acbf56c935ee70f6ed11eb6dbc790a030bab97f69f2166a74df0a4bd709fa2e0

Analysis

max time kernel
83s
max time network
89s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/05/2023, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freedomgpt-1.1.2.Setup.exe
Size

94.8MB
MD5

d5a4206a94a54ef822c7fb919f50df81
SHA1

e1ec3f08578b2f8e342fdb4527194fb115a44acc
SHA256

acbf56c935ee70f6ed11eb6dbc790a030bab97f69f2166a74df0a4bd709fa2e0
SHA512

bc2c48258af79bf5d9b97dd0a35d7deb8d03a64a4174614a06860948ae4bc48ccb3cfd14e8a342b31d6484ba87c4c03c450cfd1916dd9f3f5e6d858946e316c5
SSDEEP

1572864:cSpvrBAu74kSOkPFYmRw+N61uKtWYNvRz4G1Q+NzYY2qYtc391NCHnF1FLTcPrq1:/bAuMOkdYvptjhZ4eQ+Nb2qYtc39jCHL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2024	Update.exe
1640	Squirrel.exe
1096	freedomgpt.exe
1324	freedomgpt.exe

Loads dropped DLL 6 IoCs

pid	Process
1204	freedomgpt-1.1.2.Setup.exe
2024	Update.exe
2024	Update.exe
2024	Update.exe
1096	freedomgpt.exe
1324	freedomgpt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Update.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	Update.exe
2024	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2024	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2024	1204	freedomgpt-1.1.2.Setup.exe	28
PID 1204 wrote to memory of 2024	1204	freedomgpt-1.1.2.Setup.exe	28
PID 1204 wrote to memory of 2024	1204	freedomgpt-1.1.2.Setup.exe	28
PID 1204 wrote to memory of 2024	1204	freedomgpt-1.1.2.Setup.exe	28
PID 2024 wrote to memory of 1640	2024	Update.exe	29
PID 2024 wrote to memory of 1640	2024	Update.exe	29
PID 2024 wrote to memory of 1640	2024	Update.exe	29
PID 2024 wrote to memory of 1096	2024	Update.exe	30
PID 2024 wrote to memory of 1096	2024	Update.exe	30
PID 2024 wrote to memory of 1096	2024	Update.exe	30
PID 2024 wrote to memory of 1324	2024	Update.exe	31
PID 2024 wrote to memory of 1324	2024	Update.exe	31
PID 2024 wrote to memory of 1324	2024	Update.exe	31

C:\Users\Admin\AppData\Local\Temp\freedomgpt-1.1.2.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\freedomgpt-1.1.2.Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\Squirrel.exe
    "C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe
    "C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe" --squirrel-install 1.1.2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1096
- - C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe
    "C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FreedomGPT\Update.exe

Filesize
2.2MB

MD5
d497e00ee09558c69ac90563a17272bb

SHA1
b6e98269379983aa4d04bcb504078d7e00d16985

SHA256
c154edf405b68dc8b23137708659fdacd5d7879b914b45f575814e325aa218ae

SHA512
1dcf67690e378a39f5813b4a149ede16f325d8aa20817bbfee39ccb63043dc5c1d90975842cdf89d49ae440e6732e7cc6995969de262893b2123128a5c7ca913

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\Squirrel.exe

Filesize
2.2MB

MD5
d497e00ee09558c69ac90563a17272bb

SHA1
b6e98269379983aa4d04bcb504078d7e00d16985

SHA256
c154edf405b68dc8b23137708659fdacd5d7879b914b45f575814e325aa218ae

SHA512
1dcf67690e378a39f5813b4a149ede16f325d8aa20817bbfee39ccb63043dc5c1d90975842cdf89d49ae440e6732e7cc6995969de262893b2123128a5c7ca913

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\ffmpeg.dll

Filesize
2.7MB

MD5
4578f9620450f9a52e205e7376cc901e

SHA1
ff13f7d3bef452dd8407fc5c2396939126395225

SHA256
822f56cc057c37b6c368fc8642ad74ff56ba39a9255b3b18bfeabc7a74aff307

SHA512
b1d584f47a452e67510b6f79e4f4bd24639c03bfca81e605ee3e86bb21d641b24988bb0bc788b3826d9c9d569867f71b67f818a5e46d5296bd1e937219919562

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe

Filesize
154.8MB

MD5
cb6c576881b0e237f982dfde6d552d40

SHA1
057634b4e70165462108310e23079f5f1ab7d851

SHA256
da3b3004d26e89677f3d8ee43f4fe24c72b621c8ae27e81558d7bae7dcbd890c

SHA512
62a689b4536ba470863ad4e36b553fc03a8a3637501fdcf4120cc87fb14050a9fab62ba07b160612c4bef37a51c10ba5790509e482fa0454517d343af5541b25

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe

Filesize
154.8MB

MD5
cb6c576881b0e237f982dfde6d552d40

SHA1
057634b4e70165462108310e23079f5f1ab7d851

SHA256
da3b3004d26e89677f3d8ee43f4fe24c72b621c8ae27e81558d7bae7dcbd890c

SHA512
62a689b4536ba470863ad4e36b553fc03a8a3637501fdcf4120cc87fb14050a9fab62ba07b160612c4bef37a51c10ba5790509e482fa0454517d343af5541b25

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe

Filesize
154.8MB

MD5
cb6c576881b0e237f982dfde6d552d40

SHA1
057634b4e70165462108310e23079f5f1ab7d851

SHA256
da3b3004d26e89677f3d8ee43f4fe24c72b621c8ae27e81558d7bae7dcbd890c

SHA512
62a689b4536ba470863ad4e36b553fc03a8a3637501fdcf4120cc87fb14050a9fab62ba07b160612c4bef37a51c10ba5790509e482fa0454517d343af5541b25

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\squirrel.exe

Filesize
2.2MB

MD5
d497e00ee09558c69ac90563a17272bb

SHA1
b6e98269379983aa4d04bcb504078d7e00d16985

SHA256
c154edf405b68dc8b23137708659fdacd5d7879b914b45f575814e325aa218ae

SHA512
1dcf67690e378a39f5813b4a149ede16f325d8aa20817bbfee39ccb63043dc5c1d90975842cdf89d49ae440e6732e7cc6995969de262893b2123128a5c7ca913

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\packages\FreedomGPT-1.1.2-full.nupkg

Filesize
93.6MB

MD5
37c95f0480adc8344d6756ed3b1b1915

SHA1
87b646bae61c4772aaa4aa1d0f4d124ed1872f7f

SHA256
30ebe368fe9af14aac037d0184d38392790176334230a8ea19cb6ca2acea593c

SHA512
7a7f70044efa24e72690565a0986f50b3e42e852a49b47e77fe221b85112581517bdf7f023cc6867fa0ed32bbbba246765ba2985120bfc3bc5d3425827a6f122

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\packages\RELEASES

Filesize
80B

MD5
b84ff889e260632254edec108b59460f

SHA1
06d78c28c8f597563a4ca4b19f21a2f7a31aa766

SHA256
e3e90e4989ae8cc0f62adfe969b153ed328d353951f4144858a87576248825ef

SHA512
1638ff0b33d9cf6a7e4acc472149b7905771f952dc270f00eda282fc15b28f8a3f73f8b2d9314627b33c0cdc592435f65e8620f8586e16e73e1e5c842c054abc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\FreedomGPT-1.1.2-full.nupkg

Filesize
93.6MB

MD5
37c95f0480adc8344d6756ed3b1b1915

SHA1
87b646bae61c4772aaa4aa1d0f4d124ed1872f7f

SHA256
30ebe368fe9af14aac037d0184d38392790176334230a8ea19cb6ca2acea593c

SHA512
7a7f70044efa24e72690565a0986f50b3e42e852a49b47e77fe221b85112581517bdf7f023cc6867fa0ed32bbbba246765ba2985120bfc3bc5d3425827a6f122

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
80B

MD5
b84ff889e260632254edec108b59460f

SHA1
06d78c28c8f597563a4ca4b19f21a2f7a31aa766

SHA256
e3e90e4989ae8cc0f62adfe969b153ed328d353951f4144858a87576248825ef

SHA512
1638ff0b33d9cf6a7e4acc472149b7905771f952dc270f00eda282fc15b28f8a3f73f8b2d9314627b33c0cdc592435f65e8620f8586e16e73e1e5c842c054abc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
3db8b783a08194a66b0b4dd98f1a37d6

SHA1
5d1031c2aa317c412b553b86ec4f40c8482689bc

SHA256
03655ece724dcd2e64011814afa4e40e375a09117ffb5fa3050bf07816a36599

SHA512
5b65f3acc577025cffcc64143b8a887064cc1feabf724cb99f4d9d4ca6af686740ccace5876e02ef964b9f93cf6d9f37d5660b1c54ee03e7f5a0593064db2de4

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
3db8b783a08194a66b0b4dd98f1a37d6

SHA1
5d1031c2aa317c412b553b86ec4f40c8482689bc

SHA256
03655ece724dcd2e64011814afa4e40e375a09117ffb5fa3050bf07816a36599

SHA512
5b65f3acc577025cffcc64143b8a887064cc1feabf724cb99f4d9d4ca6af686740ccace5876e02ef964b9f93cf6d9f37d5660b1c54ee03e7f5a0593064db2de4

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
43KB

MD5
b5a42ecde0b058b3c4e661e0ec84400b

SHA1
7e2bfc653c5bc6997553c150a0823daae372cd99

SHA256
ce636d201ef86ffbf4ee8c8762b4d9dc255be9d5f490d0a22e36fe0c938f7244

SHA512
b7f4a7bddb226066f7edf23dfb9bee658c30ae03dfe727ec739f51fd98c63831f732343c14a6ca080f31baed38bf9064cdd57c9d1daaf4c42c029fe83d846dc0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
352KB

MD5
5640aa75945e9ef9808f7db2d53f2b9d

SHA1
c314affd5a0edd2ea8bfd7affde123e441d521d4

SHA256
e1917947cf58b8f4041b1ea0fc673d7d220cdcd3f36a6483c7ed85b6c510a1c9

SHA512
c9a4efc3a53693743c573b36fe6a1289c2961602146f2f85def48cee91da0b5468dce389d2f1c1475fa6a30a30c52b181c6dd19102ca9cb211ba0c3e0d6a3578

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\ffmpeg.dll

Filesize
2.7MB

MD5
4578f9620450f9a52e205e7376cc901e

SHA1
ff13f7d3bef452dd8407fc5c2396939126395225

SHA256
822f56cc057c37b6c368fc8642ad74ff56ba39a9255b3b18bfeabc7a74aff307

SHA512
b1d584f47a452e67510b6f79e4f4bd24639c03bfca81e605ee3e86bb21d641b24988bb0bc788b3826d9c9d569867f71b67f818a5e46d5296bd1e937219919562

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\ffmpeg.dll

Filesize
2.7MB

MD5
4578f9620450f9a52e205e7376cc901e

SHA1
ff13f7d3bef452dd8407fc5c2396939126395225

SHA256
822f56cc057c37b6c368fc8642ad74ff56ba39a9255b3b18bfeabc7a74aff307

SHA512
b1d584f47a452e67510b6f79e4f4bd24639c03bfca81e605ee3e86bb21d641b24988bb0bc788b3826d9c9d569867f71b67f818a5e46d5296bd1e937219919562

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe

Filesize
154.8MB

MD5
cb6c576881b0e237f982dfde6d552d40

SHA1
057634b4e70165462108310e23079f5f1ab7d851

SHA256
da3b3004d26e89677f3d8ee43f4fe24c72b621c8ae27e81558d7bae7dcbd890c

SHA512
62a689b4536ba470863ad4e36b553fc03a8a3637501fdcf4120cc87fb14050a9fab62ba07b160612c4bef37a51c10ba5790509e482fa0454517d343af5541b25

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe

Filesize
154.8MB

MD5
cb6c576881b0e237f982dfde6d552d40

SHA1
057634b4e70165462108310e23079f5f1ab7d851

SHA256
da3b3004d26e89677f3d8ee43f4fe24c72b621c8ae27e81558d7bae7dcbd890c

SHA512
62a689b4536ba470863ad4e36b553fc03a8a3637501fdcf4120cc87fb14050a9fab62ba07b160612c4bef37a51c10ba5790509e482fa0454517d343af5541b25

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.2\freedomgpt.exe

Filesize
154.8MB

MD5
cb6c576881b0e237f982dfde6d552d40

SHA1
057634b4e70165462108310e23079f5f1ab7d851

SHA256
da3b3004d26e89677f3d8ee43f4fe24c72b621c8ae27e81558d7bae7dcbd890c

SHA512
62a689b4536ba470863ad4e36b553fc03a8a3637501fdcf4120cc87fb14050a9fab62ba07b160612c4bef37a51c10ba5790509e482fa0454517d343af5541b25

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
3db8b783a08194a66b0b4dd98f1a37d6

SHA1
5d1031c2aa317c412b553b86ec4f40c8482689bc

SHA256
03655ece724dcd2e64011814afa4e40e375a09117ffb5fa3050bf07816a36599

SHA512
5b65f3acc577025cffcc64143b8a887064cc1feabf724cb99f4d9d4ca6af686740ccace5876e02ef964b9f93cf6d9f37d5660b1c54ee03e7f5a0593064db2de4

Download Submit
memory/1640-174-0x0000000001290000-0x00000000014BE000-memory.dmp

Filesize
2.2MB

Download
memory/2024-176-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2024-177-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2024-66-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2024-194-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2024-198-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2024-197-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2024-206-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2024-63-0x0000000000FC0000-0x0000000001196000-memory.dmp

Filesize
1.8MB

Download