Analysis
max time kernel: 1190s
max time network: 1202s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/06/2024, 02:40
Static task: static1
Behavioral task: behavioral1
  Sample: chlorinates.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: chlorinates.dll
  Resource: win10v2004-20240426-en
Behavioral task: behavioral3
  Sample: chlorinates.dll
  Resource: win11-20240426-en
General
Target: chlorinates.dll
Size: 13.3MB
MD5: 7604a8bc5e2f8aa350a0e142388d44ab
SHA1: 1f462fbbc10d2ee5e9894a6fc0e9de0706ee525f
SHA256: 10acfc44e2ca27846698b4ce3bd09be1fd3a3cae5f4ca1c8d18b51d2493c8a99
SHA512: 466ef6b92390738051c71289adf2908725206a85d61b5be1aa867399384bc8f7ef66ac8f9f46518c9ca40e7a1e1c69583d1cb2f6e061c375855ba9c107ce6c8c
SSDEEP: 393216:ijxK+okzk1UbMnYnmqJ8NCIXWHfEizt5:ijxK+okg18MYY8IXWHfEG
Malware Config
Signatures
Blocklisted process makes network request (38 IoCs)
  flow  pid  Process
  5     336  rundll32.exe
  8     336  rundll32.exe
  9     336  rundll32.exe
  11    336  rundll32.exe
  12    336  rundll32.exe
  13    336  rundll32.exe
  14    336  rundll32.exe
  15    336  rundll32.exe
  16    336  rundll32.exe
  17    336  rundll32.exe
  18    336  rundll32.exe
  19    336  rundll32.exe
  21    336  rundll32.exe
  22    336  rundll32.exe
  25    336  rundll32.exe
  27    336  rundll32.exe
  28    336  rundll32.exe
  29    336  rundll32.exe
  30    336  rundll32.exe
  31    336  rundll32.exe
  32    336  rundll32.exe
  33    336  rundll32.exe
  34    336  rundll32.exe
  36    336  rundll32.exe
  37    336  rundll32.exe
  38    336  rundll32.exe
  40    336  rundll32.exe
  41    336  rundll32.exe
  42    336  rundll32.exe
  43    336  rundll32.exe
  44    336  rundll32.exe
  45    336  rundll32.exe
  46    336  rundll32.exe
  47    336  rundll32.exe
  48    336  rundll32.exe
  49    336  rundll32.exe
  50    336  rundll32.exe
  51    336  rundll32.exe
Unexpected DNS network traffic destination (3 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  208.67.222.222
  Destination IP  208.67.222.222
  Destination IP  208.67.222.222
Command and Scripting Interpreter: PowerShell (2 IoCs)
  pid   Process
  4084  powershell.exe
  952   powershell.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4084  powershell.exe
  4084  powershell.exe
  952   powershell.exe
  952   powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4084  powershell.exe
  Token: SeDebugPrivilege   952   powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid  Process         procid_target
  PID 336 wrote to memory of 4084   336  rundll32.exe    78
  PID 336 wrote to memory of 4084   336  rundll32.exe    78
  PID 336 wrote to memory of 952    336  rundll32.exe    81
  PID 336 wrote to memory of 952    336  rundll32.exe    81
  PID 952 wrote to memory of 2212   952  powershell.exe  83
  PID 952 wrote to memory of 2212   952  powershell.exe  83
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1
  PID: 336
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"
    PID: 4084
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"
    PID: 952
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\nslookup.exe
      command: "C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com
      PID: 2212
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
  MD5: 22e796539d05c5390c21787da1fb4c2b
  SHA1: 55320ebdedd3069b2aaf1a258462600d9ef53a58
  SHA256: 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
  SHA512: d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09
Filesize: 1KB
  MD5: 161f955c57fd28c6ec65ac6e654db3e1
  SHA1: a6730d9ea505e13871a3b173852041c83376d400
  SHA256: e5915b7488ae418e4d81fda1a0b72a04529bf9cdb26b88aacfdfb7466a409f9d
  SHA512: 10d4787848d6a383500ebc9b5f4a9fe8f45aafab503479a887e4aab6329ce0509f888ef46f0cbef591ac4b005386c4e05ca37883bcaad046af3f7c59b04fce1a
Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82