b08c7b02968a250abbc5520008216ddcf0a9d67fcb87c00f2b4d89b64844aa56

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoodbyeDPI 0.2.3rc3 - Launcher 8.8/x86/Launcher for GoodbyeDPI.exe
Size

1.7MB
MD5

ced1ba578bc18f0cf784fea79155e685
SHA1

291f40ef9f88ed762662ac1185bb1c1ecb92a7c8
SHA256

f0d65b5d2dc9a836f6975e8a1a44f154140165d21354dc687a90126702c5f5e1
SHA512

db710704c78b4c6f9ad7101f8c4745dcb28c33c51258b2eae1b6a9382069db4ac036abf3f4e193e7c6141ea492dd15c43eaade48dcb74b25895698a897f0aaad
SSDEEP

24576:WEj50CsjEAhoknIezRz4fsfT1YGzH5br9kbpziyesdY4Yv6l7Shs2HkFNG5N:xmNgKoSRUqT1dH5br9klziyeb

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RunDLL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	RunDLL32.EXE

System Binary Proxy Execution: Rundll32 1 TTPs 2 IoCs

Abuse Rundll32 to proxy execution of malicious code.

defense_evasion

Rundll32

T1218.011

pid	Process
1820	RunDLL32.EXE
1156	RunDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher for GoodbyeDPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDLL32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDLL32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
208	Launcher for GoodbyeDPI.exe
208	Launcher for GoodbyeDPI.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
208	Launcher for GoodbyeDPI.exe
208	Launcher for GoodbyeDPI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
208	Launcher for GoodbyeDPI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1156	208	Launcher for GoodbyeDPI.exe	82
PID 208 wrote to memory of 1156	208	Launcher for GoodbyeDPI.exe	82
PID 208 wrote to memory of 1156	208	Launcher for GoodbyeDPI.exe	82
PID 208 wrote to memory of 1820	208	Launcher for GoodbyeDPI.exe	83
PID 208 wrote to memory of 1820	208	Launcher for GoodbyeDPI.exe	83
PID 208 wrote to memory of 1820	208	Launcher for GoodbyeDPI.exe	83
PID 1156 wrote to memory of 4864	1156	RunDLL32.EXE	84
PID 1156 wrote to memory of 4864	1156	RunDLL32.EXE	84
PID 1156 wrote to memory of 4864	1156	RunDLL32.EXE	84
PID 1820 wrote to memory of 1328	1820	RunDLL32.EXE	86
PID 1820 wrote to memory of 1328	1820	RunDLL32.EXE	86
PID 1820 wrote to memory of 1328	1820	RunDLL32.EXE	86

C:\Users\Admin\AppData\Local\Temp\GoodbyeDPI 0.2.3rc3 - Launcher 8.8\x86\Launcher for GoodbyeDPI.exe
"C:\Users\Admin\AppData\Local\Temp\GoodbyeDPI 0.2.3rc3 - Launcher 8.8\x86\Launcher for GoodbyeDPI.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\RunDLL32.EXE
  RunDLL32.EXE shell32.dll,ShellExec_RunDLL schtasks /delete /tn GoodbyeDPI /F
  2⤵
  - Checks computer location settings
  - System Binary Proxy Execution: Rundll32
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn GoodbyeDPI /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4864
- C:\Windows\SysWOW64\RunDLL32.EXE
  RunDLL32.EXE shell32.dll,ShellExec_RunDLL reg export "HKEY_CURRENT_USER\Software\GoodbyeDPILauncher" "C:\Users\Admin\AppData\Local\Temp\GoodbyeDPI 0.2.3rc3 - Launcher 8.8\x86\Настройки Launcher for GoodbyeDPI.reg"
  2⤵
  - Checks computer location settings
  - System Binary Proxy Execution: Rundll32
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export "HKEY_CURRENT_USER\Software\GoodbyeDPILauncher" "C:\Users\Admin\AppData\Local\Temp\GoodbyeDPI 0.2.3rc3 - Launcher 8.8\x86\Настройки Launcher for GoodbyeDPI.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Rundll32

T1218.011

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REG87AE.tmp

Filesize
3KB

MD5
6aaf4f7060e3cc2ddd23eaf3ac5ccfa7

SHA1
83d26250c0255767a3497fa752f43b80d8d3486a

SHA256
b2cc91ff7bc6f3c261b8a919c178b24e8c21ac6f0703a0877373289183ffc30a

SHA512
c34ae60ac572c5f317c6ce14d5d4e20a056d4a2ab4bfb5cab20041eb955da1db999bae585cd1c5e09bf43b8f11b97d8eca2ff60ac91f1cd10a891bcb782b5d7f

Download Submit