1ffaef081b66fba6d95e34d3c7c70b6958f6f76702bea07205162bba32387b1a

General

Target

ChilledWindows.GUI.exe
Size

4.3MB
MD5

74ff57825e5256a5e145c246bdf55a48
SHA1

a09c4666725ee3791a46018899c977747751003c
SHA256

1ffaef081b66fba6d95e34d3c7c70b6958f6f76702bea07205162bba32387b1a
SHA512

207a63aef56a8941e2560be4242c107e93fa108f837dca59d04092b295cc685d7848840c8920ac7e415671d5902bf080b4ff8bcddfc88182315d9da4c8d39515
SSDEEP

98304:U3on4k4113jdraOptUIQu8GMuwxzrH+zpCYP/KTAurli:U3on4HjtUT3kUrHG0a

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	CHROMI~2.EXE

Executes dropped EXE 2 IoCs

pid	Process
544	CHROMI~2.EXE
2476	helper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ChilledWindows.GUI.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	helper.exe
File opened (read-only)	\??\K:	helper.exe
File opened (read-only)	\??\L:	helper.exe
File opened (read-only)	\??\M:	helper.exe
File opened (read-only)	\??\V:	helper.exe
File opened (read-only)	\??\Y:	helper.exe
File opened (read-only)	\??\Z:	helper.exe
File opened (read-only)	\??\A:	helper.exe
File opened (read-only)	\??\B:	helper.exe
File opened (read-only)	\??\E:	helper.exe
File opened (read-only)	\??\O:	helper.exe
File opened (read-only)	\??\S:	helper.exe
File opened (read-only)	\??\X:	helper.exe
File opened (read-only)	\??\I:	helper.exe
File opened (read-only)	\??\Q:	helper.exe
File opened (read-only)	\??\W:	helper.exe
File opened (read-only)	\??\G:	helper.exe
File opened (read-only)	\??\J:	helper.exe
File opened (read-only)	\??\N:	helper.exe
File opened (read-only)	\??\P:	helper.exe
File opened (read-only)	\??\R:	helper.exe
File opened (read-only)	\??\T:	helper.exe
File opened (read-only)	\??\U:	helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{71980143-C876-4617-B88F-7B3C2C3DA945}	helper.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2476	helper.exe
Token: SeCreatePagefilePrivilege	2476	helper.exe
Token: 33	864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	864	AUDIODG.EXE
Token: SeShutdownPrivilege	2476	helper.exe
Token: SeCreatePagefilePrivilege	2476	helper.exe
Token: SeShutdownPrivilege	2476	helper.exe
Token: SeCreatePagefilePrivilege	2476	helper.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2476	helper.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 544	2860	ChilledWindows.GUI.exe	89
PID 2860 wrote to memory of 544	2860	ChilledWindows.GUI.exe	89
PID 544 wrote to memory of 2476	544	CHROMI~2.EXE	99
PID 544 wrote to memory of 2476	544	CHROMI~2.EXE	99

C:\Users\Admin\AppData\Local\Temp\ChilledWindows.GUI.exe
"C:\Users\Admin\AppData\Local\Temp\ChilledWindows.GUI.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHROMI~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHROMI~2.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\helper.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\helper.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
310d84a8905c3342ee1b607659cd6234

SHA1
e73d156649f0367de303a60ddf94528551f3f4c6

SHA256
61ca8e64187cb310455fbddf53429728857dff9796962fc67f6753c08df35f6b

SHA512
03990ac7a64b73701ddfba19aeebfca4d31f79554027b2441eac8ed9ab72516d0fbda7657e8b1735978392dc0331f9bba829c0cb9cf5b01aa7a141489d36513f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHROMI~2.EXE

Filesize
13KB

MD5
b840b27df10b80d7d17e7ba88fe549ca

SHA1
2769b3696b80aa8048fbab5e08629c7369810499

SHA256
63ed16670362ddbc0fb96d2762c84f68073988d1f1f49fc4f064fad56076287e

SHA512
f1ceeacdbb4101b8e985878f2444840e3aa1dfe0fc2d241ebffbff48b00abf1d895425dbb1833b3a69e93b5edcf291b57c289e6b0d8ff072e7a0d1278f26ceea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\helper.exe

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\helper.exe

Filesize
2.5MB

MD5
32e070b06f80b5fdc457443efc632a29

SHA1
5718e1df5dc1ead2359571635a4914cf90ae5e1b

SHA256
18fa3854faaaf7f10574c326ea00063e34530bac5a624c969d0e382d80cef7af

SHA512
236e9edc2af396ac72196c832a5892af203c9082519e79f016aa15717f8b6670035c4e1de7e367d129dbce7d30a9aa0bc16c2872e3969f1be93908b40bc170d8

Download Submit
memory/544-14-0x00007FFD60900000-0x00007FFD613C1000-memory.dmp

Filesize
10.8MB

Download
memory/544-9-0x000002394FB20000-0x000002394FB30000-memory.dmp

Filesize
64KB

Download
memory/544-7-0x0000023935570000-0x000002393557A000-memory.dmp

Filesize
40KB

Download
memory/544-8-0x00007FFD60900000-0x00007FFD613C1000-memory.dmp

Filesize
10.8MB

Download
memory/2476-33-0x0000000021550000-0x000000002155E000-memory.dmp

Filesize
56KB

Download
memory/2476-16-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-28-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-30-0x00000000214D0000-0x00000000214D8000-memory.dmp

Filesize
32KB

Download
memory/2476-31-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-15-0x00000000006C0000-0x0000000000B24000-memory.dmp

Filesize
4.4MB

Download
memory/2476-32-0x0000000021580000-0x00000000215B8000-memory.dmp

Filesize
224KB

Download
memory/2476-17-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-13-0x00007FFD60900000-0x00007FFD613C1000-memory.dmp

Filesize
10.8MB

Download
memory/2476-51-0x00007FFD60900000-0x00007FFD613C1000-memory.dmp

Filesize
10.8MB

Download
memory/2476-52-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-53-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-54-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-56-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-55-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/2476-70-0x00007FFD60900000-0x00007FFD613C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads