| File name: | Faronics_DFS.zip |
| Full analysis: | https://app.any.run/tasks/8e7df3ce-6597-43f7-8aaf-7363df77c518 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | January 31, 2024, 22:20:21 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 68DAE0B63E600D35F45979378C83343C |
| SHA1: | C289C2F6A6E42007F26262E9E6568D4CEE5CC655 |
| SHA256: | A18B25E22C36A51E84745023198A6B98E363CC72A1DA8FFEE89CB61D44E876C0 |
| SSDEEP: | 98304:c+OmPBb1CJY+Id80IjLleiaaNU/dK9iWXUesrNJU47cY1ioV2R0nwLmx3h906+mJ:+d/YDOoFl04gBuAIwUXm0 |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1380)
- DFStd.exe (PID: 2796)
- DeepFreeze_C.exe (PID: 3644)
Creates a writable file in the system directory
- DeepFreeze_C.exe (PID: 3644)
- mofcomp.exe (PID: 1812)
- mofcomp.exe (PID: 2136)
- mofcomp.exe (PID: 3880)
Registers / Runs the DLL via REGSVR32.EXE
- DeepFreeze_C.exe (PID: 3644)
SUSPICIOUS
Executable content was dropped or overwritten
- DFStd.exe (PID: 2796)
- DeepFreeze_C.exe (PID: 3644)
Drops a system driver (possible attempt to evade defenses)
- DeepFreeze_C.exe (PID: 3644)
Creates files in the driver directory
- DeepFreeze_C.exe (PID: 3644)
Starts CMD.EXE for commands execution
- DeepFreeze_C.exe (PID: 3644)
The process executes via Task Scheduler
- ctfmon.exe (PID: 2368)
- sipnotify.exe (PID: 2380)
- sipnotify.exe (PID: 2268)
- ctfmon.exe (PID: 2256)
Reads the Internet Settings
- sipnotify.exe (PID: 2380)
- sipnotify.exe (PID: 2268)
Reads settings of System Certificates
- sipnotify.exe (PID: 2380)
- sipnotify.exe (PID: 2268)
INFO
Manual execution by a user
- DFStd.exe (PID: 2796)
- DFStd.exe (PID: 1072)
- IMEKLMG.EXE (PID: 2520)
- wmpnscfg.exe (PID: 2780)
- wmpnscfg.exe (PID: 2760)
- IMEKLMG.EXE (PID: 2512)
- IMEKLMG.EXE (PID: 2408)
- IMEKLMG.EXE (PID: 2392)
- wmpnscfg.exe (PID: 2644)
- wmpnscfg.exe (PID: 2664)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1380)
Checks supported languages
- DFStd.exe (PID: 2796)
- DeepFreeze_C.exe (PID: 3644)
- DFServ.exe (PID: 292)
- ReAgentc.exe (PID: 1196)
- IMEKLMG.EXE (PID: 2520)
- FrzState2k.exe (PID: 2888)
- wmpnscfg.exe (PID: 2760)
- wmpnscfg.exe (PID: 2780)
- DFLocker.exe (PID: 904)
- IMEKLMG.EXE (PID: 2512)
- ReAgentc.exe (PID: 1184)
- IMEKLMG.EXE (PID: 2392)
- IMEKLMG.EXE (PID: 2408)
- wmpnscfg.exe (PID: 2644)
- FrzState2k.exe (PID: 2772)
- wmpnscfg.exe (PID: 2664)
Reads the computer name
- DFStd.exe (PID: 2796)
- DeepFreeze_C.exe (PID: 3644)
- DFServ.exe (PID: 292)
- IMEKLMG.EXE (PID: 2520)
- wmpnscfg.exe (PID: 2760)
- wmpnscfg.exe (PID: 2780)
- FrzState2k.exe (PID: 2888)
- IMEKLMG.EXE (PID: 2512)
- DFLocker.exe (PID: 904)
- wmpnscfg.exe (PID: 2644)
- IMEKLMG.EXE (PID: 2392)
- IMEKLMG.EXE (PID: 2408)
- wmpnscfg.exe (PID: 2664)
- FrzState2k.exe (PID: 2772)
Reads the machine GUID from the registry
- DFStd.exe (PID: 2796)
- DeepFreeze_C.exe (PID: 3644)
- FrzState2k.exe (PID: 2888)
- FrzState2k.exe (PID: 2772)
Create files in a temporary directory
- DFStd.exe (PID: 2796)
- DeepFreeze_C.exe (PID: 3644)
- mofcomp.exe (PID: 3880)
- mofcomp.exe (PID: 2136)
- mofcomp.exe (PID: 1812)
- FrzState2k.exe (PID: 2888)
- FrzState2k.exe (PID: 2772)
Creates files in the program directory
- DFStd.exe (PID: 2796)
- DeepFreeze_C.exe (PID: 3644)
- FrzState2k.exe (PID: 2888)
- FrzState2k.exe (PID: 2772)
Reads security settings of Internet Explorer
- sipnotify.exe (PID: 2380)
- sipnotify.exe (PID: 2268)
Process checks whether UAC notifications are on
- IMEKLMG.EXE (PID: 2512)
- IMEKLMG.EXE (PID: 2520)
- IMEKLMG.EXE (PID: 2408)
- IMEKLMG.EXE (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:08:24 13:38:04 |
| ZipCRC: | 0xf799afb8 |
| ZipCompressedSize: | 12229092 |
| ZipUncompressedSize: | 17961904 |
| ZipFileName: | Faronics_DFS/DFStd.exe |
Total processes
167
Monitored processes
32
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 292 | "C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe" /INSTALL /SILENT | C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe | — | DeepFreeze_C.exe | |||||||||||
User: admin Company: Faronics Corporation Integrity Level: HIGH Description: Deep Freeze Service Exit code: 0 Version: 8,71,20,5734 Modules
| |||||||||||||||
| 904 | "C:\Windows\TEMP\DFLocker.exe" | C:\Windows\Temp\DFLocker.exe | — | DFServ.exe | |||||||||||
User: SYSTEM Company: Faronics Corporation Integrity Level: SYSTEM Description: Deep Freeze Show Message Helper Exit code: 0 Version: 8,71,20,5734 Modules
| |||||||||||||||
| 944 | C:\Windows\system32\regsvr32.exe /s /u "C:\Program Files\Faronics\Deep Freeze\Install C-0\DeepFreezeAdapter.dll" | C:\Windows\System32\regsvr32.exe | — | DFServ.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 948 | C:\Windows\system32\regsvr32.exe /s /u "C:\Program Files\Faronics\Deep Freeze\Install C-0\DeepFreezeAdapter.dll" | C:\Windows\System32\regsvr32.exe | — | DFServ.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1072 | "C:\Users\admin\Desktop\Faronics_DFS\DFStd.exe" | C:\Users\admin\Desktop\Faronics_DFS\DFStd.exe | — | explorer.exe | |||||||||||
User: admin Company: Faronics Corporation Integrity Level: MEDIUM Description: Install program for Deep Freeze Standard Exit code: 3221226540 Version: 8,71,20,5734 Modules
| |||||||||||||||
| 1156 | C:\Windows\system32\regsvr32.exe /s "C:\Program Files\Faronics\Deep Freeze\Install C-0\DeepFreezeAdapter.dll" | C:\Windows\System32\regsvr32.exe | — | DFServ.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1160 | C:\Windows\system32\regsvr32.exe /s "C:\Program Files\Faronics\Deep Freeze\Install C-0\DeepFreezeAdapter.dll" | C:\Windows\System32\regsvr32.exe | — | DFServ.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1184 | C:\WINDOWS\SYSTEM32\ReagentC.exe /disable | C:\Windows\System32\ReAgentc.exe | — | DFServ.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 1196 | C:\Windows\system32\regsvr32.exe /s /u "C:\Program Files\Faronics\Deep Freeze\Install C-0\DeepFreezeAdapter.dll" | C:\Windows\System32\regsvr32.exe | — | DeepFreeze_C.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1196 | C:\WINDOWS\SYSTEM32\ReagentC.exe /disable | C:\Windows\System32\ReAgentc.exe | — | DFServ.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
Total events
14 727
Read events
14 529
Write events
122
Delete events
76
Modification events
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1380) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
Executable files
15
Suspicious files
21
Text files
27
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\Documentation\Deutsch\Deep Freeze Standard Benutzerhandbuch.url | url | |
MD5:44CC280F6869F8A1D28770A752437CD2 | SHA256:2593A4A6A82A8558F4E2BEA001643A55FC6A2E7955F50295DEA3F3538C99236C | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\Documentation\English\Data Igloo User Guide.url | url | |
MD5:5954FE160C4533AB2113261D327F2C5F | SHA256:A72F11F35CBEEC043F08468CD4D8E8605FB0907A85D3D36ABF65F39A5481EEEB | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\Documentation\English\Deep Freeze Standard User Guide.url | url | |
MD5:31190415F7A9D269A21678247E007F88 | SHA256:AE6AF8377B14D1744DF3ABF3AED7A427D69E5479C09D98968164C3869FE21F9B | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\DFStd.exe | executable | |
MD5:1FD10393197F95E322BAF28B5E6C9584 | SHA256:3AFF5169EEB9CED019B158169B300C344032BBD8FCEDAA0C1686C48C7AB108BD | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\Documentation\Francais\Data Igloo Manuel de l'utilisateur.url | url | |
MD5:872381DC88E9248E51ECD9B8602D3935 | SHA256:3ED7D402D7F754FA4D774D47521CBBDEA734AED37E54FBA4D3AE32A59AC08AB2 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\Documentation\Francais\Deep Freeze Standard Manuel de l'utilisateur.url | url | |
MD5:5C078540122FEC4C04685284BC39D691 | SHA256:5A9E03416841356767528DCC9F68C622FA531C3D2AC6DB1822A3E9272E3884EB | |||
| 2796 | DFStd.exe | C:\DFInstall.log | text | |
MD5:469C08354D28E61086D3C23925A4BD2F | SHA256:631BFAF8EDB54983FE138DBCBA79CE19677344572A4CE79BF2033A4440595483 | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\Documentation\Japanese\Deep Freeze Standard User Guide.url | url | |
MD5:F143037F4CDAD5E228840F4C855D8DA6 | SHA256:4BAA1E3D54352386C5B9D62DEFA3989D7CB46D290BACD8E0FC3D4AEC51B823BE | |||
| 1380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1380.13847\Faronics_DFS\Redirect_User_Profiles_and_Folders\Faronics_Data_Igloo.url | text | |
MD5:C9E3064E81572C12F188646775EB8E0F | SHA256:774258D1A739F3ABF37E82A101708FFB83C1A6AE933AE1E0410F7459CBE3C14F | |||
| 2796 | DFStd.exe | C:\Users\admin\AppData\Local\Temp\_$Df\DFStdInstall.sib | binary | |
MD5:BB31B05EEF8748A0AA0BCC310F2E1E70 | SHA256:08B602CD351C810D572F48DE149FFD9A851D67EC3D8E6D2FF87EAAF3C87E4EA9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
24
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2380 | sipnotify.exe | HEAD | 200 | 23.197.138.118:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133512133936710000 | unknown | — | — | unknown |
2380 | sipnotify.exe | HEAD | 200 | 23.197.138.118:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133512134705460000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1736 | svchost.exe | 239.255.255.250:3702 | — | — | — | unknown |
1388 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2380 | sipnotify.exe | 23.197.138.118:80 | query.prod.cms.rt.microsoft.com | Akamai International B.V. | US | unknown |
2888 | FrzState2k.exe | 50.112.159.225:443 | connector.deepfreeze.com | AMAZON-02 | US | unknown |
1724 | svchost.exe | 239.255.255.250:3702 | — | — | — | unknown |
1388 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |
connector.deepfreeze.com |
| unknown |