Analysis Report TNTNumber1062324.PDF.exe

Overview

General Information

Sample Name: TNTNumber1062324.PDF.exe
Analysis ID: 358491
MD5: 90524c4f4816eb22693e92212b8cab6c
SHA1: b10d499c6aedcc0c0a3cf728a609466824a73d19
SHA256: adea37317bf08b2dbb86164c609b0ee2eec3ccd6ef0e82c1c46d8447623e5899

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: TNTNumber1062324.PDF.exe Virustotal: Detection: 42%
Source: TNTNumber1062324.PDF.exe ReversingLabs: Detection: 31%

Compliance:

Uses 32bit PE files
Source: TNTNumber1062324.PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: TNTNumber1062324.PDF.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: TNTNumber1062324.PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TNTNumber1062324.PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TNTNumber1062324.PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: TNTNumber1062324.PDF.exe, 00000000.00000000.635376844.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSEMICHORIC.exe vs TNTNumber1062324.PDF.exe
Source: TNTNumber1062324.PDF.exe, 00000010.00000000.974522307.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSEMICHORIC.exe vs TNTNumber1062324.PDF.exe
Source: TNTNumber1062324.PDF.exe Binary or memory string: OriginalFilenameSEMICHORIC.exe vs TNTNumber1062324.PDF.exe
Uses 32bit PE files
Source: TNTNumber1062324.PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe File created: C:\Users\user\AppData\Local\Temp\~DF66CD68291135151C.TMP
Source: TNTNumber1062324.PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TNTNumber1062324.PDF.exe Virustotal: Detection: 42%
Source: TNTNumber1062324.PDF.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe 'C:\Users\user\Desktop\TNTNumber1062324.PDF.exe'
Source: unknown Process created: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe 'C:\Users\user\Desktop\TNTNumber1062324.PDF.exe'
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process created: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe 'C:\Users\user\Desktop\TNTNumber1062324.PDF.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: TNTNumber1062324.PDF.exe PID: 6072, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: TNTNumber1062324.PDF.exe PID: 6072, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_005639B6 push esp; retf 16_2_005639BD

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: TNTNumber1062324.PDF.exe
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566967 16_2_00566967
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_0056693A 16_2_0056693A
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_005669DA 16_2_005669DA
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_005669FA 16_2_005669FA
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_0056699E 16_2_0056699E
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566A55 16_2_00566A55
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566A2E 16_2_00566A2E
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566AD5 16_2_00566AD5
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566AEB 16_2_00566AEB
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566A97 16_2_00566A97
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566A82 16_2_00566A82
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566ABD 16_2_00566ABD
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566B57 16_2_00566B57
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566B12 16_2_00566B12
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566B2A 16_2_00566B2A
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_005613D6 16_2_005613D6
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe RDTSC instruction interceptor: First address: 000000000050671A second address: 000000000050671A instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F0CB43B82D8h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d add edi, edx
  0x0000001f dec dword ptr [ebp+000000F8h]
  0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h
  0x0000002c jne 00007F0CB43B82A7h
  0x0000002e jmp 00007F0CB43B82E2h
  0x00000030 test bh, FFFFFFFDh
  0x00000033 call 00007F0CB43B8304h
  0x00000038 call 00007F0CB43B82E8h
  0x0000003d lfence
  0x00000040 mov edx, dword ptr [7FFE0014h]
  0x00000046 lfence
  0x00000049 ret
  0x0000004a mov esi, edx
  0x0000004c pushad
  0x0000004d rdtsc
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe RDTSC instruction interceptor: First address: 0000000000504040 second address: 0000000000504040 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TNTNumber1062324.PDF.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe RDTSC instruction interceptor: First address: 0000000000506B17 second address: 0000000000506A69 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b cmp dword ptr [edi+14h], 10h
  0x0000000f je 00007F0CB4C91679h
  0x00000011 jmp 00007F0CB4C91642h
  0x00000013 cmp cx, ax
  0x00000016 cmp dword ptr [edi+14h], 20h
  0x0000001a je 00007F0CB4C9165Eh
  0x0000001c cmp dword ptr [edi+14h], 40h
  0x00000020 je 00007F0CB4C91658h
  0x00000022 cmp dword ptr [edi+14h], 02h
  0x00000026 je 00007F0CB4C91652h
  0x00000028 cmp dword ptr [edi+14h], 04h
  0x0000002c je 00007F0CB4C9164Ch
  0x0000002e jmp 00007F0CB4C91642h
  0x00000030 cmp dx, dx
  0x00000033 jmp 00007F0CB4C914D1h
  0x00000038 jmp 00007F0CB4C91642h
  0x0000003a nop
  0x0000003b jmp 00007F0CB4C91642h
  0x0000003d test ah, dh
  0x0000003f jmp 00007F0CB4C91642h
  0x00000041 pushad
  0x00000042 mov eax, 00000055h
  0x00000047 cpuid
  0x00000049 popad
  0x0000004a add esi, 00001000h
  0x00000050 jmp 00007F0CB4C91642h
  0x00000052 pushad
  0x00000053 lfence
  0x00000056 rdtsc
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe RDTSC instruction interceptor: First address: 000000000050671A second address: 000000000050671A instructions: identical to the sequence listed under "Detected RDTSC dummy instruction sequence (likely for instruction hammering)" above
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe RDTSC instruction interceptor: First address: 000000000050673A second address: 000000000050673A instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007F0CB4C91C4Ah
  0x0000001d popad
  0x0000001e call 00007F0CB4C9170Bh
  0x00000023 lfence
  0x00000026 rdtsc
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe RDTSC instruction interceptor: First address: 0000000000503FCF second address: 0000000000504040 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b jmp 00007F0CB43B90DAh
  0x00000010 call 00007F0CB43B74E3h
  0x00000015 pop dword ptr [ebp+000000B8h]
  0x0000001b jmp 00007F0CB43B82E2h
  0x0000001d test cx, bx
  0x00000020 jmp 00007F0CB43B82E2h
  0x00000022 test bh, bh
  0x00000024 push dword ptr fs:[000000C0h]
  0x0000002b jmp 00007F0CB43B82E2h
  0x0000002d pushad
  0x0000002e rdtsc
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe RDTSC instruction interceptor: First address: 0000000000566B17 second address: 0000000000566A69 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b cmp dword ptr [edi+14h], 10h
  0x0000000f je 00007F0CB43B8319h
  0x00000011 jmp 00007F0CB43B82E2h
  0x00000013 cmp cx, ax
  0x00000016 cmp dword ptr [edi+14h], 20h
  0x0000001a je 00007F0CB43B82FEh
  0x0000001c cmp dword ptr [edi+14h], 40h
  0x00000020 je 00007F0CB43B82F8h
  0x00000022 cmp dword ptr [edi+14h], 02h
  0x00000026 je 00007F0CB43B82F2h
  0x00000028 cmp dword ptr [edi+14h], 04h
  0x0000002c je 00007F0CB43B82ECh
  0x0000002e jmp 00007F0CB43B82E2h
  0x00000030 cmp dx, dx
  0x00000033 jmp 00007F0CB43B8171h
  0x00000038 jmp 00007F0CB43B82E2h
  0x0000003a nop
  0x0000003b jmp 00007F0CB43B82E2h
  0x0000003d test ah, dh
  0x0000003f jmp 00007F0CB43B82E2h
  0x00000041 pushad
  0x00000042 mov eax, 00000055h
  0x00000047 cpuid
  0x00000049 popad
  0x0000004a add esi, 00001000h
  0x00000050 jmp 00007F0CB43B82E2h
  0x00000052 pushad
  0x00000053 lfence
  0x00000056 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00560C52 rdtsc 16_2_00560C52
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: TNTNumber1062324.PDF.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process Stats: CPU usage > 90% for more than 60s
Hides threads from debuggers
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00560C52 rdtsc 16_2_00560C52
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00563447 mov eax, dword ptr fs:[00000030h] 16_2_00563447
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00563445 mov eax, dword ptr fs:[00000030h] 16_2_00563445
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00562555 mov eax, dword ptr fs:[00000030h] 16_2_00562555
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00561D16 mov eax, dword ptr fs:[00000030h] 16_2_00561D16
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_0056250E mov eax, dword ptr fs:[00000030h] 16_2_0056250E
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00562522 mov eax, dword ptr fs:[00000030h] 16_2_00562522
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566F5D mov eax, dword ptr fs:[00000030h] 16_2_00566F5D
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566F79 mov eax, dword ptr fs:[00000030h] 16_2_00566F79
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_0056631E mov eax, dword ptr fs:[00000030h] 16_2_0056631E
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566F1F mov eax, dword ptr fs:[00000030h] 16_2_00566F1F
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566F0E mov eax, dword ptr fs:[00000030h] 16_2_00566F0E
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00565B34 mov eax, dword ptr fs:[00000030h] 16_2_00565B34
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566F39 mov eax, dword ptr fs:[00000030h] 16_2_00566F39
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566321 mov eax, dword ptr fs:[00000030h] 16_2_00566321
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566FCA mov eax, dword ptr fs:[00000030h] 16_2_00566FCA
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Code function: 16_2_00566FAF mov eax, dword ptr fs:[00000030h] 16_2_00566FAF
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe Process created: C:\Users\user\Desktop\TNTNumber1062324.PDF.exe 'C:\Users\user\Desktop\TNTNumber1062324.PDF.exe'
Source: TNTNumber1062324.PDF.exe, 00000010.00000002.1161753697.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: TNTNumber1062324.PDF.exe, 00000010.00000002.1161753697.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: TNTNumber1062324.PDF.exe, 00000010.00000002.1161753697.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: TNTNumber1062324.PDF.exe, 00000010.00000002.1161753697.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Behavior Graph

Behavior Graph ID: 358491 Sample: TNTNumber1062324.PDF.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 100
Process tree: TNTNumber1062324.PDF.exe started; it in turn started a second instance of TNTNumber1062324.PDF.exe
Signatures on the sample node: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Sigma detected: Suspicious Double Extension; 4 other signatures
Signatures on the first process node: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
No contacted IP information