Analysis
- max time kernel: 98s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-08-2024 06:14
Static task: static1

Behavioral task: behavioral1
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/0_russia_update_blacklist_file.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral2
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/1_russia_blacklist.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral3
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/1_russia_blacklist_dnsredir.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral4
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/2_any_country.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral5
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/2_any_country_dnsredir.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral6
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_install_russia_blacklist.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral7
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_install_russia_blacklist_dnsredir.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral8
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_remove.cmd
- Resource: win10v2004-20240802-en

Behavioral task: behavioral9
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert.dll
- Resource: win10v2004-20240802-en

Behavioral task: behavioral10
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert32.sys
- Resource: win10v2004-20240802-en

Behavioral task: behavioral11
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/WinDivert64.sys
- Resource: win10v2004-20240802-en

Behavioral task: behavioral12
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86/goodbyedpi.exe
- Resource: win10v2004-20240802-en

Behavioral task: behavioral13
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/WinDivert.dll
- Resource: win10v2004-20240802-en

Behavioral task: behavioral14
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/WinDivert64.sys
- Resource: win10v2004-20240802-en

Behavioral task: behavioral15
- Sample: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/x86_64/goodbyedpi.exe
- Resource: win10v2004-20240802-en
General
- Target: goodbyedpi-0.2.3rc1-2/goodbyedpi-0.2.3rc1/service_remove.cmd
- Size: 272B
- MD5: 295c774295b7fab9f7e3100bf3a482da
- SHA1: ddee388d720107a5959126e85e979daf9f6579b7
- SHA256: d6f19938699e88198ace9206e417e1289f211e187cfed163d31172f97cb91d55
- SHA512: dfca3ad06fcf73ecf1499828923a58f37d7ea82c531c3f71ed39ee98ec1be490a5220c5626ab45c817bbce7cb4362791fc3ee680511841dd317961ba0f346d54
Malware Config

Signatures
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid   process
    3456  sc.exe
    3284  sc.exe
    4684  sc.exe
    880   sc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process  target process
    PID 2404 wrote to memory of 3456   2404  cmd.exe  sc.exe
    PID 2404 wrote to memory of 3456   2404  cmd.exe  sc.exe
    PID 2404 wrote to memory of 3284   2404  cmd.exe  sc.exe
    PID 2404 wrote to memory of 3284   2404  cmd.exe  sc.exe
    PID 2404 wrote to memory of 4684   2404  cmd.exe  sc.exe
    PID 2404 wrote to memory of 4684   2404  cmd.exe  sc.exe
    PID 2404 wrote to memory of 880    2404  cmd.exe  sc.exe
    PID 2404 wrote to memory of 880    2404  cmd.exe  sc.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_remove.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2404
  - C:\Windows\system32\sc.exe
    Command line: sc stop "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 3456
  - C:\Windows\system32\sc.exe
    Command line: sc delete "GoodbyeDPI"
    Signatures: Launches sc.exe
    PID: 3284
  - C:\Windows\system32\sc.exe
    Command line: sc stop "WinDivert"
    Signatures: Launches sc.exe
    PID: 4684
  - C:\Windows\system32\sc.exe
    Command line: sc delete "WinDivert"
    Signatures: Launches sc.exe
    PID: 880