Analysis
max time kernel: 1192s
max time network: 1201s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 02:40
Static task: static1
Behavioral task: behavioral1
  Sample: chlorinates.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: chlorinates.dll
  Resource: win10v2004-20240426-en
Behavioral task: behavioral3
  Sample: chlorinates.dll
  Resource: win11-20240426-en
General
Target: chlorinates.dll
Size: 13.3MB
MD5: 7604a8bc5e2f8aa350a0e142388d44ab
SHA1: 1f462fbbc10d2ee5e9894a6fc0e9de0706ee525f
SHA256: 10acfc44e2ca27846698b4ce3bd09be1fd3a3cae5f4ca1c8d18b51d2493c8a99
SHA512: 466ef6b92390738051c71289adf2908725206a85d61b5be1aa867399384bc8f7ef66ac8f9f46518c9ca40e7a1e1c69583d1cb2f6e061c375855ba9c107ce6c8c
SSDEEP: 393216:ijxK+okzk1UbMnYnmqJ8NCIXWHfEizt5:ijxK+okg18MYY8IXWHfEG
Malware Config
Signatures
Blocklisted process makes network request (24 IoCs)
flow  pid   Process
6     1804  rundll32.exe
7     1804  rundll32.exe
8     1804  rundll32.exe
9     1804  rundll32.exe
10    1804  rundll32.exe
11    1804  rundll32.exe
12    1804  rundll32.exe
13    1804  rundll32.exe
14    1804  rundll32.exe
15    1804  rundll32.exe
16    1804  rundll32.exe
17    1804  rundll32.exe
18    1804  rundll32.exe
19    1804  rundll32.exe
20    1804  rundll32.exe
21    1804  rundll32.exe
22    1804  rundll32.exe
23    1804  rundll32.exe
24    1804  rundll32.exe
25    1804  rundll32.exe
26    1804  rundll32.exe
27    1804  rundll32.exe
28    1804  rundll32.exe
29    1804  rundll32.exe
Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  208.67.222.222
Destination IP  208.67.222.222
Destination IP  208.67.222.222
Command and Scripting Interpreter: PowerShell (2 IoCs)
pid   Process
2140  powershell.exe
2232  powershell.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2140  powershell.exe
2232  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2140  powershell.exe
Token: SeDebugPrivilege   2232  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process         procid_target
PID 1804 wrote to memory of 2140   1804  rundll32.exe    30
PID 1804 wrote to memory of 2140   1804  rundll32.exe    30
PID 1804 wrote to memory of 2140   1804  rundll32.exe    30
PID 1804 wrote to memory of 2232   1804  rundll32.exe    33
PID 1804 wrote to memory of 2232   1804  rundll32.exe    33
PID 1804 wrote to memory of 2232   1804  rundll32.exe    33
PID 2232 wrote to memory of 1860   2232  powershell.exe  35
PID 2232 wrote to memory of 1860   2232  powershell.exe  35
PID 2232 wrote to memory of 1860   2232  powershell.exe  35
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID: 1804
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2140
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2232
    C:\Windows\system32\nslookup.exe
      command line: "C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com
      PID: 1860
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 2357258a3dbee32ad062e674aa4104e0
  SHA1: 4c877d30deddb8c3014bf1076bae8e42889e4106
  SHA256: 7b8b068c8583662dcc48d52be249d347d9e068368c4c27aac6716372c53ae03b
  SHA512: a0d1ea566f47fc01633a56eeeef3296366df37b702d81459b9512eb12ddc685db8af67d825c8d1aad3c243bb08eb66042880d33d4fce10e009d2c4ff45ec604c