Analysis
max time kernel: 96s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 22:50
Static task: static1
Behavioral task: behavioral1
  Sample: FreedomSetup.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: FreedomSetup.exe
  Resource: win10v2004-20240802-en
General
Target: FreedomSetup.exe
Size: 16.0MB
MD5: 2055c0051cc5e04ce02c588963ff1689
SHA1: 0f52a0a99450d07cc17a9f3281fd6c0e0dff71c3
SHA256: c0fc9f785dcb99b59a8602837457a2945e0501b77677dcb66b98a52b1a1f5424
SHA512: b8476a2aa5ffae0f0a0ec3bb3f2beb41bd57186b9c6763169ea024fa571da0cdd7879dda8e80bcf34524420dbd80b1e0864ab1ff52f67c0cb258f5dd6e9b1f37
SSDEEP: 393216:ky+Cufq6mYxACoh4KOCMf2i8lUya09Ql5GKImpufXv0XbL:wpq6mutEUV0KfG5mpwXv03
Malware Config
Signatures
Loads dropped DLL (9 IoCs)
pid   Process
4316  FreedomSetup.exe
4488  MsiExec.exe
4488  MsiExec.exe
4488  MsiExec.exe
4488  MsiExec.exe
4488  MsiExec.exe
4488  MsiExec.exe
4488  MsiExec.exe
4488  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\E:  FreedomSetup.exe
File opened (read-only)  \??\H:  FreedomSetup.exe
File opened (read-only)  \??\K:  FreedomSetup.exe
File opened (read-only)  \??\Y:  FreedomSetup.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\M:  FreedomSetup.exe
File opened (read-only)  \??\N:  FreedomSetup.exe
File opened (read-only)  \??\S:  FreedomSetup.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\G:  FreedomSetup.exe
File opened (read-only)  \??\L:  FreedomSetup.exe
File opened (read-only)  \??\R:  FreedomSetup.exe
File opened (read-only)  \??\T:  FreedomSetup.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\I:  FreedomSetup.exe
File opened (read-only)  \??\J:  FreedomSetup.exe
File opened (read-only)  \??\Q:  FreedomSetup.exe
File opened (read-only)  \??\W:  FreedomSetup.exe
File opened (read-only)  \??\Z:  FreedomSetup.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  FreedomSetup.exe
File opened (read-only)  \??\V:  FreedomSetup.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\A:  FreedomSetup.exe
File opened (read-only)  \??\B:  FreedomSetup.exe
File opened (read-only)  \??\P:  FreedomSetup.exe
File opened (read-only)  \??\X:  FreedomSetup.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\O:  FreedomSetup.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FreedomSetup.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                          pid   Process
Token: SeSecurityPrivilege           5012  msiexec.exe
Token: SeCreateTokenPrivilege        4316  FreedomSetup.exe
Token: SeAssignPrimaryTokenPrivilege 4316  FreedomSetup.exe
Token: SeLockMemoryPrivilege         4316  FreedomSetup.exe
Token: SeIncreaseQuotaPrivilege      4316  FreedomSetup.exe
Token: SeMachineAccountPrivilege     4316  FreedomSetup.exe
Token: SeTcbPrivilege                4316  FreedomSetup.exe
Token: SeSecurityPrivilege           4316  FreedomSetup.exe
Token: SeTakeOwnershipPrivilege      4316  FreedomSetup.exe
Token: SeLoadDriverPrivilege         4316  FreedomSetup.exe
Token: SeSystemProfilePrivilege      4316  FreedomSetup.exe
Token: SeSystemtimePrivilege         4316  FreedomSetup.exe
Token: SeProfSingleProcessPrivilege  4316  FreedomSetup.exe
Token: SeIncBasePriorityPrivilege    4316  FreedomSetup.exe
Token: SeCreatePagefilePrivilege     4316  FreedomSetup.exe
Token: SeCreatePermanentPrivilege    4316  FreedomSetup.exe
Token: SeBackupPrivilege             4316  FreedomSetup.exe
Token: SeRestorePrivilege            4316  FreedomSetup.exe
Token: SeShutdownPrivilege           4316  FreedomSetup.exe
Token: SeDebugPrivilege              4316  FreedomSetup.exe
Token: SeAuditPrivilege              4316  FreedomSetup.exe
Token: SeSystemEnvironmentPrivilege  4316  FreedomSetup.exe
Token: SeChangeNotifyPrivilege       4316  FreedomSetup.exe
Token: SeRemoteShutdownPrivilege     4316  FreedomSetup.exe
Token: SeUndockPrivilege             4316  FreedomSetup.exe
Token: SeSyncAgentPrivilege          4316  FreedomSetup.exe
Token: SeEnableDelegationPrivilege   4316  FreedomSetup.exe
Token: SeManageVolumePrivilege       4316  FreedomSetup.exe
Token: SeImpersonatePrivilege        4316  FreedomSetup.exe
Token: SeCreateGlobalPrivilege       4316  FreedomSetup.exe
Token: SeCreateTokenPrivilege        4316  FreedomSetup.exe
Token: SeAssignPrimaryTokenPrivilege 4316  FreedomSetup.exe
Token: SeLockMemoryPrivilege         4316  FreedomSetup.exe
Token: SeIncreaseQuotaPrivilege      4316  FreedomSetup.exe
Token: SeMachineAccountPrivilege     4316  FreedomSetup.exe
Token: SeTcbPrivilege                4316  FreedomSetup.exe
Token: SeSecurityPrivilege           4316  FreedomSetup.exe
Token: SeTakeOwnershipPrivilege      4316  FreedomSetup.exe
Token: SeLoadDriverPrivilege         4316  FreedomSetup.exe
Token: SeSystemProfilePrivilege      4316  FreedomSetup.exe
Token: SeSystemtimePrivilege         4316  FreedomSetup.exe
Token: SeProfSingleProcessPrivilege  4316  FreedomSetup.exe
Token: SeIncBasePriorityPrivilege    4316  FreedomSetup.exe
Token: SeCreatePagefilePrivilege     4316  FreedomSetup.exe
Token: SeCreatePermanentPrivilege    4316  FreedomSetup.exe
Token: SeBackupPrivilege             4316  FreedomSetup.exe
Token: SeRestorePrivilege            4316  FreedomSetup.exe
Token: SeShutdownPrivilege           4316  FreedomSetup.exe
Token: SeDebugPrivilege              4316  FreedomSetup.exe
Token: SeAuditPrivilege              4316  FreedomSetup.exe
Token: SeSystemEnvironmentPrivilege  4316  FreedomSetup.exe
Token: SeChangeNotifyPrivilege       4316  FreedomSetup.exe
Token: SeRemoteShutdownPrivilege     4316  FreedomSetup.exe
Token: SeUndockPrivilege             4316  FreedomSetup.exe
Token: SeSyncAgentPrivilege          4316  FreedomSetup.exe
Token: SeEnableDelegationPrivilege   4316  FreedomSetup.exe
Token: SeManageVolumePrivilege       4316  FreedomSetup.exe
Token: SeImpersonatePrivilege        4316  FreedomSetup.exe
Token: SeCreateGlobalPrivilege       4316  FreedomSetup.exe
Token: SeCreateTokenPrivilege        4316  FreedomSetup.exe
Token: SeAssignPrimaryTokenPrivilege 4316  FreedomSetup.exe
Token: SeLockMemoryPrivilege         4316  FreedomSetup.exe
Token: SeIncreaseQuotaPrivilege      4316  FreedomSetup.exe
Token: SeMachineAccountPrivilege     4316  FreedomSetup.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
4316  FreedomSetup.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process      procid_target
PID 5012 wrote to memory of 4488  5012  msiexec.exe  88
PID 5012 wrote to memory of 4488  5012  msiexec.exe  88
PID 5012 wrote to memory of 4488  5012  msiexec.exe  88
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\FreedomSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FreedomSetup.exe"
  PID: 4316
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[depth 1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 5012
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7FB9E025BB291CC4B0F6B6D465D187B9 C
    PID: 4488
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 617KB
MD5: 5d4d074aeaeb42897c88f3fe5a9849cb
SHA1: 7fa9eea790e21aa21ec1b8570574324d87ebaf0f
SHA256: 04c74960fd65cbcec16cb202c89666f8e33615c2cec80b9796ca0ec9027e77fd
SHA512: b09d290adacf8bee95b179cc74267125d7808079634244449e6f1609dbc32bf399a1dcbdf939b2ad15d5c68fd2c2a71b7d71b9fc32709babda1c4227a0db4adc

Filesize: 524KB
MD5: 6ea65025106536eb75f026e46643b099
SHA1: d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99
SHA256: dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb
SHA512: 062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Filesize: 914KB
MD5: 91d4a8c2c296ef53dd8c01b9af69b735
SHA1: ad2e5311a0f2dbba988fbdb6fcf70034fda3920d
SHA256: a787e7a1ad12783fcbf3f853940590329e0ff0dddf17282324f2d95ed6408f23
SHA512: 63c5506a55dea2b3bd1c99b79b5668f5afc0104564e92f07afb42f2f2b67eae9d0e0174cb36e6095a27a6c71496206042079b6e5a2b2ff787f3cb9ef20995e9e

Filesize: 4.4MB
MD5: 63d8b3d3af327173da754bf5507652ef
SHA1: 1468d45f45baa30ef319892dc6d1aadd4aa2f34b
SHA256: 3846f6ca01a2ab725f5141f2fdc2376bd1002ae88d2ba7028ab417602eefd492
SHA512: 4c8caf5dab1fd7ff22413471efdc05946a16a705cb421d0c25c3aedaa2731f3ee144577e1f571e1448a1b59db8858b34c82e4e2e159515aeba4f99ada63a6b09

Filesize: 206KB
MD5: 8a3f1a0da39530dcb8962dd0fadb187f
SHA1: d5294f6be549ec1f779da78d903683bab2835d1a
SHA256: c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f
SHA512: 1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d