxHost.exe
784	TeraBoxRender.exe
784	TeraBoxRender.exe
3704	TeraBoxHost.exe
3704	TeraBoxHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	216	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	216	Autoupdate.exe
Token: SeManageVolumePrivilege	3704	TeraBoxHost.exe
Token: SeBackupPrivilege	3704	TeraBoxHost.exe
Token: SeSecurityPrivilege	3704	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2928	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2928	TeraBox.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4792	2928	TeraBox.exe	83
PID 2928 wrote to memory of 4792	2928	TeraBox.exe	83
PID 2928 wrote to memory of 4792	2928	TeraBox.exe	83
PID 2928 wrote to memory of 644	2928	TeraBox.exe	84
PID 2928 wrote to memory of 644	2928	TeraBox.exe	84
PID 2928 wrote to memory of 644	2928	TeraBox.exe	84
PID 2928 wrote to memory of 4076	2928	TeraBox.exe	85
PID 2928 wrote to memory of 4076	2928	TeraBox.exe	85
PID 2928 wrote to memory of 4076	2928	TeraBox.exe	85
PID 2928 wrote to memory of 3116	2928	TeraBox.exe	86
PID 2928 wrote to memory of 3116	2928	TeraBox.exe	86
PID 2928 wrote to memory of 3116	2928	TeraBox.exe	86
PID 2928 wrote to memory of 2812	2928	TeraBox.exe	87
PID 2928 wrote to memory of 2812	2928	TeraBox.exe	87
PID 2928 wrote to memory of 2812	2928	TeraBox.exe	87
PID 2928 wrote to memory of 2824	2928	TeraBox.exe	91
PID 2928 wrote to memory of 2824	2928	TeraBox.exe	91
PID 2928 wrote to memory of 2824	2928	TeraBox.exe	91
PID 2928 wrote to memory of 3704	2928	TeraBox.exe	92
PID 2928 wrote to memory of 3704	2928	TeraBox.exe	92
PID 2928 wrote to memory of 3704	2928	TeraBox.exe	92
PID 2928 wrote to memory of 784	2928	TeraBox.exe	93
PID 2928 wrote to memory of 784	2928	TeraBox.exe	93
PID 2928 wrote to memory of 784	2928	TeraBox.exe	93
PID 2928 wrote to memory of 2088	2928	TeraBox.exe	96
PID 2928 wrote to memory of 2088	2928	TeraBox.exe	96
PID 2928 wrote to memory of 2088	2928	TeraBox.exe	96

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2616,11373394385625870564,17589159225896539949,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2500 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2616,11373394385625870564,17589159225896539949,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3032 /prefetch:8
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:644
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2616,11373394385625870564,17589159225896539949,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2616,11373394385625870564,17589159225896539949,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3116
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2928.0.623235037\1989758467 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.168" -PcGuid "TBIMXV2-O_DA0CBA2BC4504195BAC158F8C77AA22E-C_0-D_232138804165-M_F2F0875071CF-V_8367E034" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2928.0.623235037\1989758467 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.168" -PcGuid "TBIMXV2-O_DA0CBA2BC4504195BAC158F8C77AA22E-C_0-D_232138804165-M_F2F0875071CF-V_8367E034" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2616,11373394385625870564,17589159225896539949,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:784
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2928.1.710520075\547020203 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.168" -PcGuid "TBIMXV2-O_DA0CBA2BC4504195BAC158F8C77AA22E-C_0-D_232138804165-M_F2F0875071CF-V_8367E034" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
363f9c0b72fb242c939d52f35ddc2b58

SHA1
7f2b0a1478c476624673b45d1813d2185703450e

SHA256
3cffa8f18cf164557516cf82babe1a5a491e86e9e09830ccbf08d57dcbf03b59

SHA512
9df7d8d1b930489440b3e899e719c15adf6bd07d382ceb4fdd3636d85254be51dc44da0545d90a8a01dc660cc7d37c0536afe85d85397492930060b99c66cf14

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000017

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
69c37f8b920ffa6ed638e819980cb0ff

SHA1
43c2a5951e75ff87b70281e4e2e835f9ebb317ee

SHA256
4620668e5ba5f18fda2802dbbc2ef7a71179bee8f5ad7a594b38272a9123ac48

SHA512
c19d9b9177558e2a231f8f3365b8db27655bb18c9207cfad03fe9ec7d6a544481d5f88e8e9a4639b3e4332cae966874d6698b6e52ba4ba953bf51f69e5cc9eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe58178a.TMP

Filesize
48B

MD5
8c72d0df671a5a54b89f711c6407e29e

SHA1
03cc204ae20259f7ff1623992e6f4d10d4bd65ab

SHA256
964176f26ef6f5aaee54e65ef1cb8e6e6a5a28b0c0f0653f714305db2737a25a

SHA512
0d8dee8db11514df8b0d8f39501e914895558cf1244e1b74868539bab50f996cf444f66b52f23131b27680b9f4e651f31c0cd80be7c333f947275b58e2476e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
71e008cb96e262f29c3c0219f2c5f29c

SHA1
d5a151853ed04e622e38e392ba3ebc7a090f35dd

SHA256
824ad5b402ea6dc8cf6774c9d5f11d67ca2976c1bd53d1b5a341cc0a40a4137c

SHA512
7c87f86e8b5b905ba73f67a876e90e9845a726881f690b57b540f2e063d8e4f95c58809e7c281b57968c392b8b14e3613e5cebbaad2896355b5d0b7e4427d371

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58ca6f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
memory/2928-223-0x0000000076F80000-0x0000000077070000-memory.dmp

Filesize
960KB

Download
memory/2928-11-0x0000000076F80000-0x0000000077070000-memory.dmp

Filesize
960KB

Download
memory/2928-173-0x0000000076F80000-0x0000000077070000-memory.dmp

Filesize
960KB

Download
memory/2928-31-0x0000000076F80000-0x0000000077070000-memory.dmp

Filesize
960KB

Download
memory/2928-10-0x0000000076FA1000-0x0000000076FA2000-memory.dmp

Filesize
4KB

Download
memory/3704-184-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3704-183-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3704-182-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3704-181-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3704-180-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3704-190-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3704-191-0x0000000065910000-0x0000000066D3C000-memory.dmp

Filesize
20.2MB

Download
memory/3704-185-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download