Analysis

  • max time kernel
    24s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-08-2024 14:22

General

  • Target

    goodbyedpi-0.2.3rc1/service_install_russia_blacklist.cmd

  • Size

    660B

  • MD5

    af6dac6686b77dc51203800737f41b75

  • SHA1

    385568a96d92ca8206e45b6cf945b2fa11b29f80

  • SHA256

    4d2068f04436998bdf003c430f7bc28f0d0fc7d48031b8a37983f84bad6374bb

  • SHA512

    ae54f13ec18a71983b598f9f2d38231168b9f7de3238f6f742128331f2957e0a770b9502f2bf1997c8f6a6cb0c4bb90e9f4a8156ac807744141c51f4b0c4c49c

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\system32\sc.exe
      sc stop "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:2240
    • C:\Windows\system32\sc.exe
      sc delete "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:2440
    • C:\Windows\system32\sc.exe
      sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
      2⤵
      • Launches sc.exe
      PID:1864
    • C:\Windows\system32\sc.exe
      sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
      2⤵
      • Launches sc.exe
      PID:2716
    • C:\Windows\system32\sc.exe
      sc start "GoodbyeDPI"
      2⤵
      • Launches sc.exe
      PID:1060
  • C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
    "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt"
    1⤵
    PID:1652

Network

MITRE ATT&CK Enterprise v15
