Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-04-2024 19:57
Behavioral task: behavioral1
- Sample: DeepFreeze.exe
- Resource: win7-20231129-en
- 8 signatures
- 150 seconds
General
- Target: DeepFreeze.exe
- Size: 202KB
- MD5: 606d848584caad00d05e933758bc2620
- SHA1: 7dce40e1d7dfb125570c0a2445264b7791967e6b
- SHA256: 69ca4d42492cef4caa9e2b85988c13e0dda8e8d8d962dd1cc3fc4adb4b3478f1
- SHA512: 3e66acb0a21ad606bcb78721a46fd513e702723cd31adbf04506ac1d74cc974111b3c0b84c3f471d1096b884c27c943bcbac463f7d8c63b6e55d53cb2ccfd945
- SSDEEP: 6144:gLV6Bta6dtJmakIM5elE4UXkD2rovrO6mlOdu:gLV6Btpmkt24ttvr5du
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: DeepFreeze.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | DeepFreeze.exe
  Note: the value lands in the WOW6432Node view, which is what a 32-bit process sees when it writes HKLM\SOFTWARE; it points at the file the sample itself drops (see "Drops file in Program Files directory"), so the dropped copy, not the original in %TEMP%, is what runs at the next logon. Writing an HKLM Run value and dropping into Program Files both require administrative rights; on a host where the sample is not elevated these two steps fail.

- Checks whether UAC is enabled
  Process: DeepFreeze.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DeepFreeze.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 15 IoCs)
  flow | ioc
  11, 24, 27, 67, 69, 72, 81, 83, 85, 97, 99, 101, 107, 109, 111 | 0.tcp.in.ngrok.io
  All 15 flows resolve the same ngrok TCP tunnel endpoint (0.tcp.in.ngrok.io); the actual C2 listener sits behind the tunnel, so the hostname and the tunnel port, not an IP, are the durable indicators.

- Drops file in Program Files directory (2 IoCs)
  Process: DeepFreeze.exe
  description | ioc | process
  File created | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | DeepFreeze.exe
  File opened for modification | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | DeepFreeze.exe

- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | process
  4888 | DeepFreeze.exe (23 occurrences)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  4888 | DeepFreeze.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 4888 | DeepFreeze.exe
Processes (all four entries are top-level processes; none is a child of another)

- C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
  PID: 4888
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 1152

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2392

- C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
  PID: 1704
  (second instance of the sample; no signatures are attributed to it)