1ffaef081b66fba6d95e34d3c7c70b6958f6f76702bea07205162bba32387b1a

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChilledWindows.GUI.exe
Size

4.3MB
MD5

74ff57825e5256a5e145c246bdf55a48
SHA1

a09c4666725ee3791a46018899c977747751003c
SHA256

1ffaef081b66fba6d95e34d3c7c70b6958f6f76702bea07205162bba32387b1a
SHA512

207a63aef56a8941e2560be4242c107e93fa108f837dca59d04092b295cc685d7848840c8920ac7e415671d5902bf080b4ff8bcddfc88182315d9da4c8d39515
SSDEEP

98304:U3on4k4113jdraOptUIQu8GMuwxzrH+zpCYP/KTAurli:U3on4HjtUT3kUrHG0a

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2140	CHROMI~2.EXE
2648	helper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ChilledWindows.GUI.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	helper.exe
File opened (read-only)	\??\R:	helper.exe
File opened (read-only)	\??\W:	helper.exe
File opened (read-only)	\??\L:	helper.exe
File opened (read-only)	\??\X:	helper.exe
File opened (read-only)	\??\G:	helper.exe
File opened (read-only)	\??\I:	helper.exe
File opened (read-only)	\??\J:	helper.exe
File opened (read-only)	\??\N:	helper.exe
File opened (read-only)	\??\Q:	helper.exe
File opened (read-only)	\??\S:	helper.exe
File opened (read-only)	\??\U:	helper.exe
File opened (read-only)	\??\Y:	helper.exe
File opened (read-only)	\??\A:	helper.exe
File opened (read-only)	\??\E:	helper.exe
File opened (read-only)	\??\K:	helper.exe
File opened (read-only)	\??\P:	helper.exe
File opened (read-only)	\??\T:	helper.exe
File opened (read-only)	\??\V:	helper.exe
File opened (read-only)	\??\Z:	helper.exe
File opened (read-only)	\??\B:	helper.exe
File opened (read-only)	\??\H:	helper.exe
File opened (read-only)	\??\M:	helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2648	helper.exe
Token: SeIncBasePriorityPrivilege	2648	helper.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2648	helper.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2140	1748	ChilledWindows.GUI.exe	28
PID 1748 wrote to memory of 2140	1748	ChilledWindows.GUI.exe	28
PID 1748 wrote to memory of 2140	1748	ChilledWindows.GUI.exe	28
PID 2140 wrote to memory of 2648	2140	CHROMI~2.EXE	29
PID 2140 wrote to memory of 2648	2140	CHROMI~2.EXE	29
PID 2140 wrote to memory of 2648	2140	CHROMI~2.EXE	29

C:\Users\Admin\AppData\Local\Temp\ChilledWindows.GUI.exe
"C:\Users\Admin\AppData\Local\Temp\ChilledWindows.GUI.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHROMI~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHROMI~2.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\helper.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\helper.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHROMI~2.EXE

Filesize
13KB

MD5
b840b27df10b80d7d17e7ba88fe549ca

SHA1
2769b3696b80aa8048fbab5e08629c7369810499

SHA256
63ed16670362ddbc0fb96d2762c84f68073988d1f1f49fc4f064fad56076287e

SHA512
f1ceeacdbb4101b8e985878f2444840e3aa1dfe0fc2d241ebffbff48b00abf1d895425dbb1833b3a69e93b5edcf291b57c289e6b0d8ff072e7a0d1278f26ceea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\helper.exe

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
memory/2140-17-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-9-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/2140-10-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-11-0x0000000000610000-0x0000000000690000-memory.dmp

Filesize
512KB

Download
memory/2140-12-0x0000000000610000-0x0000000000690000-memory.dmp

Filesize
512KB

Download
memory/2648-28-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-39-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2648-19-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2648-20-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/2648-21-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/2648-16-0x0000000000020000-0x0000000000484000-memory.dmp

Filesize
4.4MB

Download
memory/2648-27-0x000007FEEEE10000-0x000007FEEF201000-memory.dmp

Filesize
3.9MB

Download
memory/2648-29-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-33-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-32-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-31-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-30-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-15-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-34-0x000007FEEF300000-0x000007FEEF443000-memory.dmp

Filesize
1.3MB

Download
memory/2648-36-0x000007FED0630000-0x000007FED063A000-memory.dmp

Filesize
40KB

Download
memory/2648-37-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2648-35-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-18-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2648-38-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2648-41-0x000007FEEEE10000-0x000007FEEF201000-memory.dmp

Filesize
3.9MB

Download
memory/2648-42-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-45-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-46-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-44-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-47-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-48-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/2648-49-0x000000001B030000-0x000000001B03A000-memory.dmp

Filesize
40KB

Download
memory/2648-50-0x000007FEEF300000-0x000007FEEF443000-memory.dmp

Filesize
1.3MB

Download
memory/2648-51-0x000007FED0630000-0x000007FED063A000-memory.dmp

Filesize
40KB

Download
memory/2648-52-0x000000001B030000-0x000000001B03A000-memory.dmp

Filesize
40KB

Download
memory/2648-53-0x000000001B030000-0x000000001B03A000-memory.dmp

Filesize
40KB

Download
memory/2648-57-0x000007FEEEE10000-0x000007FEEF201000-memory.dmp

Filesize
3.9MB

Download
memory/2648-58-0x000007FEEF300000-0x000007FEEF443000-memory.dmp

Filesize
1.3MB

Download
memory/2648-59-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads