Analysis
- max time kernel: 111s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-04-2024 20:07
Behavioral task: behavioral1
- Sample: DeepFreeze2.exe
- Resource: win10v2004-20240412-en
- 6 signatures
- 150 seconds
General
- Target: DeepFreeze2.exe
- Size: 202KB
- MD5: 83ec608306ccd5d3e266dd4b905b4d74
- SHA1: 2e687938ea90c5a29b556262e14f5681d77a1b05
- SHA256: 43e23435f86b410624d67ff00f323652262871be7d5efaf40c336ea59a570149
- SHA512: 396715f7a400d8b967b92d079fd6404f98d698ea8d9924f2f73f1dc8e241e4ddf92093343746a0cad9d8d653eff9c9e2a108311a97d49ee7d9d08a336888de19
- SSDEEP: 6144:QLV6Bta6dtJmakIM5tlE4UXkD2rovrO6mlOw:QLV6Btpmk624ttvr5w
Malware Config
Signatures

Checks whether UAC is enabled
Processes:
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: DeepFreeze2.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
Processes (flow / ioc):
- 42: 0.tcp.in.ngrok.io
- 45: 0.tcp.in.ngrok.io
- 61: 0.tcp.in.ngrok.io
- 72: 0.tcp.in.ngrok.io
- 95: 0.tcp.in.ngrok.io
- 114: 0.tcp.in.ngrok.io
- 116: 0.tcp.in.ngrok.io
- 8: 0.tcp.in.ngrok.io
- 28: 0.tcp.in.ngrok.io
- 75: 0.tcp.in.ngrok.io
- 91: 0.tcp.in.ngrok.io
- 112: 0.tcp.in.ngrok.io

Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes (pid / process):
- 4772: DeepFreeze2.exe (17 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid / process):
- 4772: DeepFreeze2.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- description: Token: SeDebugPrivilege
  pid: 4772
  process: DeepFreeze2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe"
  PID: 4772
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 116
- C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe"
  PID: 4100