Overview
overview
8Static
static
3goodbyedpi...le.cmd
windows10-2004-x64
8goodbyedpi...st.cmd
windows10-2004-x64
1goodbyedpi...ir.cmd
windows10-2004-x64
1goodbyedpi...ry.cmd
windows10-2004-x64
1goodbyedpi...ir.cmd
windows10-2004-x64
1goodbyedpi...st.cmd
windows10-2004-x64
1goodbyedpi...ir.cmd
windows10-2004-x64
1goodbyedpi...ve.cmd
windows10-2004-x64
1goodbyedpi...rt.dll
windows10-2004-x64
3goodbyedpi...32.sys
windows10-2004-x64
1goodbyedpi...64.sys
windows10-2004-x64
1goodbyedpi...pi.exe
windows10-2004-x64
3goodbyedpi...rt.dll
windows10-2004-x64
1goodbyedpi...64.sys
windows10-2004-x64
1goodbyedpi...pi.exe
windows10-2004-x64
1Analysis
-
max time kernel
113s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-08-2024 05:55
Static task
static1
Behavioral task
behavioral1
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/0_russia_update_blacklist_file.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/1_russia_blacklist.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/1_russia_blacklist_dnsredir.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/2_any_country.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/2_any_country_dnsredir.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral6
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_install_russia_blacklist.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_install_russia_blacklist_dnsredir.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral8
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_remove.cmd
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral10
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert32.sys
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert64.sys
Resource
win10v2004-20240802-en
Behavioral task
behavioral12
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/goodbyedpi.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/WinDivert.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral14
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/WinDivert64.sys
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/goodbyedpi.exe
Resource
win10v2004-20240802-en
General
-
Target
goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert64.sys
-
Size
89KB
-
MD5
6a33620de63bccaf5e5314ee49cd58fb
-
SHA1
ac728b339681b2e27099fecc1419821f01d04b34
-
SHA256
e69b5ba3f0cd6cfb2983e442636e7f0b342b61b15264b0328317d4559c82cf50
-
SHA512
638d1b8aa4dc0e4ac504f51aaa3ec8375ccc3d69a4d36821f6bb98060b58586007f47966b9d58d222b9f067e12e80755f56559286cbabec8746146acaf24f945
-
SSDEEP
1536:8ovgCRgYL/h//oJJw5AdPtey2AyWpdsihch9WXi2v6MuO2:84jmJJsKle9A5pdsiqg/vsO2
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
taskmgr.exepid process 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 5000 taskmgr.exe Token: SeSystemProfilePrivilege 5000 taskmgr.exe Token: SeCreateGlobalPrivilege 5000 taskmgr.exe Token: 33 5000 taskmgr.exe Token: SeIncBasePriorityPrivilege 5000 taskmgr.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
Processes:
taskmgr.exepid process 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
taskmgr.exepid process 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe 5000 taskmgr.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\WinDivert64.sysC:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys2⤵PID:3768
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5000