Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-04-2024 19:57

General

  • Target

    DeepFreeze.exe

  • Size

    202KB

  • MD5

    606d848584caad00d05e933758bc2620

  • SHA1

    7dce40e1d7dfb125570c0a2445264b7791967e6b

  • SHA256

    69ca4d42492cef4caa9e2b85988c13e0dda8e8d8d962dd1cc3fc4adb4b3478f1

  • SHA512

    3e66acb0a21ad606bcb78721a46fd513e702723cd31adbf04506ac1d74cc974111b3c0b84c3f471d1096b884c27c943bcbac463f7d8c63b6e55d53cb2ccfd945

  • SSDEEP

    6144:gLV6Bta6dtJmakIM5elE4UXkD2rovrO6mlOdu:gLV6Btpmkt24ttvr5du

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
    "C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:4888
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1152
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2392
      • C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
        "C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
        1⤵
          PID:1704

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1704-10-0x00000000750D0000-0x0000000075681000-memory.dmp

          Filesize

          5.7MB

        • memory/1704-11-0x0000000001610000-0x0000000001620000-memory.dmp

          Filesize

          64KB

        • memory/1704-12-0x00000000750D0000-0x0000000075681000-memory.dmp

          Filesize

          5.7MB

        • memory/1704-14-0x00000000750D0000-0x0000000075681000-memory.dmp

          Filesize

          5.7MB

        • memory/4888-0-0x00000000750D0000-0x0000000075681000-memory.dmp

          Filesize

          5.7MB

        • memory/4888-1-0x00000000750D0000-0x0000000075681000-memory.dmp

          Filesize

          5.7MB

        • memory/4888-2-0x0000000001800000-0x0000000001810000-memory.dmp

          Filesize

          64KB

        • memory/4888-5-0x0000000001800000-0x0000000001810000-memory.dmp

          Filesize

          64KB

        • memory/4888-6-0x00000000750D0000-0x0000000075681000-memory.dmp

          Filesize

          5.7MB

        • memory/4888-7-0x00000000750D0000-0x0000000075681000-memory.dmp

          Filesize

          5.7MB

        • memory/4888-8-0x0000000001800000-0x0000000001810000-memory.dmp

          Filesize

          64KB

        • memory/4888-9-0x0000000001800000-0x0000000001810000-memory.dmp

          Filesize

          64KB