Analysis
max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-04-2024 20:03
Behavioral task
behavioral1
Sample
DeepFreeze.exe
Resource
win7-20240220-en
8 signatures
150 seconds
General
Target
DeepFreeze.exe
Size
202KB
MD5
606d848584caad00d05e933758bc2620
SHA1
7dce40e1d7dfb125570c0a2445264b7791967e6b
SHA256
69ca4d42492cef4caa9e2b85988c13e0dda8e8d8d962dd1cc3fc4adb4b3478f1
SHA512
3e66acb0a21ad606bcb78721a46fd513e702723cd31adbf04506ac1d74cc974111b3c0b84c3f471d1096b884c27c943bcbac463f7d8c63b6e55d53cb2ccfd945
SSDEEP
6144:gLV6Bta6dtJmakIM5elE4UXkD2rovrO6mlOdu:gLV6Btpmkt24ttvr5du
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: DeepFreeze.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Manager = "C:\\Program Files (x86)\\SAAS Manager\\saasmgr.exe"
process: DeepFreeze.exe
Checks whether UAC is enabled
Processes: DeepFreeze.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: DeepFreeze.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 15 IoCs)
Processes:
flow  ioc
133   0.tcp.in.ngrok.io
238   0.tcp.in.ngrok.io
311   0.tcp.in.ngrok.io
410   0.tcp.in.ngrok.io
213   0.tcp.in.ngrok.io
297   0.tcp.in.ngrok.io
325   0.tcp.in.ngrok.io
224   0.tcp.in.ngrok.io
379   0.tcp.in.ngrok.io
4     0.tcp.in.ngrok.io
54    0.tcp.in.ngrok.io
105   0.tcp.in.ngrok.io
38    0.tcp.in.ngrok.io
118   0.tcp.in.ngrok.io
395   0.tcp.in.ngrok.io
Drops file in Program Files directory (2 IoCs)
Processes: DeepFreeze.exe
description: File created
ioc: C:\Program Files (x86)\SAAS Manager\saasmgr.exe
process: DeepFreeze.exe
description: File opened for modification
ioc: C:\Program Files (x86)\SAAS Manager\saasmgr.exe
process: DeepFreeze.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes: DeepFreeze.exe
pid   process
2308  DeepFreeze.exe (this entry is repeated 19 times in the report)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: DeepFreeze.exe
pid   process
2308  DeepFreeze.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: DeepFreeze.exe
description              pid   process
Token: SeDebugPrivilege  2308  DeepFreeze.exe
Processes
C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 2308
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1244
C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze.exe"
  PID: 1480