Analysis

  • max time kernel
    102s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01/07/2025, 07:13

General

  • Target

    Procentdelene.exe

  • Size

    870KB

  • MD5

    68786837fdc79d05d4d183f7e4dd1546

  • SHA1

    a28c215c0c5c807f05e44063fbaf69526cf7f3b7

  • SHA256

    1eb25e230346fb5ff10dfd8daad216200205b958046fb2729b8666ba2f18f2a9

  • SHA512

    24af354f735e24ced6c4fa83e72d7a10ea97fefb6b09201b5b2d91b2a5b97d5cace1c44624e06168a81672c68db0fdb0c41b40020beaf7e66967c73002bd0284

  • SSDEEP

    24576:GFMMMMMMMMMMj9sbv93+MEySx9KNQ6SW/AJIoK:GFMMMMMMMMMMjY+MEycKm69/AU

Malware Config

Signatures

  • Guloader family
  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe
    "C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe
      "C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5868
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 440
        3⤵
        • Program crash
        PID:2348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5868 -ip 5868
    1⤵
    PID:5476

Network

MITRE ATT&CK Enterprise v16


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsb70BC.tmp\System.dll

    Filesize
    11KB

    MD5
    9625d5b1754bc4ff29281d415d27a0fd

    SHA1
    80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

    SHA256
    c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

    SHA512
    dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

  • memory/3188-25-0x00000000035B0000-0x00000000042F0000-memory.dmp

    Filesize
    13.2MB

  • memory/3188-26-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize
    4KB

  • memory/3188-27-0x00000000035B0000-0x00000000042F0000-memory.dmp

    Filesize
    13.2MB