Analysis Report TNT Delivery Document.exe

Overview

General Information

Sample Name: TNT Delivery Document.exe
Analysis ID: 358381
MD5: cbaf832b5ff679eb876d12d89d337231
SHA1: b95263edbe7c523e7d51396093209c187919257b
SHA256: 0b725a075b7e61c937650e5f643b40858563fa2f296e37f7d75d60ab35c28a33
Tags: exe, GuLoader

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: TNT Delivery Document.exe Virustotal: Detection: 39%
Source: TNT Delivery Document.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: TNT Delivery Document.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: TNT Delivery Document.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: TNT Delivery Document.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D037D NtSetInformationThread, 2_2_020D037D
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D03A3 NtSetInformationThread, 2_2_020D03A3
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D1BCA NtWriteVirtualMemory, 2_2_020D1BCA
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D4575 NtProtectVirtualMemory, 2_2_020D4575
Detected potential crypto function
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403C44 2_2_00403C44
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403845 2_2_00403845
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403812 2_2_00403812
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_0040343E 2_2_0040343E
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004034D5 2_2_004034D5
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004038DC 2_2_004038DC
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_0040348C 2_2_0040348C
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403896 2_2_00403896
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_0040357E 2_2_0040357E
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403522 2_2_00403522
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403926 2_2_00403926
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004031EE 2_2_004031EE
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004031A1 2_2_004031A1
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004035B8 2_2_004035B8
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403650 2_2_00403650
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403604 2_2_00403604
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403A04 2_2_00403A04
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_0040323B 2_2_0040323B
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004032CC 2_2_004032CC
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004036D7 2_2_004036D7
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403287 2_2_00403287
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403A8B 2_2_00403A8B
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403693 2_2_00403693
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403B5E 2_2_00403B5E
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_0040335F 2_2_0040335F
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403773 2_2_00403773
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403B11 2_2_00403B11
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_0040331C 2_2_0040331C
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_0040373A 2_2_0040373A
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004033F6 2_2_004033F6
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004037FD 2_2_004037FD
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00403BA1 2_2_00403BA1
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004033A3 2_2_004033A3
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004037BE 2_2_004037BE
PE file contains strange resources
Source: TNT Delivery Document.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: TNT Delivery Document.exe, 00000002.00000002.498209731.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDitikeres4.exe vs TNT Delivery Document.exe
Source: TNT Delivery Document.exe, 00000002.00000002.535385883.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs TNT Delivery Document.exe
Source: TNT Delivery Document.exe Binary or memory string: OriginalFilenameDitikeres4.exe vs TNT Delivery Document.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: TNT Delivery Document.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal96.rans.troj.evad.winEXE@4/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_01
Source: TNT Delivery Document.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TNT Delivery Document.exe Virustotal: Detection: 39%
Source: TNT Delivery Document.exe ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Users\user\Desktop\TNT Delivery Document.exe 'C:\Users\user\Desktop\TNT Delivery Document.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\TNT Delivery Document.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\TNT Delivery Document.exe'
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6392, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00408812 pushad ; iretd 2_2_0040881A
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004038DC push 0FE1DEC2h; retn E1DEh 2_2_0040396B
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_004080EF push es; ret 2_2_00408116
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00405894 pushad ; retf 2_2_00405895
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00404DAE push edx; ret 2_2_00404DB0
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_00408B53 pushfd ; ret 2_2_00408B56
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D0236 pushad ; retf 2_2_020D023D
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D4249 push eax; iretd 2_2_020D4270
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D426B push eax; iretd 2_2_020D4270
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D4271 push esi; iretd 2_2_020D4274
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D4285 push ecx; iretd 2_2_020D429C
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D42A7 push esi; iretd 2_2_020D42B4
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D3F36 push es; retf 2_2_020D3F56
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D3768 push es; iretd 2_2_020D379C
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D377D push es; iretd 2_2_020D379C
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D377F push es; iretd 2_2_020D379C
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D03CB push FFFFFFE9h; iretd 2_2_020D03E6
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D347A pushad ; retf 2_2_020D346E
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D148B push edi; retf 2_2_020D1532
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D14F7 push edi; retf 2_2_020D1532
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D1507 push edi; retf 2_2_020D1532
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D151D push edi; retf 2_2_020D1532
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D1572 push edi; retf 2_2_020D1532
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Code function: 2_2_020D45AE push esi; iretd 2_2_020D45B8
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D1F67 second address: 00000000020D1F67 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FABAC75B868h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d cmp al, al
  0x0000001f cmp bh, 00000064h
  0x00000022 pop ecx
  0x00000023 test cx, AFDEh
  0x00000028 add edi, edx
  0x0000002a dec ecx
  0x0000002b cmp ecx, 00000000h
  0x0000002e jne 00007FABAC75B849h
  0x00000030 push ecx
  0x00000031 call 00007FABAC75B886h
  0x00000036 call 00007FABAC75B878h
  0x0000003b lfence
  0x0000003e mov edx, dword ptr [7FFE0014h]
  0x00000044 lfence
  0x00000047 ret
  0x00000048 mov esi, edx
  0x0000004a pushad
  0x0000004b rdtsc
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D218D second address: 00000000020D218D instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D47CB second address: 00000000020D47CB instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D33C7 second address: 00000000020D33C7 instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D3489 second address: 00000000020D3489 instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D1DFF second address: 00000000020D1DFF instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\TNT Delivery Document.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\TNT Delivery Document.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 0000000E.00000002.494187486.0000000000D00000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D1F67 second address: 00000000020D1F67 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FABAC75B868h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d cmp al, al
  0x0000001f cmp bh, 00000064h
  0x00000022 pop ecx
  0x00000023 test cx, AFDEh
  0x00000028 add edi, edx
  0x0000002a dec ecx
  0x0000002b cmp ecx, 00000000h
  0x0000002e jne 00007FABAC75B849h
  0x00000030 push ecx
  0x00000031 call 00007FABAC75B886h
  0x00000036 call 00007FABAC75B878h
  0x0000003b lfence
  0x0000003e mov edx, dword ptr [7FFE0014h]
  0x00000044 lfence
  0x00000047 ret
  0x00000048 mov esi, edx
  0x0000004a pushad
  0x0000004b rdtsc
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D2074 second address: 00000000020D2074 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007FABACBD10D3h
  0x0000001d popad
  0x0000001e call 00007FABACBCF648h
  0x00000023 lfence
  0x00000026 rdtsc
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D218D second address: 00000000020D218D instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D47CB second address: 00000000020D47CB instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D0623 second address: 00000000020D067E instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b cmp ah, 00000013h
  0x0000000e add edi, 04h
  0x00000011 push edi
  0x00000012 cmp dl, bl
  0x00000014 jmp 00007FABAC75B89Ch
  0x00000016 push 0003E800h
  0x0000001b pushad
  0x0000001c mov esi, 000000CAh
  0x00000021 rdtsc
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D067E second address: 00000000020D3CFB instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 add edi, 04h
  0x00000006 cmp esi, F1A58B31h
  0x0000000c push edi
  0x0000000d push 00000003h
  0x0000000f cmp eax, ebx
  0x00000011 push 00000030h
  0x00000013 cmp dl, dl
  0x00000015 test cl, cl
  0x00000017 push dword ptr [ebp+0000009Ch]
  0x0000001d push eax
  0x0000001e cmp ax, bx
  0x00000021 call 00007FABACBD35DAh
  0x00000026 call 00007FABACBCF625h
  0x0000002b pop ebx
  0x0000002c sub ebx, 05h
  0x0000002f inc ebx
  0x00000030 dec ebx
  0x00000031 xor edx, edx
  0x00000033 mov eax, ebx
  0x00000035 mov ecx, 00000004h
  0x0000003a div ecx
  0x0000003c cmp edx, 00000000h
  0x0000003f jne 00007FABACBCF611h
  0x00000041 dec ebx
  0x00000042 xor edx, edx
  0x00000044 mov eax, ebx
  0x00000046 mov ecx, 00000004h
  0x0000004b div ecx
  0x0000004d cmp edx, 00000000h
  0x00000050 jne 00007FABACBCF611h
  0x00000052 movd mm3, ebx
  0x00000055 jmp 00007FABACBCF636h
  0x00000057 cmp edx, eax
  0x00000059 jmp 00007FABACBCF636h
  0x0000005b test al, bl
  0x0000005d pop eax
  0x0000005e movd mm1, eax
  0x00000061 call 00007FABACBCEC6Ch
  0x00000066 pushad
  0x00000067 lfence
  0x0000006a rdtsc
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D0825 second address: 00000000020D087F instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b cmp ah, FFFFFFE8h
  0x0000000e mov ecx, dword ptr [ebp+1Ch]
  0x00000011 cmp dl, bl
  0x00000013 jmp 00007FABAC75B89Ch
  0x00000015 mov edx, D034FC62h
  0x0000001a pushad
  0x0000001b mov esi, 00000077h
  0x00000020 rdtsc
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D33C7 second address: 00000000020D33C7 instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D3489 second address: 00000000020D3489 instructions:
Source: C:\Users\user\Desktop\TNT Delivery Document.exe RDTSC instruction interceptor: First address: 00000000020D1DFF second address: 00000000020D1DFF instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D00ACB rdtsc 14_2_00D00ACB
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RegAsm.exe, 0000000E.00000002.494187486.0000000000D00000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D00ACB rdtsc 14_2_00D00ACB
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D01E93 mov eax, dword ptr fs:[00000030h] 14_2_00D01E93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D03E81 mov eax, dword ptr fs:[00000030h] 14_2_00D03E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D03EB0 mov eax, dword ptr fs:[00000030h] 14_2_00D03EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D038A5 mov eax, dword ptr fs:[00000030h] 14_2_00D038A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D035D3 mov eax, dword ptr fs:[00000030h] 14_2_00D035D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D00FBA mov eax, dword ptr fs:[00000030h] 14_2_00D00FBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D0151D mov eax, dword ptr fs:[00000030h] 14_2_00D0151D

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TNT Delivery Document.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\TNT Delivery Document.exe'
Source: RegAsm.exe, 0000000E.00000002.524161760.0000000001540000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: RegAsm.exe, 0000000E.00000002.524161760.0000000001540000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000E.00000002.524161760.0000000001540000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000000E.00000002.524161760.0000000001540000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00D02220 cpuid 14_2_00D02220

Behavior Graph:

Behavior Graph ID: 358381
Sample: TNT Delivery Document.exe
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 96
Process tree: TNT Delivery Document.exe (started) -> RegAsm.exe (started) -> conhost.exe (started)
Graph signatures on the sample: Potential malicious icon found; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 5 other signatures
Graph signatures on TNT Delivery Document.exe: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers
No contacted IP infos