Analysis
-
max time kernel
102s -
max time network
105s -
platform
windows11-21h2_x64 -
resource
win11-20250619-en -
resource tags
arch:x64arch:x86image:win11-20250619-enlocale:en-usos:windows11-21h2-x64system -
submitted
01/07/2025, 07:13
Static task
static1
Behavioral task
behavioral1
Sample
Procentdelene.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
Procentdelene.exe
Resource
win11-20250619-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250610-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win11-20250610-en
General
-
Target
Procentdelene.exe
-
Size
870KB
-
MD5
68786837fdc79d05d4d183f7e4dd1546
-
SHA1
a28c215c0c5c807f05e44063fbaf69526cf7f3b7
-
SHA256
1eb25e230346fb5ff10dfd8daad216200205b958046fb2729b8666ba2f18f2a9
-
SHA512
24af354f735e24ced6c4fa83e72d7a10ea97fefb6b09201b5b2d91b2a5b97d5cace1c44624e06168a81672c68db0fdb0c41b40020beaf7e66967c73002bd0284
-
SSDEEP
24576:GFMMMMMMMMMMj9sbv93+MEySx9KNQ6SW/AJIoK:GFMMMMMMMMMMjY+MEycKm69/AU
Malware Config
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
pid Process 3188 Procentdelene.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3188 Procentdelene.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2348 5868 WerFault.exe 78 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Procentdelene.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Procentdelene.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3188 Procentdelene.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3188 wrote to memory of 5868 3188 Procentdelene.exe 78 PID 3188 wrote to memory of 5868 3188 Procentdelene.exe 78 PID 3188 wrote to memory of 5868 3188 Procentdelene.exe 78 PID 3188 wrote to memory of 5868 3188 Procentdelene.exe 78 PID 3188 wrote to memory of 5868 3188 Procentdelene.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5868 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 4403⤵
- Program crash
PID:2348
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5868 -ip 58681⤵PID:5476
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD59625d5b1754bc4ff29281d415d27a0fd
SHA180e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b