Malware Analysis Report

2024-10-23 19:45

Sample ID: 240423-ypp62sbd62
Target: DeepFreeze.exe
SHA256: 69ca4d42492cef4caa9e2b85988c13e0dda8e8d8d962dd1cc3fc4adb4b3478f1
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 69ca4d42492cef4caa9e2b85988c13e0dda8e8d8d962dd1cc3fc4adb4b3478f1

Threat Level: Known bad

The file DeepFreeze.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-23 19:57

Signatures

Nanocore family

nanocore

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-23 19:57

Reported: 2024-04-23 20:00

Platform: win10v2004-20240226-en

Max time kernel: 145s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SMTP Subsystem\smtpss.exe C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A
File opened for modification C:\Program Files (x86)\SMTP Subsystem\smtpss.exe C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe

"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe

"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 232.98.6.3.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 182.115.6.3.in-addr.arpa udp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 127.0.0.1:15030 N/A tcp
GB 142.250.187.234:443 N/A tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 159.185.200.23.in-addr.arpa udp
N/A 127.0.0.1:15030 N/A tcp
US 13.107.246.64:443 N/A tcp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.30.85:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 85.30.6.3.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp
N/A 127.0.0.1:15030 N/A tcp

Files

memory/4888-0-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/4888-1-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/4888-2-0x0000000001800000-0x0000000001810000-memory.dmp

memory/4888-5-0x0000000001800000-0x0000000001810000-memory.dmp

memory/4888-6-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/4888-7-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/4888-8-0x0000000001800000-0x0000000001810000-memory.dmp

memory/4888-9-0x0000000001800000-0x0000000001810000-memory.dmp

memory/1704-10-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1704-11-0x0000000001610000-0x0000000001620000-memory.dmp

memory/1704-12-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1704-14-0x00000000750D0000-0x0000000075681000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-23 19:57

Reported: 2024-04-23 20:00

Platform: win7-20231129-en

Max time kernel: 146s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\TCP Service\tcpsv.exe C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A
File created C:\Program Files (x86)\TCP Service\tcpsv.exe C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe

"C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.30.85:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.30.85:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.98.232:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.30.85:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.64:15030 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.182:15030 0.tcp.in.ngrok.io tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
N/A 127.0.0.1:15030 N/A tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.115.64:15030 0.tcp.in.ngrok.io tcp

Files

memory/2352-0-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2352-1-0x0000000000C70000-0x0000000000CB0000-memory.dmp

memory/2352-2-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2352-5-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2352-6-0x0000000000C70000-0x0000000000CB0000-memory.dmp