Analysis
max time kernel: 148s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-04-2024 20:11
Behavioral task
behavioral1
Sample: DeepFreeze3.exe
Resource: win7-20240221-en
6 signatures
150 seconds
General
Target: DeepFreeze3.exe
Size: 202KB
MD5: 638057af238763e319b034c984156cfe
SHA1: 1e7f30c505182ef7f4ea704d495bbde942682e42
SHA256: 283655432a294659d3532ab8624eab8b8ce6e7dade0a7eb98107f2a77186489c
SHA512: beb8204be20e2377f33f20c772a71e7d98707de1879f37ed46053431037d692d8ae850f8ed1a8c77cdc0f13b717992665ee5710e5043cbae8a1df25792dcdcfb
SSDEEP: 6144:gLV6Bta6dtJmakIM5SlE4UXkD2rovrO6mlOZ:gLV6BtpmkN24ttvr5Z
Malware Config
Signatures
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DeepFreeze3.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
Processes:
flow | ioc
517 | 0.tcp.in.ngrok.io
260 | 0.tcp.in.ngrok.io
411 | 0.tcp.in.ngrok.io
32 | 0.tcp.in.ngrok.io
171 | 0.tcp.in.ngrok.io
295 | 0.tcp.in.ngrok.io
443 | 0.tcp.in.ngrok.io
515 | 0.tcp.in.ngrok.io
3 | 0.tcp.in.ngrok.io
278 | 0.tcp.in.ngrok.io
154 | 0.tcp.in.ngrok.io
385 | 0.tcp.in.ngrok.io
512 | 0.tcp.in.ngrok.io
12 | 0.tcp.in.ngrok.io
135 | 0.tcp.in.ngrok.io
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
3592 | DeepFreeze3.exe
3592 | DeepFreeze3.exe
3592 | DeepFreeze3.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3592 | DeepFreeze3.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3592 | DeepFreeze3.exe
Token: SeManageVolumePrivilege | 2772 | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\DeepFreeze3.exe
command line: "C:\Users\Admin\AppData\Local\Temp\DeepFreeze3.exe"
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID: 3592

C:\Windows\system32\rundll32.exe
command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
PID: 3060

C:\Windows\System32\svchost.exe
command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
- Suspicious use of AdjustPrivilegeToken
PID: 2772