Analysis Overview
SHA256
69ca4d42492cef4caa9e2b85988c13e0dda8e8d8d962dd1cc3fc4adb4b3478f1
Threat Level: Known bad
The file DeepFreeze.exe was found to be: Known bad.
Malicious Activity Summary
Nanocore family
NanoCore
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-23 19:57
Signatures
Nanocore family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-23 19:57
Reported
2024-04-23 20:00
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 232.98.6.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 182.115.6.3.in-addr.arpa | udp |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:15030 | tcp | |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.185.200.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 208.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.30.85:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 85.30.6.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 163.126.19.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:15030 | tcp |
Files
memory/4888-0-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/4888-1-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/4888-2-0x0000000001800000-0x0000000001810000-memory.dmp
memory/4888-5-0x0000000001800000-0x0000000001810000-memory.dmp
memory/4888-6-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/4888-7-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/4888-8-0x0000000001800000-0x0000000001810000-memory.dmp
memory/4888-9-0x0000000001800000-0x0000000001810000-memory.dmp
memory/1704-10-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/1704-11-0x0000000001610000-0x0000000001620000-memory.dmp
memory/1704-12-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/1704-14-0x00000000750D0000-0x0000000075681000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-23 19:57
Reported
2024-04-23 20:00
Platform
win7-20231129-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
| File created | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.30.85:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.30.85:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.98.232:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.30.85:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.64:15030 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.182:15030 | 0.tcp.in.ngrok.io | tcp |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| N/A | 127.0.0.1:15030 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.115.64:15030 | 0.tcp.in.ngrok.io | tcp |
Files
memory/2352-0-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/2352-1-0x0000000000C70000-0x0000000000CB0000-memory.dmp
memory/2352-2-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/2352-5-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/2352-6-0x0000000000C70000-0x0000000000CB0000-memory.dmp