9ed5767db68fb669b3f18a0565cae471ee3800b94a187c4512e5a6691797c511

Resubmissions

27-11-2024 20:39

241127-zfpdtszjes 6

27-11-2024 20:33

25-11-2024 22:14

25-11-2024 20:57

28-09-2024 18:21

Analysis

max time kernel
114s
max time network
125s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-11-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

eec7155c48e1715f5d4eb489b01b717e
SHA1

6e054c9389e20930779e3a3e33250813d4f1115e
SHA256

8b0d7c1ab782922b44e283f958697dd2e3b427b8a6def2efabac3dd380b0fe9f
SHA512

c7c57bf484d90fcaf9b32fd35d435cbac5c64575dbc099f26d069ef8904c0c865bf0b4b72fcbbde335c701f07a9974bd7df8444879caf9fe230e05fe33c9a88e
SSDEEP

49152:Y7L6oPOReVwkTVcXj/SZTLvIkP4qghnX+fw58hG7UBg:Y7NQeZVcX7aIFqgJXMS3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxWebService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3495501434-311648039-2993076821-1000\{9A7D26EB-A0C7-4C55-AF68-91C00AB72628}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5116	Autoupdate.exe
5116	Autoupdate.exe
1500	TeraBox.exe
1500	TeraBox.exe
1500	TeraBox.exe
1500	TeraBox.exe
2136	TeraBoxRender.exe
2136	TeraBoxRender.exe
2424	TeraBoxRender.exe
2424	TeraBoxRender.exe
3092	TeraBoxRender.exe
3092	TeraBoxRender.exe
2776	TeraBoxRender.exe
2776	TeraBoxRender.exe
3788	TeraBoxHost.exe
3788	TeraBoxHost.exe
3788	TeraBoxHost.exe
3788	TeraBoxHost.exe
3788	TeraBoxHost.exe
3788	TeraBoxHost.exe
4608	TeraBoxRender.exe
4608	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	5116	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	5116	Autoupdate.exe
Token: SeManageVolumePrivilege	3788	TeraBoxHost.exe
Token: SeBackupPrivilege	3788	TeraBoxHost.exe
Token: SeSecurityPrivilege	3788	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1500	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1500	TeraBox.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2136	1500	TeraBox.exe	81
PID 1500 wrote to memory of 2136	1500	TeraBox.exe	81
PID 1500 wrote to memory of 2136	1500	TeraBox.exe	81
PID 1500 wrote to memory of 2424	1500	TeraBox.exe	82
PID 1500 wrote to memory of 2424	1500	TeraBox.exe	82
PID 1500 wrote to memory of 2424	1500	TeraBox.exe	82
PID 1500 wrote to memory of 2776	1500	TeraBox.exe	83
PID 1500 wrote to memory of 2776	1500	TeraBox.exe	83
PID 1500 wrote to memory of 2776	1500	TeraBox.exe	83
PID 1500 wrote to memory of 3092	1500	TeraBox.exe	84
PID 1500 wrote to memory of 3092	1500	TeraBox.exe	84
PID 1500 wrote to memory of 3092	1500	TeraBox.exe	84
PID 1500 wrote to memory of 2752	1500	TeraBox.exe	85
PID 1500 wrote to memory of 2752	1500	TeraBox.exe	85
PID 1500 wrote to memory of 2752	1500	TeraBox.exe	85
PID 1500 wrote to memory of 952	1500	TeraBox.exe	91
PID 1500 wrote to memory of 952	1500	TeraBox.exe	91
PID 1500 wrote to memory of 952	1500	TeraBox.exe	91
PID 1500 wrote to memory of 3788	1500	TeraBox.exe	92
PID 1500 wrote to memory of 3788	1500	TeraBox.exe	92
PID 1500 wrote to memory of 3788	1500	TeraBox.exe	92
PID 1500 wrote to memory of 4608	1500	TeraBox.exe	95
PID 1500 wrote to memory of 4608	1500	TeraBox.exe	95
PID 1500 wrote to memory of 4608	1500	TeraBox.exe	95
PID 1500 wrote to memory of 4268	1500	TeraBox.exe	96
PID 1500 wrote to memory of 4268	1500	TeraBox.exe	96
PID 1500 wrote to memory of 4268	1500	TeraBox.exe	96

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,4197051522618315919,887555905947315126,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2612 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2600,4197051522618315919,887555905947315126,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2988 /prefetch:8
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,4197051522618315919,887555905947315126,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,4197051522618315919,887555905947315126,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3092
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1500.0.866464340\698593954 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.200" -PcGuid "TBIMXV2-O_729C32291CAC42DEAD72E300162CF9B5-C_0-D_232138804165-M_D61134EACE76-V_80460A83" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1500.0.866464340\698593954 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.200" -PcGuid "TBIMXV2-O_729C32291CAC42DEAD72E300162CF9B5-C_0-D_232138804165-M_D61134EACE76-V_80460A83" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,4197051522618315919,887555905947315126,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1500.1.334479707\1181130593 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.200" -PcGuid "TBIMXV2-O_729C32291CAC42DEAD72E300162CF9B5-C_0-D_232138804165-M_D61134EACE76-V_80460A83" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
9c7f426bef2e396b083ec07839b8b2d4

SHA1
5f44df6904af5a801e034bfa71cf6d816deeb26e

SHA256
3e325d0914103966227452a3ab78a5860c96ee98b1bce3ad268d79baf843ab9d

SHA512
a65400313946ab8e0fc6d78995582cc4f08a2f495cff1c136a8eaae3064cf9fd4c5310c0d7632ecf2cb54db38613433079775189df9a31c7a6d5235157e56454

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\57b99354-be2a-413c-9679-7328a9d4fec0.tmp

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000018

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
707b213a704382fff67256fbffe9c802

SHA1
61663e614feca97bbda3df25aeec5fd9981f97a3

SHA256
cf6f7283b1ae1602df55cc33e8477190c45e5baa641cad9f086c5352d5d13ba9

SHA512
32fd3c434602a8626c472a114922c4614d95ddec41aa5cd0caaedfd3d3a8545d2cba73fda9e2ec33ae5b2d2037544ac644cdf2a38f16e8ca87766f23d934a0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5821fa.TMP

Filesize
48B

MD5
65bc0d02c6765a73d037f67043fb31e5

SHA1
4c13268b311011eace9375d15df3aaa08a782410

SHA256
8a45c14163793359bf12b8c9ba2aeef3854e85b65048da77a7384a44a8d29071

SHA512
9a1e48b8de91c614893dda96ccc7f590096967a7005c7deb8e5800ca02b92ae10df4e5b5f4f603567736750c66580313173743dc7286685037f03b322d067088

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
a93ee6be8b25d8a81be0ba185b3ae488

SHA1
0d94fe248a5d6d597b4a0fa6fead0f1f6335b4f6

SHA256
2a1e36d21a59c2fe420b46b7fdfe25763e38f4306936c9798931756fb64ed182

SHA512
1cfd76c80dfe55ea86dfaf154f3c2290a1737249f57f4acdde4b91d517d22171fb95335714236ac16dfa28be5851c3e5f917ed79c31e43b055afbd479ee16d5d

Download Submit
memory/1500-158-0x0000000075C70000-0x0000000075D60000-memory.dmp

Filesize
960KB

Download
memory/1500-10-0x0000000075C91000-0x0000000075C92000-memory.dmp

Filesize
4KB

Download
memory/1500-29-0x0000000075C70000-0x0000000075D60000-memory.dmp

Filesize
960KB

Download
memory/1500-69-0x0000000075C70000-0x0000000075D60000-memory.dmp

Filesize
960KB

Download
memory/1500-11-0x0000000075C70000-0x0000000075D60000-memory.dmp

Filesize
960KB

Download
memory/3788-146-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/3788-151-0x00000000650E0000-0x000000006650C000-memory.dmp

Filesize
20.2MB

Download
memory/3788-150-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/3788-148-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/3788-149-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/3788-144-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/3788-147-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/3788-145-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download