bf6ed975a4c4f770294623c0c2a27846c1db7e2ab6cdb272cc2080341e7f8c34

Analysis

max time kernel
57s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freedomgpt-1.1.3.Setup.exe
Size

94.4MB
MD5

d71e86e91c1523d75ba112f9953d551a
SHA1

8b76138584149289eb771c2ca6fac65e85888b18
SHA256

bf6ed975a4c4f770294623c0c2a27846c1db7e2ab6cdb272cc2080341e7f8c34
SHA512

2d9c811404febcc53b99c34f03f5d0f851a8416a3cf3b18ee27944009868ff6d4abe81ac75beac0ac3e0deed1ebe20e11faaab201d3bda2ce7b1c552865ad670
SSDEEP

1572864:jCgNjVW/qgFGkVyMmi82RP0F4ry9Fq8GWK/O0SzpRTrcxRYTkhQnoYqbDBZj0T:jdWZG0yM/je7qRWK/0lRTrcyBn3gDvjO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1176	Update.exe
2008	Squirrel.exe
1596	freedomgpt.exe
1932	freedomgpt.exe

Loads dropped DLL 6 IoCs

pid	Process
1964	freedomgpt-1.1.3.Setup.exe
1176	Update.exe
1176	Update.exe
1176	Update.exe
1596	freedomgpt.exe
1932	freedomgpt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Update.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1176	Update.exe
1176	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1176	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1176	1964	freedomgpt-1.1.3.Setup.exe	28
PID 1964 wrote to memory of 1176	1964	freedomgpt-1.1.3.Setup.exe	28
PID 1964 wrote to memory of 1176	1964	freedomgpt-1.1.3.Setup.exe	28
PID 1964 wrote to memory of 1176	1964	freedomgpt-1.1.3.Setup.exe	28
PID 1176 wrote to memory of 2008	1176	Update.exe	29
PID 1176 wrote to memory of 2008	1176	Update.exe	29
PID 1176 wrote to memory of 2008	1176	Update.exe	29
PID 1176 wrote to memory of 1596	1176	Update.exe	30
PID 1176 wrote to memory of 1596	1176	Update.exe	30
PID 1176 wrote to memory of 1596	1176	Update.exe	30
PID 1176 wrote to memory of 1932	1176	Update.exe	31
PID 1176 wrote to memory of 1932	1176	Update.exe	31
PID 1176 wrote to memory of 1932	1176	Update.exe	31

C:\Users\Admin\AppData\Local\Temp\freedomgpt-1.1.3.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\freedomgpt-1.1.3.Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\Squirrel.exe
    "C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:2008
- - C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe
    "C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe" --squirrel-install 1.1.3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1596
- - C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe
    "C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FreedomGPT\Update.exe

Filesize
2.2MB

MD5
d497e00ee09558c69ac90563a17272bb

SHA1
b6e98269379983aa4d04bcb504078d7e00d16985

SHA256
c154edf405b68dc8b23137708659fdacd5d7879b914b45f575814e325aa218ae

SHA512
1dcf67690e378a39f5813b4a149ede16f325d8aa20817bbfee39ccb63043dc5c1d90975842cdf89d49ae440e6732e7cc6995969de262893b2123128a5c7ca913

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\Squirrel.exe

Filesize
2.2MB

MD5
d497e00ee09558c69ac90563a17272bb

SHA1
b6e98269379983aa4d04bcb504078d7e00d16985

SHA256
c154edf405b68dc8b23137708659fdacd5d7879b914b45f575814e325aa218ae

SHA512
1dcf67690e378a39f5813b4a149ede16f325d8aa20817bbfee39ccb63043dc5c1d90975842cdf89d49ae440e6732e7cc6995969de262893b2123128a5c7ca913

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\ffmpeg.dll

Filesize
2.7MB

MD5
4578f9620450f9a52e205e7376cc901e

SHA1
ff13f7d3bef452dd8407fc5c2396939126395225

SHA256
822f56cc057c37b6c368fc8642ad74ff56ba39a9255b3b18bfeabc7a74aff307

SHA512
b1d584f47a452e67510b6f79e4f4bd24639c03bfca81e605ee3e86bb21d641b24988bb0bc788b3826d9c9d569867f71b67f818a5e46d5296bd1e937219919562

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe

Filesize
154.8MB

MD5
d1ce36aba0b06390be67cb76a216337c

SHA1
3f736e23a6bfa9ac148b7e593c6b5ed9ed56a13e

SHA256
b80a8385f925245c117e63bf82c2fd53028505d6271f683827e4248d9bc36a67

SHA512
6b7581386968d5f68a8ce874056e8dbf71a6206ff882fbb49fb8ca98cc78ac0f2a51e8b35b1e0d3632d611a5f4a9e776a9638b1ee4b049f258576e1a3d212fcb

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe

Filesize
154.8MB

MD5
d1ce36aba0b06390be67cb76a216337c

SHA1
3f736e23a6bfa9ac148b7e593c6b5ed9ed56a13e

SHA256
b80a8385f925245c117e63bf82c2fd53028505d6271f683827e4248d9bc36a67

SHA512
6b7581386968d5f68a8ce874056e8dbf71a6206ff882fbb49fb8ca98cc78ac0f2a51e8b35b1e0d3632d611a5f4a9e776a9638b1ee4b049f258576e1a3d212fcb

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe

Filesize
154.8MB

MD5
d1ce36aba0b06390be67cb76a216337c

SHA1
3f736e23a6bfa9ac148b7e593c6b5ed9ed56a13e

SHA256
b80a8385f925245c117e63bf82c2fd53028505d6271f683827e4248d9bc36a67

SHA512
6b7581386968d5f68a8ce874056e8dbf71a6206ff882fbb49fb8ca98cc78ac0f2a51e8b35b1e0d3632d611a5f4a9e776a9638b1ee4b049f258576e1a3d212fcb

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\squirrel.exe

Filesize
2.2MB

MD5
d497e00ee09558c69ac90563a17272bb

SHA1
b6e98269379983aa4d04bcb504078d7e00d16985

SHA256
c154edf405b68dc8b23137708659fdacd5d7879b914b45f575814e325aa218ae

SHA512
1dcf67690e378a39f5813b4a149ede16f325d8aa20817bbfee39ccb63043dc5c1d90975842cdf89d49ae440e6732e7cc6995969de262893b2123128a5c7ca913

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\packages\FreedomGPT-1.1.3-full.nupkg

Filesize
93.2MB

MD5
4db3bbfb8218737fcb5d46343bb8d3f0

SHA1
b96552bf17de7533b393926c5fdb85766addcfef

SHA256
53f8a50de09c2206ea8e52f2b70a0bd8204d4e8fabcb8593b2860e829e4668ba

SHA512
aa98e40251a2ea99463727da3b74f7210a1bb6649d5bc0bd6a0e9f12fba73a03cbfd496dfb61de8ab7c69d03932cc86cbc8477e3fed02b4365066ba2956bfe6a

Download Submit
C:\Users\Admin\AppData\Local\FreedomGPT\packages\RELEASES

Filesize
80B

MD5
d90133c87cc350ec2c9308d26a1fb0a2

SHA1
cfaddaff3b6149f8eb548391a0875836f7a7fb5b

SHA256
15b9ccdfee6c75ec8f2193d00e9e347de629b4a535ac07b9322fe7c91b49565e

SHA512
6c33990551d91a344d51a5bf7c2e93985e97c256624254c71164936d53d4eab18a65a951fe16560cb0ffd97dc3d3dd6738faa98be804d5c65d25d6fc60dc4030

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\FreedomGPT-1.1.3-full.nupkg

Filesize
93.2MB

MD5
4db3bbfb8218737fcb5d46343bb8d3f0

SHA1
b96552bf17de7533b393926c5fdb85766addcfef

SHA256
53f8a50de09c2206ea8e52f2b70a0bd8204d4e8fabcb8593b2860e829e4668ba

SHA512
aa98e40251a2ea99463727da3b74f7210a1bb6649d5bc0bd6a0e9f12fba73a03cbfd496dfb61de8ab7c69d03932cc86cbc8477e3fed02b4365066ba2956bfe6a

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
80B

MD5
d90133c87cc350ec2c9308d26a1fb0a2

SHA1
cfaddaff3b6149f8eb548391a0875836f7a7fb5b

SHA256
15b9ccdfee6c75ec8f2193d00e9e347de629b4a535ac07b9322fe7c91b49565e

SHA512
6c33990551d91a344d51a5bf7c2e93985e97c256624254c71164936d53d4eab18a65a951fe16560cb0ffd97dc3d3dd6738faa98be804d5c65d25d6fc60dc4030

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
3db8b783a08194a66b0b4dd98f1a37d6

SHA1
5d1031c2aa317c412b553b86ec4f40c8482689bc

SHA256
03655ece724dcd2e64011814afa4e40e375a09117ffb5fa3050bf07816a36599

SHA512
5b65f3acc577025cffcc64143b8a887064cc1feabf724cb99f4d9d4ca6af686740ccace5876e02ef964b9f93cf6d9f37d5660b1c54ee03e7f5a0593064db2de4

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
3db8b783a08194a66b0b4dd98f1a37d6

SHA1
5d1031c2aa317c412b553b86ec4f40c8482689bc

SHA256
03655ece724dcd2e64011814afa4e40e375a09117ffb5fa3050bf07816a36599

SHA512
5b65f3acc577025cffcc64143b8a887064cc1feabf724cb99f4d9d4ca6af686740ccace5876e02ef964b9f93cf6d9f37d5660b1c54ee03e7f5a0593064db2de4

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
43KB

MD5
b5a42ecde0b058b3c4e661e0ec84400b

SHA1
7e2bfc653c5bc6997553c150a0823daae372cd99

SHA256
ce636d201ef86ffbf4ee8c8762b4d9dc255be9d5f490d0a22e36fe0c938f7244

SHA512
b7f4a7bddb226066f7edf23dfb9bee658c30ae03dfe727ec739f51fd98c63831f732343c14a6ca080f31baed38bf9064cdd57c9d1daaf4c42c029fe83d846dc0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
352KB

MD5
5640aa75945e9ef9808f7db2d53f2b9d

SHA1
c314affd5a0edd2ea8bfd7affde123e441d521d4

SHA256
e1917947cf58b8f4041b1ea0fc673d7d220cdcd3f36a6483c7ed85b6c510a1c9

SHA512
c9a4efc3a53693743c573b36fe6a1289c2961602146f2f85def48cee91da0b5468dce389d2f1c1475fa6a30a30c52b181c6dd19102ca9cb211ba0c3e0d6a3578

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\ffmpeg.dll

Filesize
2.7MB

MD5
4578f9620450f9a52e205e7376cc901e

SHA1
ff13f7d3bef452dd8407fc5c2396939126395225

SHA256
822f56cc057c37b6c368fc8642ad74ff56ba39a9255b3b18bfeabc7a74aff307

SHA512
b1d584f47a452e67510b6f79e4f4bd24639c03bfca81e605ee3e86bb21d641b24988bb0bc788b3826d9c9d569867f71b67f818a5e46d5296bd1e937219919562

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\ffmpeg.dll

Filesize
2.7MB

MD5
4578f9620450f9a52e205e7376cc901e

SHA1
ff13f7d3bef452dd8407fc5c2396939126395225

SHA256
822f56cc057c37b6c368fc8642ad74ff56ba39a9255b3b18bfeabc7a74aff307

SHA512
b1d584f47a452e67510b6f79e4f4bd24639c03bfca81e605ee3e86bb21d641b24988bb0bc788b3826d9c9d569867f71b67f818a5e46d5296bd1e937219919562

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe

Filesize
154.8MB

MD5
d1ce36aba0b06390be67cb76a216337c

SHA1
3f736e23a6bfa9ac148b7e593c6b5ed9ed56a13e

SHA256
b80a8385f925245c117e63bf82c2fd53028505d6271f683827e4248d9bc36a67

SHA512
6b7581386968d5f68a8ce874056e8dbf71a6206ff882fbb49fb8ca98cc78ac0f2a51e8b35b1e0d3632d611a5f4a9e776a9638b1ee4b049f258576e1a3d212fcb

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe

Filesize
154.8MB

MD5
d1ce36aba0b06390be67cb76a216337c

SHA1
3f736e23a6bfa9ac148b7e593c6b5ed9ed56a13e

SHA256
b80a8385f925245c117e63bf82c2fd53028505d6271f683827e4248d9bc36a67

SHA512
6b7581386968d5f68a8ce874056e8dbf71a6206ff882fbb49fb8ca98cc78ac0f2a51e8b35b1e0d3632d611a5f4a9e776a9638b1ee4b049f258576e1a3d212fcb

Download Submit
\Users\Admin\AppData\Local\FreedomGPT\app-1.1.3\freedomgpt.exe

Filesize
154.8MB

MD5
d1ce36aba0b06390be67cb76a216337c

SHA1
3f736e23a6bfa9ac148b7e593c6b5ed9ed56a13e

SHA256
b80a8385f925245c117e63bf82c2fd53028505d6271f683827e4248d9bc36a67

SHA512
6b7581386968d5f68a8ce874056e8dbf71a6206ff882fbb49fb8ca98cc78ac0f2a51e8b35b1e0d3632d611a5f4a9e776a9638b1ee4b049f258576e1a3d212fcb

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
3db8b783a08194a66b0b4dd98f1a37d6

SHA1
5d1031c2aa317c412b553b86ec4f40c8482689bc

SHA256
03655ece724dcd2e64011814afa4e40e375a09117ffb5fa3050bf07816a36599

SHA512
5b65f3acc577025cffcc64143b8a887064cc1feabf724cb99f4d9d4ca6af686740ccace5876e02ef964b9f93cf6d9f37d5660b1c54ee03e7f5a0593064db2de4

Download Submit
memory/1176-66-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/1176-63-0x0000000000210000-0x00000000003E6000-memory.dmp

Filesize
1.8MB

Download
memory/1176-168-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1176-189-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2008-169-0x00000000011F0000-0x000000000141E000-memory.dmp

Filesize
2.2MB

Download