Malware Analysis Report

2024-10-16 05:06

Sample ID: 240801-pf8glazfjk
Target: goodbyedpi-0.2.3rc1-2.zip
SHA256: e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
Tags: discovery, dropper
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral15
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral14
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral13
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral11
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral12
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 8/10

SHA256: e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443

Threat Level: Likely malicious

The file goodbyedpi-0.2.3rc1-2.zip was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, dropper

Download via BitsAdmin

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-01 12:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical entries)

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:30

Platform

win11-20240730-en

Max time kernel

435s

Max time network

1153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

Signatures

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

memory/3416-0-0x00007FF797760000-0x00007FF797780000-memory.dmp

memory/3416-1-0x0000000062800000-0x0000000062813000-memory.dmp

memory/3416-2-0x00007FF797760000-0x00007FF797780000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240730-en

Max time kernel

431s

Max time network

1162s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3096 wrote to memory of 4336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe (2 identical events)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/4336-0-0x00007FF6A8330000-0x00007FF6A8350000-memory.dmp

memory/4336-1-0x0000000062800000-0x0000000062813000-memory.dmp

memory/4336-2-0x00007FF6A8330000-0x00007FF6A8350000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240730-en

Max time kernel

436s

Max time network

1155s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4708 wrote to memory of 3652 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe (2 identical events)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/3652-0-0x00007FF62E870000-0x00007FF62E890000-memory.dmp

memory/3652-1-0x0000000062800000-0x0000000062813000-memory.dmp

memory/3652-2-0x00007FF62E870000-0x00007FF62E890000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240730-en

Max time kernel

444s

Max time network

1164s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:30

Platform

win11-20240730-en

Max time kernel

438s

Max time network

1160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240730-en

Max time kernel

442s

Max time network

1163s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3452 wrote to memory of 1396 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe (2 identical events)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/1396-0-0x00007FF7E3E60000-0x00007FF7E3E80000-memory.dmp

memory/1396-1-0x0000000062800000-0x0000000062813000-memory.dmp

memory/1396-2-0x00007FF7E3E60000-0x00007FF7E3E80000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240730-en

Max time kernel

448s

Max time network

1171s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"

Network

Country | Destination | Domain | Proto
US | 52.111.229.43:443 | N/A | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:30

Platform

win11-20240730-en

Max time kernel

407s

Max time network

1135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1

Signatures

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3100 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:30

Platform

win11-20240730-en

Max time kernel

450s

Max time network

1143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical connections)

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:30

Platform

win11-20240730-en

Max time kernel

440s

Max time network

1125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical connections)

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240729-en

Max time kernel

439s

Max time network

1157s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4404 wrote to memory of 4608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe (2 identical events)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

Network

Files

memory/4608-0-0x00007FF7E07C0000-0x00007FF7E07E0000-memory.dmp

memory/4608-1-0x0000000062800000-0x0000000062813000-memory.dmp

memory/4608-2-0x00007FF7E07C0000-0x00007FF7E07E0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240730-en

Max time kernel

445s

Max time network

1165s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical connections)

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:29

Platform

win11-20240730-en

Max time kernel

434s

Max time network

1155s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"

Signatures

Download via BitsAdmin (tag: dropper)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4972 wrote to memory of 4544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe (2 identical events)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | p.thenewone.lol | udp
LV | 195.123.208.131:443 | p.thenewone.lol | tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:30

Platform

win11-20240730-en

Max time kernel

448s

Max time network

1170s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-01 12:17

Reported

2024-08-01 14:30

Platform

win11-20240730-en

Max time kernel

437s

Max time network

1157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"

Signatures

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"

Network

Files

memory/2076-0-0x000000003FAC0000-0x000000003FADF000-memory.dmp

memory/2076-1-0x0000000063D40000-0x0000000063D4F000-memory.dmp

memory/2076-2-0x000000003FAC0000-0x000000003FADF000-memory.dmp