Analysis Overview
SHA256
e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
Threat Level: Likely malicious
The file goodbyedpi-0.2.3rc1-2.zip was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Download via BitsAdmin
Stops running service(s)
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 06:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
132s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
90s
Max time network
126s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
Files
memory/2364-0-0x00007FF6156C0000-0x00007FF6156E0000-memory.dmp
memory/2364-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2364-2-0x00007FF6156C0000-0x00007FF6156E0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3928 wrote to memory of 3560 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 3928 wrote to memory of 3560 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
Files
memory/3560-0-0x00007FF7CBC50000-0x00007FF7CBC70000-memory.dmp
memory/3560-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3560-2-0x00007FF7CBC50000-0x00007FF7CBC70000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3732 wrote to memory of 1384 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 3732 wrote to memory of 1384 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
Network
Files
memory/1384-0-0x00007FF637430000-0x00007FF637450000-memory.dmp
memory/1384-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1384-2-0x00007FF637430000-0x00007FF637450000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4492 wrote to memory of 4360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4492 wrote to memory of 4360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-uthash.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-uthash.txt
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:29
Platform
win11-20240802-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
90s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
136s
Max time network
127s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5004 wrote to memory of 4848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 5004 wrote to memory of 4848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | p.thenewone.lol | udp |
| LV | 195.123.208.131:443 | p.thenewone.lol | tcp |
| US | 8.8.8.8:53 | 131.208.123.195.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
91s
Max time network
97s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1004 wrote to memory of 4928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 1004 wrote to memory of 4928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
Files
memory/4928-0-0x00007FF7046C0000-0x00007FF7046E0000-memory.dmp
memory/4928-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4928-2-0x00007FF7046C0000-0x00007FF7046E0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
117s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3848 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 3848 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
126s
Max time network
100s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1988 wrote to memory of 3884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1988 wrote to memory of 3884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
61s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 20.189.173.2:443 | | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
93s
Max time network
99s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5224 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 5224 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/2972-0-0x00007FF61B810000-0x00007FF61B830000-memory.dmp
memory/2972-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2972-2-0x00007FF61B810000-0x00007FF61B830000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
91s
Max time network
143s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 1580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2932 wrote to memory of 1580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-getline.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-getline.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
132s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4708 wrote to memory of 4180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4708 wrote to memory of 4180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-goodbyedpi.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-goodbyedpi.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2660 wrote to memory of 888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-windivert.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-windivert.txt
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
132s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3944-0-0x000000003F610000-0x000000003F62F000-memory.dmp
memory/3944-1-0x0000000063D40000-0x0000000063D4F000-memory.dmp
memory/3944-2-0x000000003F610000-0x000000003F62F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.13:443 | | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
148s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1956 wrote to memory of 3372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 3372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 4716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 4716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 2256 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 2256 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 4036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 4036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
| PID 1956 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
C:\Windows\system32\sc.exe
sc start "GoodbyeDPI"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"
Network
Files
memory/4684-0-0x00007FF6E93A0000-0x00007FF6E93C0000-memory.dmp
memory/4684-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4684-2-0x00007FF6E93A0000-0x00007FF6E93C0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2732 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2732 wrote to memory of 4540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 52.111.229.19:443 | | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-04 06:26
Reported
2024-08-04 06:30
Platform
win11-20240802-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys