09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Analysis

max time kernel
17s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoUpdate/Autoupdate.exe
Size

2.8MB
MD5

94c5b0443f1c39b71b22931509bf1985
SHA1

35cb27275187b8c0da72d00b8551aaf2c1059794
SHA256

7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
SHA512

a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
SSDEEP

49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

Processes:

TeraBoxRender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{EA3240DA-AD49-41E7-9B38-61DB1D8FE83B}	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Autoupdate.exeTeraBox.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exe

pid	process
4768	Autoupdate.exe
4768	Autoupdate.exe
3120	TeraBox.exe
3120	TeraBox.exe
3120	TeraBox.exe
3120	TeraBox.exe
4252	TeraBoxRender.exe
4252	TeraBoxRender.exe
432	TeraBoxRender.exe
432	TeraBoxRender.exe
2400	TeraBoxRender.exe
2400	TeraBoxRender.exe
5096	TeraBoxRender.exe
5096	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Autoupdate.exe

description pid process

Token: SeDebugPrivilege 4768 Autoupdate.exe
Token: SeIncreaseQuotaPrivilege 4768 Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege 4768 Autoupdate.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TeraBox.exe

pid process

3120 TeraBox.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

TeraBox.exe

pid process

3120 TeraBox.exe

description	pid	process
Token: SeDebugPrivilege	4768	Autoupdate.exe
Token: SeIncreaseQuotaPrivilege	4768	Autoupdate.exe
Token: SeAssignPrimaryTokenPrivilege	4768	Autoupdate.exe

pid	process
3120	TeraBox.exe

pid	process
3120	TeraBox.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

TeraBox.exe

description	pid	process	target process
PID 3120 wrote to memory of 4252	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 4252	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 4252	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 432	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 432	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 432	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 3048	3120	TeraBox.exe	TeraBoxWebService.exe
PID 3120 wrote to memory of 3048	3120	TeraBox.exe	TeraBoxWebService.exe
PID 3120 wrote to memory of 3048	3120	TeraBox.exe	TeraBoxWebService.exe
PID 3120 wrote to memory of 5096	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 5096	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 5096	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 2400	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 2400	3120	TeraBox.exe	TeraBoxRender.exe
PID 3120 wrote to memory of 2400	3120	TeraBox.exe	TeraBoxRender.exe

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,4891713641100355134,17185425372873863011,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2612 /prefetch:2
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2600,4891713641100355134,17185425372873863011,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3088 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
3⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,4891713641100355134,17185425372873863011,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,4891713641100355134,17185425372873863011,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3120.0.221480552\849736101 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.181" -PcGuid "TBIMXV2-O_0BCCC98050D944D7834B9CCB7964E586-C_0-D_DD00013-M_FA8F9E8C279D-V_50F51BF8" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3120.0.221480552\849736101 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.181" -PcGuid "TBIMXV2-O_0BCCC98050D944D7834B9CCB7964E586-C_0-D_DD00013-M_FA8F9E8C279D-V_50F51BF8" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3120.1.1632673368\419707479 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.181" -PcGuid "TBIMXV2-O_0BCCC98050D944D7834B9CCB7964E586-C_0-D_DD00013-M_FA8F9E8C279D-V_50F51BF8" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,4891713641100355134,17185425372873863011,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
3⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,4891713641100355134,17185425372873863011,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4812 /prefetch:2
3⤵
PID:4764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini
Filesize
164B

MD5
6c8c15503374b81aa3333e557e384a15

SHA1
ba3d1c4055e2e138034b2dab2ae6c04bf8800f00

SHA256
2394225d5b03473c4e5e40b887aad4942b4c7811d2218cf69203ec65e7b45c92

SHA512
4ef4e4b6881dda9964a916e151efff84db2ea3bf0140f8ea9771faffbb79e7d9957977211dcdf482b69c361ea6ffe96e74dc6723dcc789f964b6c0543a63ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000055
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index
Filesize
624B

MD5
2d47e7c860f00818f2b99920a73178b3

SHA1
822179c1dc884399c81750a73692c6574d1c9121

SHA256
fb5799544640981c7f3d23842336157c0fa0b05a1e10c15cf06e67724d6b2567

SHA512
85faea4e9e3fa35929a3f5336cc88d9fa6461932ec83b60881bfb911cb032eeb2b6ef207f51f947218f8e00381429588128e48594409c6d3bb57a84fee4071b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe586741.TMP
Filesize
48B

MD5
2df6d62340f91bcf1bf4cc15577cd0f9

SHA1
519383b625eea027c6d75aed86fd7c606f1696f6

SHA256
605cca05e171b217a087af045145b51ae20399904f1a09a09e5b67127a620ef0

SHA512
ea380c9cabd7ae551c990ef09765b74b34255e7004ffec686035c9434aa2f6eea7b3173c7ef8e4e7994f6e7c134b07918e3e28b2b7c8a2303da53be7e36c24f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State
Filesize
59B

MD5
4bf40875c4a013e74e8285ce033dd7d7

SHA1
6702d3f707393770fbf9550e118a4b2e4eb289ed

SHA256
757ec562e86f7e5da285f173e2facaec9b19dadbbbde3ba3bd6ef48d004fc4c4

SHA512
bbb5d5dc8983454ba0a394a530be044496ab3a13038f5dc5d805f6012c5952253258ccae726ef0f7edf77156503d5287c01472f39bb00082049b9669c4831c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State
Filesize
1KB

MD5
44ec1ebf48c7962caa3b8b96e76ca54f

SHA1
b025c32e1389d702725be3363c10cb8bd84fe8ff

SHA256
55090b705872d34754abddd3a6949e91a27fc41f27a879748dd43b1de1eef72a

SHA512
5f95c5a69aa26ad355dcf9ff0c8a5a689aaa73530da422627f79285fde9cbd5bd9e492b6afa32a9fc2f458ebbacb0e923e75aa50fc4ebe62b8f1a050d82557b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe57fde8.TMP
Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
memory/2192-283-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2192-282-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2192-293-0x0000000065A00000-0x0000000066E2C000-memory.dmp

Filesize
20.2MB

Download
memory/2192-281-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2192-284-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2192-285-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2192-289-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2192-286-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3120-355-0x00000000009E0000-0x0000000001041000-memory.dmp

Filesize
6.4MB

Download
memory/3120-10-0x00000000009EA000-0x00000000009EB000-memory.dmp

Filesize
4KB

Download
memory/3120-30-0x00000000009E0000-0x0000000001041000-memory.dmp

Filesize
6.4MB

Download