Analysis

  • max time kernel
    138s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    24/06/2024, 01:57

General

  • Target

    source/Chlorine.vbs

  • Size

    5KB

  • MD5

    a10d375e013a00dd14a16bfce7b6d2f0

  • SHA1

    9c863fddf6a0a5e7b0b2b1cb8268ea1586de5150

  • SHA256

    16a59e4fd5b0d27325cbf2deeb34f8f49f3368c562e9a5deb934eb234d89ea05

  • SHA512

    6d839b235c9c4ff3021947debb8b73a512c7b8c140ac35a7f49a127446102b84f16fa11e441cc360beea248180de23305527c1de90f3226ddf332e6863c30378

  • SSDEEP

    96:Fo7feQCdUFuzxhldtVpdyQJQI1EUgRtCoYkXZ8qw5oHYpw0:9QCdUgxhl3VpdB6I1qrXZ8q2oHYpw0

Score
6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Chlorine.vbs"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Users\Admin\AppData\Local\Temp\source\mbr.exe
      "C:\Users\Admin\AppData\Local\Temp\source\mbr.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      PID:3108
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\msgloop.vbs"
      2⤵
      PID:5108
    • C:\Users\Admin\AppData\Local\Temp\source\noise.exe
      "C:\Users\Admin\AppData\Local\Temp\source\noise.exe"
      2⤵
      PID:1416
    • C:\Users\Admin\AppData\Local\Temp\source\mousedraw.exe
      "C:\Users\Admin\AppData\Local\Temp\source\mousedraw.exe"
      2⤵
      PID:4548
    • C:\Users\Admin\AppData\Local\Temp\source\sussywaves.exe
      "C:\Users\Admin\AppData\Local\Temp\source\sussywaves.exe"
      2⤵
      PID:648
    • C:\Users\Admin\AppData\Local\Temp\source\BitBlt1.exe
      "C:\Users\Admin\AppData\Local\Temp\source\BitBlt1.exe"
      2⤵
      PID:3868
    • C:\Users\Admin\AppData\Local\Temp\source\IconHell.exe
      "C:\Users\Admin\AppData\Local\Temp\source\IconHell.exe"
      2⤵
      PID:4716
    • C:\Users\Admin\AppData\Local\Temp\source\bsod.exe
      "C:\Users\Admin\AppData\Local\Temp\source\bsod.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3ac
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/648-6-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/1416-3-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/3108-0-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize: 864KB
  • memory/3868-10-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/4548-4-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/4716-39-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB