Analysis
- max time kernel: 109s
- max time network: 102s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23-04-2024 20:07
Behavioral task
- behavioral1
- Sample: DeepFreeze2.exe
- Resource: win10v2004-20240412-en
- 6 signatures
- 150 seconds
General
- Target: DeepFreeze2.exe
- Size: 202KB
- MD5: 83ec608306ccd5d3e266dd4b905b4d74
- SHA1: 2e687938ea90c5a29b556262e14f5681d77a1b05
- SHA256: 43e23435f86b410624d67ff00f323652262871be7d5efaf40c336ea59a570149
- SHA512: 396715f7a400d8b967b92d079fd6404f98d698ea8d9924f2f73f1dc8e241e4ddf92093343746a0cad9d8d653eff9c9e2a108311a97d49ee7d9d08a336888de19
- SSDEEP: 6144:QLV6Bta6dtJmakIM5tlE4UXkD2rovrO6mlOw:QLV6Btpmk624ttvr5w
Malware Config
Signatures
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DeepFreeze2.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
  Processes (flow | ioc):
  11, 25, 30, 32, 2, 4, 6, 13, 15, 21, 23, 34 | 0.tcp.in.ngrok.io (all 12 flows resolve to the same host)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  2996 | DeepFreeze2.exe (8 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  2996 | DeepFreeze2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2996 | DeepFreeze2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe"
  PID: 2996
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  PID: 584
- C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze2.exe"
  PID: 540