Malware Analysis Report

2025-06-16 07:25

Sample ID 240602-c5wg4sgb3x
Target chlorinates.exe
SHA256 10acfc44e2ca27846698b4ce3bd09be1fd3a3cae5f4ca1c8d18b51d2493c8a99
Tags execution
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 10acfc44e2ca27846698b4ce3bd09be1fd3a3cae5f4ca1c8d18b51d2493c8a99

Threat Level: Likely malicious

The file chlorinates.exe was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Unexpected DNS network traffic destination

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-02 02:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-02 02:40

Reported 2024-06-02 04:47

Platform win7-20240508-en

Max time kernel 1192s

Max time network 1201s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1

Signatures

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"

C:\Windows\system32\nslookup.exe

"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp

Files

memory/1804-0-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-2-0x000007FEF4560000-0x000007FEF4FE4000-memory.dmp

memory/1804-3-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-4-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-5-0x000007FEF4560000-0x000007FEF4FE4000-memory.dmp

memory/1804-6-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-7-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-8-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-9-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/2140-14-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2140-15-0x0000000002860000-0x0000000002868000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2357258a3dbee32ad062e674aa4104e0
SHA1 4c877d30deddb8c3014bf1076bae8e42889e4106
SHA256 7b8b068c8583662dcc48d52be249d347d9e068368c4c27aac6716372c53ae03b
SHA512 a0d1ea566f47fc01633a56eeeef3296366df37b702d81459b9512eb12ddc685db8af67d825c8d1aad3c243bb08eb66042880d33d4fce10e009d2c4ff45ec604c

memory/2232-21-0x000000001B630000-0x000000001B912000-memory.dmp

memory/2232-22-0x0000000002860000-0x0000000002868000-memory.dmp

memory/1804-23-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-24-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

memory/1804-25-0x000007FEF4560000-0x000007FEF52BA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-02 02:40

Reported 2024-06-02 04:48

Platform win10v2004-20240426-en

Max time kernel 1190s

Max time network 1201s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1

Signatures

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"

C:\Windows\system32\nslookup.exe

"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
GB 51.68.216.13:443 tcp
US 8.8.8.8:53 222.222.67.208.in-addr.arpa udp
US 8.8.8.8:53 13.216.68.51.in-addr.arpa udp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp

Files

memory/4304-0-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-2-0x00007FFF36F90000-0x00007FFF37A14000-memory.dmp

memory/4304-3-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-4-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-5-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-6-0x00007FFF36F90000-0x00007FFF37A14000-memory.dmp

memory/4304-7-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/528-8-0x00007FFF356C3000-0x00007FFF356C5000-memory.dmp

memory/528-9-0x000001768AF60000-0x000001768AF82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zv21id44.cvs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/528-19-0x00007FFF356C0000-0x00007FFF36181000-memory.dmp

memory/528-20-0x00007FFF356C0000-0x00007FFF36181000-memory.dmp

memory/528-23-0x00007FFF356C0000-0x00007FFF36181000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 223bd4ae02766ddc32e6145fd1a29301
SHA1 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA256 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 071e40c48b137a5d464968fcac2ed5f9
SHA1 26d7916861ada434d4457569055aeffebb2e1617
SHA256 96127b0d042da66bf8332ddd5a22ba4046c47fa2306d18319c22097560d28f5e
SHA512 8d6d81091f04e06c3c4562f606d3b3ab2d3ecf015d8f6c0ac75b1477450aaa3d98b7ddf79b682ff69c3fef1c109443a8cb23d257442cff6d0bcb575cb6c0e67e

memory/4304-36-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-37-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-38-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-43-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-44-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

memory/4304-45-0x00007FFF36F90000-0x00007FFF37CEA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-02 02:40

Reported 2024-06-02 04:49

Platform win11-20240426-en

Max time kernel 1190s

Max time network 1202s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\chlorinates.dll,#1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"

C:\Windows\system32\nslookup.exe

"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
GB 51.68.216.13:443 tcp
US 8.8.8.8:53 222.222.67.208.in-addr.arpa udp
US 8.8.8.8:53 13.216.68.51.in-addr.arpa udp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp
GB 51.68.216.13:443 tcp

Files

memory/336-0-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-2-0x00007FFCEFF20000-0x00007FFCF09A4000-memory.dmp

memory/336-3-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-4-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-6-0x00007FFCEFF20000-0x00007FFCF09A4000-memory.dmp

memory/336-5-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-7-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-8-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-9-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/4084-10-0x00007FFCEF453000-0x00007FFCEF455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_elcg0ndq.r51.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4084-19-0x000002244FCC0000-0x000002244FCE2000-memory.dmp

memory/4084-20-0x00007FFCEF450000-0x00007FFCEFF12000-memory.dmp

memory/4084-21-0x00007FFCEF450000-0x00007FFCEFF12000-memory.dmp

memory/4084-22-0x00007FFCEF450000-0x00007FFCEFF12000-memory.dmp

memory/4084-25-0x00007FFCEF450000-0x00007FFCEFF12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 22e796539d05c5390c21787da1fb4c2b
SHA1 55320ebdedd3069b2aaf1a258462600d9ef53a58
SHA256 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
SHA512 d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 161f955c57fd28c6ec65ac6e654db3e1
SHA1 a6730d9ea505e13871a3b173852041c83376d400
SHA256 e5915b7488ae418e4d81fda1a0b72a04529bf9cdb26b88aacfdfb7466a409f9d
SHA512 10d4787848d6a383500ebc9b5f4a9fe8f45aafab503479a887e4aab6329ce0509f888ef46f0cbef591ac4b005386c4e05ca37883bcaad046af3f7c59b04fce1a

memory/336-37-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-38-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-39-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-43-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-44-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-45-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-50-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp

memory/336-51-0x00007FFCEFF20000-0x00007FFCF0C7A000-memory.dmp