Analysis
max time kernel: 84s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 15:04
Static task: static1
Behavioral task: behavioral1
  Sample: TNT Original Invoice.scr
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: TNT Original Invoice.scr
  Resource: win10v2004-20220414-en
General
Target: TNT Original Invoice.scr
Size: 48KB
MD5: 45439e2dfdd3b1f54b4952a46b487fa4
SHA1: d8becaffacaf238a8abe233bff210963d0d36e1e
SHA256: bac78784a96599a619b48b9998c449d213cd113bda215a0b6fe11e358e336785
SHA512: 38532b48e6e71907fbd569e4e3ee71322f019368efa1db89f39f9a7b0dd5440859c9b824f6d2f0bda4c7c63ea95547f003c3db3fd571b41ffd75fdf07ea225bf
Malware Config
Extracted: guloader
  Payload URL: https://drive.google.com/uc?export=download&id=1gKqCSICYGIrZRanQX1uIQYJBckKa2fUb
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4700-132-0x0000000000000000-mapping.dmp | family_guloader
  behavioral2/memory/4700-136-0x0000000000D00000-0x0000000000E00000-memory.dmp | family_guloader
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid | process
  3948 | TNT Original Invoice.scr
  4700 | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3948 set thread context of 4700 | 3948 | TNT Original Invoice.scr | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  3948 | TNT Original Invoice.scr
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  3948 | TNT Original Invoice.scr
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 3948 wrote to memory of 4700 | 3948 | TNT Original Invoice.scr | RegAsm.exe
  PID 3948 wrote to memory of 4700 | 3948 | TNT Original Invoice.scr | RegAsm.exe
  PID 3948 wrote to memory of 4700 | 3948 | TNT Original Invoice.scr | RegAsm.exe
  PID 3948 wrote to memory of 4700 | 3948 | TNT Original Invoice.scr | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr" /S
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr" /S
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3948-133-0x00000000021E0000-0x00000000021E8000-memory.dmp (Filesize: 32KB)
- memory/3948-134-0x00007FF841690000-0x00007FF841885000-memory.dmp (Filesize: 2.0MB)
- memory/3948-135-0x00000000771C0000-0x0000000077363000-memory.dmp (Filesize: 1.6MB)
- memory/3948-139-0x00000000021E0000-0x00000000021E8000-memory.dmp (Filesize: 32KB)
- memory/3948-140-0x00000000771C0000-0x0000000077363000-memory.dmp (Filesize: 1.6MB)
- memory/4700-132-0x0000000000000000-mapping.dmp
- memory/4700-136-0x0000000000D00000-0x0000000000E00000-memory.dmp (Filesize: 1024KB)
- memory/4700-137-0x00007FF841690000-0x00007FF841885000-memory.dmp (Filesize: 2.0MB)
- memory/4700-138-0x00000000771C0000-0x0000000077363000-memory.dmp (Filesize: 1.6MB)