9ed5767db68fb669b3f18a0565cae471ee3800b94a187c4512e5a6691797c511

Resubmissions

27-11-2024 20:39

241127-zfpdtszjes 6

27-11-2024 20:33

25-11-2024 22:14

25-11-2024 20:57

28-09-2024 18:21

Analysis

max time kernel
114s
max time network
129s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-11-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

eec7155c48e1715f5d4eb489b01b717e
SHA1

6e054c9389e20930779e3a3e33250813d4f1115e
SHA256

8b0d7c1ab782922b44e283f958697dd2e3b427b8a6def2efabac3dd380b0fe9f
SHA512

c7c57bf484d90fcaf9b32fd35d435cbac5c64575dbc099f26d069ef8904c0c865bf0b4b72fcbbde335c701f07a9974bd7df8444879caf9fe230e05fe33c9a88e
SSDEEP

49152:Y7L6oPOReVwkTVcXj/SZTLvIkP4qghnX+fw58hG7UBg:Y7NQeZVcX7aIFqgJXMS3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxWebService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3785588363-1079601362-4184885025-1000\{A6B31097-C6E0-4CF6-B905-3DC768571E9D}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3356	Autoupdate.exe
3356	Autoupdate.exe
2088	TeraBox.exe
2088	TeraBox.exe
2088	TeraBox.exe
2088	TeraBox.exe
4772	TeraBoxRender.exe
4772	TeraBoxRender.exe
4404	TeraBoxRender.exe
4404	TeraBoxRender.exe
1180	TeraBoxRender.exe
1180	TeraBoxRender.exe
1076	TeraBoxRender.exe
1076	TeraBoxRender.exe
2748	TeraBoxRender.exe
2748	TeraBoxRender.exe
3200	TeraBoxHost.exe
3200	TeraBoxHost.exe
3200	TeraBoxHost.exe
3200	TeraBoxHost.exe
3200	TeraBoxHost.exe
3200	TeraBoxHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	3356	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	3356	Autoupdate.exe
Token: SeManageVolumePrivilege	3200	TeraBoxHost.exe
Token: SeBackupPrivilege	3200	TeraBoxHost.exe
Token: SeSecurityPrivilege	3200	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2088	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2088	TeraBox.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4772	2088	TeraBox.exe	81
PID 2088 wrote to memory of 4772	2088	TeraBox.exe	81
PID 2088 wrote to memory of 4772	2088	TeraBox.exe	81
PID 2088 wrote to memory of 4404	2088	TeraBox.exe	82
PID 2088 wrote to memory of 4404	2088	TeraBox.exe	82
PID 2088 wrote to memory of 4404	2088	TeraBox.exe	82
PID 2088 wrote to memory of 1076	2088	TeraBox.exe	83
PID 2088 wrote to memory of 1076	2088	TeraBox.exe	83
PID 2088 wrote to memory of 1076	2088	TeraBox.exe	83
PID 2088 wrote to memory of 1180	2088	TeraBox.exe	84
PID 2088 wrote to memory of 1180	2088	TeraBox.exe	84
PID 2088 wrote to memory of 1180	2088	TeraBox.exe	84
PID 2088 wrote to memory of 1512	2088	TeraBox.exe	85
PID 2088 wrote to memory of 1512	2088	TeraBox.exe	85
PID 2088 wrote to memory of 1512	2088	TeraBox.exe	85
PID 2088 wrote to memory of 3024	2088	TeraBox.exe	91
PID 2088 wrote to memory of 3024	2088	TeraBox.exe	91
PID 2088 wrote to memory of 3024	2088	TeraBox.exe	91
PID 2088 wrote to memory of 3200	2088	TeraBox.exe	92
PID 2088 wrote to memory of 3200	2088	TeraBox.exe	92
PID 2088 wrote to memory of 3200	2088	TeraBox.exe	92
PID 2088 wrote to memory of 2748	2088	TeraBox.exe	93
PID 2088 wrote to memory of 2748	2088	TeraBox.exe	93
PID 2088 wrote to memory of 2748	2088	TeraBox.exe	93
PID 2088 wrote to memory of 3572	2088	TeraBox.exe	96
PID 2088 wrote to memory of 3572	2088	TeraBox.exe	96
PID 2088 wrote to memory of 3572	2088	TeraBox.exe	96

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356
- C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
  C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2624,8492164889686850255,11183066353844517785,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2636 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2624,8492164889686850255,11183066353844517785,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2800 /prefetch:8
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2624,8492164889686850255,11183066353844517785,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2624,8492164889686850255,11183066353844517785,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2088.0.1753169996\957023458 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.133" -PcGuid "TBIMXV2-O_00634B616A764045B0C1B77910F85621-C_0-D_232138804165-M_4E032CE8E4CD-V_D92E4ACC" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2088.0.1753169996\957023458 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.133" -PcGuid "TBIMXV2-O_00634B616A764045B0C1B77910F85621-C_0-D_232138804165-M_4E032CE8E4CD-V_D92E4ACC" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2624,8492164889686850255,11183066353844517785,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.19044;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2088.1.1495142395\275716633 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.133" -PcGuid "TBIMXV2-O_00634B616A764045B0C1B77910F85621-C_0-D_232138804165-M_4E032CE8E4CD-V_D92E4ACC" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Filesize
164B

MD5
d2b822e231f51c5a1f1005233a895a22

SHA1
2842018931769aa5b2e112cc4cd24291f7a3b761

SHA256
870e7917331575d562ae89bcf9bd8fa20bc141f61180df47413c0abb8fe614c9

SHA512
aab004c635728bf2c3f33aec76391ffb7723d953fc6d4f829f074e8c90d0f9074d06ab310c76b2037b1f4cf58edd9b35d3f6a5b21f10af277710a477fd6de84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000018

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
c8e33b22b4c0af5baf1ed090b70ed964

SHA1
11eed3d152be73762664cd737a85ad38673e5542

SHA256
eaa6f7f03173566799ebd0c13569c5fb9b9f1b27682b081bbcca0e495e5be955

SHA512
513d4634144f8f5e21326f1cc2dafd46a1b001cbfbc07f543351827aa07410b520087dbc03a2b35b10a6590e5c5ab145ee3a0f162917620bfc42f43354c20365

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5832a4.TMP

Filesize
48B

MD5
69fe217c561e4351d9fbb41367ae58dd

SHA1
467df0b792ec1293303fd8245a6bd8a860f862c9

SHA256
77b8531f98b6ab5c361b1078b04f1db7ebd4d48e0f3d0ae9151b9233cb9c0fe0

SHA512
b651776127c4f1090a8610c6c967480d8d8c94eaf73cc0cd54fde436f963df8ea5ad799a0ac4f76a72e8f1d444864467a31f3dffd145d619d8d55bd4fad20729

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
ef5c8d2fffe96faca5c8fcf0c87efd05

SHA1
644b53861e273680ba6a9ecf7e08dd8eb2c0edcf

SHA256
4e69a69e347ccc855d1f69d43af154027617aee6886155ef1b2bae9b10edf2f0

SHA512
d9f940cdd396a6fdf0a4921b4a0c668495bce1ac4d19a9b6ecb729237c0c35d27f0a6de51a77d74e286aae27f4fb0abee65a16d1a43a4fa863fff9261e933d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58e00a.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
memory/2088-217-0x0000000075750000-0x0000000075840000-memory.dmp

Filesize
960KB

Download
memory/2088-11-0x0000000075750000-0x0000000075840000-memory.dmp

Filesize
960KB

Download
memory/2088-130-0x0000000075750000-0x0000000075840000-memory.dmp

Filesize
960KB

Download
memory/2088-31-0x0000000075750000-0x0000000075840000-memory.dmp

Filesize
960KB

Download
memory/2088-10-0x0000000075771000-0x0000000075772000-memory.dmp

Filesize
4KB

Download
memory/3200-174-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

Filesize
4KB

Download
memory/3200-172-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/3200-171-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/3200-170-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/3200-176-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/3200-177-0x00000000652F0000-0x000000006671C000-memory.dmp

Filesize
20.2MB

Download
memory/3200-173-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/3200-175-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download