Analysis
- max time kernel: 297s
- max time network: 298s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03-08-2024 22:09
Static task: static1
Behavioral task: behavioral1
  Sample: goodbyedpi-0.2.3rc1/x86_64/goodbyedpi.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: goodbyedpi-0.2.3rc1/x86_64/goodbyedpi.exe
  Resource: win10v2004-20240802-en
General
- Target: goodbyedpi-0.2.3rc1/x86_64/goodbyedpi.exe
- Size: 95KB
- MD5: fd680538c2a80dc54c63ae39c3563fbd
- SHA1: 34fc71b71ab4361a68bf8355e9b2f54dd8cf910f
- SHA256: fa9a32ae6eb24e2290941ea60f80e914168e1f84e900293bffd4393fb9a8fae2
- SHA512: 8bae7d75dcaf708433504e8b725da41f051fdaffccfc2e27e2450f89866b8d113a2782a11c54e1dbf03e5db22b883eaf7bea8cfd2472e67c7eebabc9de2ef838
- SSDEEP: 1536:uS4122+admkx3xg+s8ZtkhMvIpylYTvf6EEXUaSsGe0yNgnIcm:/4122+admkx6cZi0IvUasKUgID
Malware Config
Signatures
- Creates new service(s) (2 TTPs)
- Launches sc.exe (10 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
    pid   process
    4680  sc.exe
    3860  sc.exe
    1324  sc.exe
    3856  sc.exe
    864   sc.exe
    1244  sc.exe
    4952  sc.exe
    2636  sc.exe
    3280  sc.exe
    3388  sc.exe
- Suspicious behavior: LoadsDriver (9 IoCs)
  Processes:
    pid   process
    636   (process name not recorded; pid 636 is listed for all 9 events)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (each row below was recorded twice, giving 30 events):
    description                        pid   process   target process
    PID 1796 wrote to memory of 4120   1796  cmd.exe   goodbyedpi.exe
    PID 4732 wrote to memory of 2716   4732  cmd.exe   goodbyedpi.exe
    PID 4260 wrote to memory of 4364   4260  cmd.exe   goodbyedpi.exe
    PID 4948 wrote to memory of 4952   4948  cmd.exe   sc.exe
    PID 4948 wrote to memory of 2636   4948  cmd.exe   sc.exe
    PID 4948 wrote to memory of 4680   4948  cmd.exe   sc.exe
    PID 4948 wrote to memory of 3860   4948  cmd.exe   sc.exe
    PID 4948 wrote to memory of 3280   4948  cmd.exe   sc.exe
    PID 2776 wrote to memory of 3388   2776  cmd.exe   sc.exe
    PID 2776 wrote to memory of 1324   2776  cmd.exe   sc.exe
    PID 2776 wrote to memory of 864    2776  cmd.exe   sc.exe
    PID 2776 wrote to memory of 3856   2776  cmd.exe   sc.exe
    PID 2776 wrote to memory of 1244   2776  cmd.exe   sc.exe
    PID 1020 wrote to memory of 5104   1020  cmd.exe   goodbyedpi.exe
    PID 3628 wrote to memory of 2568   3628  cmd.exe   goodbyedpi.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
  PID: 2092
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservice -s fdPHost
  PID: 3632
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4148
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1796
  - C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    Command line: goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
    PID: 4120
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4732
  - C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    Command line: goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
    PID: 2716
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4260
  - C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    Command line: goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
    PID: 4364
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd
  PID: 3184
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd
  PID: 3720
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd
  PID: 4040
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4948
  - C:\Windows\system32\sc.exe
    Command line: sc stop "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 4952
  - C:\Windows\system32\sc.exe
    Command line: sc delete "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 2636
  - C:\Windows\system32\sc.exe
    Command line: sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
    Signatures: Launches sc.exe
    PID: 4680
  - C:\Windows\system32\sc.exe
    Command line: sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
    Signatures: Launches sc.exe
    PID: 3860
  - C:\Windows\system32\sc.exe
    Command line: sc start "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 3280
- C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"
  PID: 3556
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2776
  - C:\Windows\system32\sc.exe
    Command line: sc stop "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 3388
  - C:\Windows\system32\sc.exe
    Command line: sc delete "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 1324
  - C:\Windows\system32\sc.exe
    Command line: sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
    Signatures: Launches sc.exe
    PID: 864
  - C:\Windows\system32\sc.exe
    Command line: sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
    Signatures: Launches sc.exe
    PID: 3856
  - C:\Windows\system32\sc.exe
    Command line: sc start "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 1244
- C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"
  PID: 4320
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1020
  - C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    Command line: goodbyedpi.exe -9
    PID: 5104
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3628
  - C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    Command line: goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
    PID: 2568
- C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
  PID: 2820