Tasks
  Overview
  Static: 8
  goodbyedpi...le.cmd (windows10-2004-x64): 3
  goodbyedpi...st.cmd (windows10-2004-x64): 8
  goodbyedpi...ir.cmd (windows10-2004-x64): 1
  goodbyedpi...ry.cmd (windows10-2004-x64): 1
  goodbyedpi...ir.cmd (windows10-2004-x64): 1
  goodbyedpi...st.cmd (windows10-2004-x64): 1
  goodbyedpi...ir.cmd (windows10-2004-x64): 1
  goodbyedpi...ve.cmd (windows10-2004-x64): 1
  goodbyedpi...rt.dll (windows10-2004-x64): 1
  goodbyedpi...32.sys (windows10-2004-x64): 3
  goodbyedpi...64.sys (windows10-2004-x64): 1
  goodbyedpi...pi.exe (windows10-2004-x64): 1
  goodbyedpi...rt.dll (windows10-2004-x64): 3
  goodbyedpi...64.sys (windows10-2004-x64): 1
  goodbyedpi...pi.exe (windows10-2004-x64): 1
Analysis
  max time kernel: 63s
  max time network: 64s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08-08-2024 05:55
Static task
  static1

Behavioral tasks (all run on resource win10v2004-20240802-en)
  behavioral1:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/0_russia_update_blacklist_file.cmd
  behavioral2:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/1_russia_blacklist.cmd
  behavioral3:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/1_russia_blacklist_dnsredir.cmd
  behavioral4:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/2_any_country.cmd
  behavioral5:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/2_any_country_dnsredir.cmd
  behavioral6:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_install_russia_blacklist.cmd
  behavioral7:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_install_russia_blacklist_dnsredir.cmd
  behavioral8:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_remove.cmd
  behavioral9:  goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert.dll
  behavioral10: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert32.sys
  behavioral11: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert64.sys
  behavioral12: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/goodbyedpi.exe
  behavioral13: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/WinDivert.dll
  behavioral14: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/WinDivert64.sys
  behavioral15: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/goodbyedpi.exe
General
  Target: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/0_russia_update_blacklist_file.cmd
  Size:   130B
  MD5:    a6af4b081a4cbcd448759306b2366eac
  SHA1:   0d1d887413e074b0991b5be0ca296f18053502c0
  SHA256: d9d7c57c7dedb3a4e6566ddd7623758f53986a2c34e0cd3784b84f7f881a01c4
  SHA512: f406b865f4bbe08181f1c1f239f198bab03b5b681174323b78f0b3c1790a1e177473a89ee566dac906c08d044fb0eb9a48991cf773222d378f469bd4941af62f
Malware Config

Signatures

  Download via BitsAdmin (1 TTPs, 1 IoCs)

  Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

  Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid | process):
    4980 | taskmgr.exe (11 occurrences)

  Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege           | 4980 | taskmgr.exe
    Token: SeSystemProfilePrivilege   | 4980 | taskmgr.exe
    Token: SeCreateGlobalPrivilege    | 4980 | taskmgr.exe
    Token: 33                         | 4980 | taskmgr.exe
    Token: SeIncBasePriorityPrivilege | 4980 | taskmgr.exe

  Suspicious use of FindShellTrayWindow (36 IoCs)
  Processes (pid | process):
    4980 | taskmgr.exe (36 occurrences)

  Suspicious use of SendNotifyMessage (36 IoCs)
  Processes (pid | process):
    4980 | taskmgr.exe (36 occurrences)

  Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description | pid | process | target process):
    PID 2712 wrote to memory of 4776 | 2712 | cmd.exe | bitsadmin.exe
    PID 2712 wrote to memory of 4776 | 2712 | cmd.exe | bitsadmin.exe
Processes

  C:\Windows\system32\cmd.exe (PID 2712)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\bitsadmin.exe (PID 4776, child of 2712)
      Command line: bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
      Signatures: Download via BitsAdmin

  C:\Windows\system32\taskmgr.exe (PID 4980)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage