Analysis
max time kernel: 1190s
max time network: 1201s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 02:40
Static task: static1
Behavioral task: behavioral1 (sample: chlorinates.dll, resource: win7-20240508-en)
Behavioral task: behavioral2 (sample: chlorinates.dll, resource: win10v2004-20240426-en)
Behavioral task: behavioral3 (sample: chlorinates.dll, resource: win11-20240426-en)
General
Target: chlorinates.dll
Size: 13.3MB
MD5: 7604a8bc5e2f8aa350a0e142388d44ab
SHA1: 1f462fbbc10d2ee5e9894a6fc0e9de0706ee525f
SHA256: 10acfc44e2ca27846698b4ce3bd09be1fd3a3cae5f4ca1c8d18b51d2493c8a99
SHA512: 466ef6b92390738051c71289adf2908725206a85d61b5be1aa867399384bc8f7ef66ac8f9f46518c9ca40e7a1e1c69583d1cb2f6e061c375855ba9c107ce6c8c
SSDEEP: 393216:ijxK+okzk1UbMnYnmqJ8NCIXWHfEizt5:ijxK+okg18MYY8IXWHfEG
Malware Config
Signatures

Blocklisted process makes network request (22 IoCs)
flow  pid   Process
39    4304  rundll32.exe
42    4304  rundll32.exe
43    4304  rundll32.exe
44    4304  rundll32.exe
45    4304  rundll32.exe
46    4304  rundll32.exe
47    4304  rundll32.exe
48    4304  rundll32.exe
49    4304  rundll32.exe
50    4304  rundll32.exe
56    4304  rundll32.exe
57    4304  rundll32.exe
63    4304  rundll32.exe
64    4304  rundll32.exe
65    4304  rundll32.exe
66    4304  rundll32.exe
67    4304  rundll32.exe
68    4304  rundll32.exe
69    4304  rundll32.exe
70    4304  rundll32.exe
71    4304  rundll32.exe
72    4304  rundll32.exe

Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  208.67.222.222
Destination IP  208.67.222.222
Destination IP  208.67.222.222

Command and Scripting Interpreter: PowerShell (signature name taken from the process tree below; the heading is missing from the page)
pid   Process
2640  powershell.exe
528   powershell.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
528   powershell.exe
528   powershell.exe
2640  powershell.exe
2640  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  528   powershell.exe
Token: SeDebugPrivilege  2640  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process         procid_target
PID 4304 wrote to memory of 528   4304  rundll32.exe    92
PID 4304 wrote to memory of 528   4304  rundll32.exe    92
PID 4304 wrote to memory of 2640  4304  rundll32.exe    94
PID 4304 wrote to memory of 2640  4304  rundll32.exe    94
PID 2640 wrote to memory of 2432  2640  powershell.exe  96
PID 2640 wrote to memory of 2432  2640  powershell.exe  96
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1
   PID: 4304
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"
      PID: 528
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"
      PID: 2640
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\nslookup.exe
         Command line: "C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com
         PID: 2432