Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2024 20:41

General

  • Target

    e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe

  • Size

    1.2MB

  • MD5

    af9217e077e7d4498b6e6cd1200a23d0

  • SHA1

    324ff379c0ab3ca39620ca6d2e6f07e0b83a6231

  • SHA256

    e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cf

  • SHA512

    3279a7232797befb455f49b3d2d9d715952c87ef6329a8d6739a260e58daab0a30bdd52d1dbd9ba3ee24b00f83d26f3bb0cf29b363273fbaa65f4d5f1440776f

  • SSDEEP

    24576:SNPn8Ip3ZaY7BS1L0JGMFFh4bjtt7pMg2iyZ6YfVAlovWk:PIpQY7BS+JDFFh4bxN2iyZ2lovx

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Drops file in Drivers directory 3 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • Stops running service(s) 4 TTPs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Launches sc.exe 11 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Runs net.exe
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
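
The signatures above (Modifies file permissions, Possible privilege escalation attempt, Creates new service(s), Launches sc.exe) all fire on children of the same cmd.exe that runs install.cmd. The Python below is an added detection example, not part of this report or of the sandbox's own rule set. It runs over constructed process-creation events whose command lines are copied from the process tree on this page (field names modelled on Sysmon Event ID 1; this is not a sandbox export), and flags takeown or icacls against drivers\etc\hosts, an "sc create" whose binPath points outside C:\Windows, and the combination of both under one parent process. The benign control events under ppid 3000, the rule names and the C:\Windows prefix check are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events with Sysmon Event ID 1 style fields, built
# from the command lines in the process tree of this report. Not a sandbox export;
# the two events under ppid 3000 are a benign control added for contrast.
EVENTS = [
    {"pid": 2804, "ppid": 1900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\ByeByeDPI\install.cmd" "'},
    {"pid": 2420, "ppid": 2804, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r'takeown /a /f "C:\Windows\system32\drivers\etc\hosts"'},
    {"pid": 2472, "ppid": 2804, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'icacls "C:\Windows\system32\drivers\etc\hosts" /reset'},
    {"pid": 1880, "ppid": 2804, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r'sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 '
                r'--blacklist \"C:\ByeByeDPI\russia-blacklist.txt\"" start= "auto"'},
    {"pid": 548, "ppid": 2804, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r'sc start "GoodbyeDPI_Default"'},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\report.docx" /reset'},
    {"pid": 3002, "ppid": 3000, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r'sc create "Spooler2" binPath= "C:\Windows\System32\spoolsv.exe" start= "auto"'},
]

# Patterns this example keys on (assumptions of the example, not sandbox rules).
HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts\b", re.IGNORECASE)
SC_CREATE_RE = re.compile(
    r'^\s*sc(?:\.exe)?\s+create\s+"?([^"\s]+)"?\s+.*?binPath=\s*"?(.+?)"?(?:\s+start=|\s*$)',
    re.IGNORECASE,
)
SYSTEM_ROOT = "c:\\windows\\"


def touches_hosts_acl(ev):
    """takeown or icacls run against the hosts file (ownership/ACL change)."""
    exe = ev["image"].lower().rsplit("\\", 1)[-1]
    return exe in ("takeown.exe", "icacls.exe") and HOSTS_RE.search(ev["cmdline"]) is not None


def service_image(cmdline):
    """Return (service name, executable path) from an 'sc create' line, else None.
    binPath may be a bare path, a quoted path, or an escaped-quoted path followed
    by arguments, as in the sample's own command line."""
    m = SC_CREATE_RE.search(cmdline)
    if not m:
        return None
    name, binpath = m.group(1), m.group(2).strip()
    if binpath.startswith('\\"'):
        exe = binpath[2:].split('\\"', 1)[0]
    elif binpath.startswith('"'):
        exe = binpath[1:].split('"', 1)[0]
    else:
        exe = binpath.split(" ", 1)[0]
    return name, exe


def outside_system_root(path):
    """True when the service binary does not live under C:\\Windows."""
    return not path.lower().startswith(SYSTEM_ROOT)


def analyze(events):
    """Emit one finding per matching event, plus a chain finding when the same
    parent process both changed the hosts file ACL and installed a service
    whose binary lives outside C:\\Windows."""
    findings = []
    by_parent = defaultdict(lambda: {"hosts": 0, "svc": 0})
    for ev in events:
        if touches_hosts_acl(ev):
            findings.append({"rule": "hosts_acl_tamper", "pid": ev["pid"], "ppid": ev["ppid"]})
            by_parent[ev["ppid"]]["hosts"] += 1
        svc = service_image(ev["cmdline"])
        if svc and outside_system_root(svc[1]):
            findings.append({"rule": "service_outside_systemroot", "pid": ev["pid"],
                             "ppid": ev["ppid"], "service": svc[0], "image": svc[1]})
            by_parent[ev["ppid"]]["svc"] += 1
    for ppid, counts in by_parent.items():
        if counts["hosts"] and counts["svc"]:
            findings.append({"rule": "hosts_tamper_then_service_install", "ppid": ppid})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On these events the two hosts-file findings and the service finding all have ppid 2804, so the chain rule fires for that cmd.exe; the control events under ppid 3000 produce nothing because the icacls target is a user file and the service binary is under C:\Windows. The chain rule is what separates this installer from an administrator who merely runs icacls or sc in isolation.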

Processes

  • C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
    "C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\ByeByeDPI\install.cmd" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\drivers\etc\hosts" /save hosts.acl
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2156
      • C:\Windows\system32\takeown.exe
        takeown /a /f "C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2420
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\drivers\etc\hosts" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2472
      • C:\Windows\system32\attrib.exe
        attrib -r -h -s "C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Drops file in Drivers directory
        • Views/modifies file attributes
        PID:1864
      • C:\Windows\system32\attrib.exe
        attrib +r "C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Drops file in Drivers directory
        • Views/modifies file attributes
        PID:2316
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\drivers\etc" /restore hosts.acl
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im GoodByeDPIService.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
      • C:\Windows\system32\sc.exe
        sc stop "GoodbyeDPI"
        3⤵
        • Launches sc.exe
        PID:480
      • C:\Windows\system32\sc.exe
        sc delete "GoodbyeDPI"
        3⤵
        • Launches sc.exe
        PID:1760
      • C:\Windows\system32\sc.exe
        sc stop "GoodbyeDPI_Default"
        3⤵
        • Launches sc.exe
        PID:1920
      • C:\Windows\system32\sc.exe
        sc delete "GoodbyeDPI_Default"
        3⤵
        • Launches sc.exe
        PID:1156
      • C:\Windows\system32\sc.exe
        sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "auto"
        3⤵
        • Launches sc.exe
        PID:1880
      • C:\Windows\system32\sc.exe
        sc description "GoodbyeDPI_Default" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Default mode)"
        3⤵
        • Launches sc.exe
        PID:2520
      • C:\Windows\system32\sc.exe
        sc start "GoodbyeDPI_Default"
        3⤵
        • Launches sc.exe
        PID:548
      • C:\Windows\system32\sc.exe
        sc stop "GoodbyeDPI_Aggressive"
        3⤵
        • Launches sc.exe
        PID:1492
      • C:\Windows\system32\sc.exe
        sc delete "GoodbyeDPI_Aggressive"
        3⤵
        • Launches sc.exe
        PID:264
      • C:\Windows\system32\sc.exe
        sc create "GoodbyeDPI_Aggressive" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -p -r -s -q -f 2 -k 2 -n -e1 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --auto-ttl --reverse-frag --wrong-seq --max-payload --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "demand"
        3⤵
        • Launches sc.exe
        PID:2184
      • C:\Windows\system32\sc.exe
        sc description "GoodbyeDPI_Aggressive" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Aggressive mode)"
        3⤵
        • Launches sc.exe
        PID:2180
      • C:\ByeByeDPI\GoodByeDPIService.exe
        GoodByeDPIService.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\net.exe
          net start GoodbyeDPI_Default
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1820
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start GoodbyeDPI_Default
            5⤵
            • System Location Discovery: System Language Discovery
            PID:908
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c rd C:\ByeByeDPI_old /s /q
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2508
  • C:\ByeByeDPI\x86_64\goodbyedpi.exe
    "C:\ByeByeDPI\x86_64\goodbyedpi.exe" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist "C:\ByeByeDPI\russia-blacklist.txt" --blacklist "C:\ByeByeDPI\russia-youtube.txt"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2120
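
The same --fake-from-hex payload appears in both "sc create" lines and in the goodbyedpi.exe command line above; the hex string is all the report gives about it. The Python below is an added example, not GoodbyeDPI's code and not part of this report: it parses that hex as a TLS record carrying a ClientHello, walking the body by its inner length fields because the outer record and handshake lengths declare far more bytes than are present. The dict keys and the bogus-length flags are this example's own naming; the payload bytes are copied from the page.

```python
# Hex payload passed via --fake-from-hex in the sc create and goodbyedpi.exe
# command lines of this report (copied from the page, not constructed).
FAKE_HEX = (
    "160301FFFF01FFFFFF0303594F5552204144564552544953454D454E5420"
    "48455245202D202431302F6D6F000000000009000000050003000000"
)


def u16(b, i):
    """Big-endian 16-bit integer at offset i."""
    return int.from_bytes(b[i:i + 2], "big")


def parse_fake_clienthello(hexstr):
    """Parse a TLS record holding a ClientHello. The record and handshake length
    fields are reported but not trusted (this payload declares more bytes than it
    carries); the body is walked by its own inner length fields instead."""
    data = bytes.fromhex(hexstr)
    if len(data) < 9:
        raise ValueError("too short for a record header plus handshake header")
    out = {
        "record_type": data[0],                  # 0x16 = handshake
        "record_version": data[1:3].hex(),       # 0301 = TLS 1.0 record layer
        "record_len": u16(data, 3),
        "handshake_type": data[5],               # 0x01 = ClientHello
        "handshake_len": int.from_bytes(data[6:9], "big"),
    }
    out["record_len_bogus"] = out["record_len"] != len(data) - 5
    out["handshake_len_bogus"] = out["handshake_len"] != len(data) - 9

    body = data[9:]
    out["client_version"] = body[0:2].hex()      # 0303 = TLS 1.2
    out["random"] = body[2:34]                   # 32-byte client random
    pos = 34
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = u16(body, pos)
    pos += 2
    out["cipher_suites"] = [body[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    ext_len = u16(body, pos)
    pos += 2

    exts = {}
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:                        # type(2) length(2) data(length)
        etype, elen = u16(body, pos), u16(body, pos + 2)
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    out["extensions"] = exts
    if 0 in exts:                                # 0 = server_name (SNI)
        sni = exts[0]                            # list len(2) name type(1) name len(2) name
        name_len = u16(sni, 3)
        out["sni"] = sni[5:5 + name_len].decode("ascii", "replace")
    return out


if __name__ == "__main__":
    for key, value in parse_fake_clienthello(FAKE_HEX).items():
        print(f"{key}: {value}")
```

For this payload the parser reports a record length of 0xFFFF and a handshake length of 0xFFFFFF against 58 bytes of data, a client random that is the ASCII string YOUR ADVERTISEMENT HERE - $10/mo, an empty cipher-suite list, and a single server_name extension whose host name is empty. That is what any DPI box or IDS signature keyed on TLS handshake bytes sees on the wire before the real ClientHello; a signature that trusts the declared lengths, or that requires a non-empty SNI, will not match it.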

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ByeByeDPI\GoodByeDPIService.exe

    Filesize

    68KB

    MD5

    49299e5f6db7ed241efaccd0c038777c

    SHA1

    5926ea78a1f8ae78fd2f48a60d49be343a67f86a

    SHA256

    fc9380664a87b76a2af82c9f8e370f175c94816269875cfe52df4887d065f6ca

    SHA512

    5337853d8bb14b3d2b8e111e1c3d1a13025759aaf4c07d8a5f95bbb438261b9cf0ca5eae04c21c6789c7502b4aaea660584b6a6b695773df819a9735a14a5c99

  • C:\ByeByeDPI\hosts.acl

    Filesize

    122B

    MD5

    cc4a037057ed1ac85a8845f01fe51f9a

    SHA1

    e65b6b4cc81d709929d9ab148095d8f6228faab6

    SHA256

    52217a03cc125f8c64b15a01062df20f39033a9ef27519981c0a5e8001705733

    SHA512

    cdc8476728a54ba3afa9a58c7db90e0ab6e60e8438bf73adb30a9726066d22416ac1d5fe678435f4885078ad721456af2c15b8dc969869fecd4eb7c43bcb54cc

  • C:\ByeByeDPI\hosts.txt

    Filesize

    9KB

    MD5

    47158fedec375f473d0b47d2c8e23290

    SHA1

    1d904652019683dd977bc6e91f58b436bec7abe4

    SHA256

    a926fafbde9b448ac122a64dc15ae12a87350501bdae38f67fa2c612b44c17b6

    SHA512

    142ec99546d083b3a5181168d1c0a8dc99d2347f719cbb2f00bd17333940addfc6d3e9ed90fd5c866327e072c1c77e7841c4d3eabd9c9d5cff2433e5c994f2be

  • C:\ByeByeDPI\install.cmd

    Filesize

    2KB

    MD5

    aceefd9a2ecd1853e2b7cc7841aae842

    SHA1

    f1ba8d05ea74909ec5616224a6c28fa1b2d404e4

    SHA256

    5990897ffc39ae039f6880b720b89c58af7862f5e88e3461573f46ff04c0aa86

    SHA512

    8d0138ee94c59f94e370737367804cdd097ff5dcd9cdecb19bca0964a19f1dfb6aa77f21b891f9604df1ee1ff4aba5a9aad8c8137c867290aea9e529f028d12f

  • C:\ByeByeDPI\russia-blacklist.txt

    Filesize

    2.2MB

    MD5

    c778017427c08556621c3360e7b60b12

    SHA1

    9f2e0a127dcc409c10d4890a27d165c08977c8e0

    SHA256

    227b4961ea7bafac9bb5aaf3dfeb2537beb64169ae37f7658efebb573bc9c01a

    SHA512

    7bac0ea2123c4be8ad0f1f0df6a941fa3ceb80bc0aa728b004f52cfc36bca99d8cbbf43ebd28a56cff90bf9e551e99a39750b364435ca05af21676a326b64fab

  • C:\ByeByeDPI\russia-youtube.txt

    Filesize

    256B

    MD5

    91d74100607dba77eda0d7a75dacb0cc

    SHA1

    95490aede362c6275d325615fdbf3f94fee8e392

    SHA256

    2d8de5532bae45852a3f6d8270e881fc10fec89f8d9daec3d91988a669760f79

    SHA512

    9f55f99971789c0f53aefda6d3beab78b28854b0a8ca74869e09d5e1dd905f8394a2927bca2f1bbb3a73198e5da6e8b6e3ac72ddd2cbf6363c0c88298bdadfdd

  • C:\ByeByeDPI\x86_64\WinDivert.dll

    Filesize

    46KB

    MD5

    88e1c19b978436258f7c938013408a8a

    SHA1

    09b77c8c85757e11667a7b83231598dd67fe0b8b

    SHA256

    6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e

    SHA512

    eaa0d8369b76fd9a4978f14702716ae31d801cd0dc36a86531f9320b4ddb683265c4f0e07af2b9d2e85f513270d98d1b11ae7d501d08287442bc505176d16e14

  • \ByeByeDPI\x86_64\goodbyedpi.exe

    Filesize

    99KB

    MD5

    afa7f66231b9cec7237e738b622c0181

    SHA1

    478f336ab054623abfa691f11f12bc3be31deabe

    SHA256

    8d412b094bb9c137ff25ba9a794d1122ecc84bb776debff6c249723a13cc31cd

    SHA512

    a3833d6018c6ddb63c5bc5b1a2efe2f9e517e80d28d6c59661ff625d42397e484e902ae5f211fc1586a25901c1f0d1700364f604c51a536fcc467703ce76e9d8

  • memory/2120-103-0x0000000062800000-0x0000000062813000-memory.dmp

    Filesize

    76KB

  • memory/2120-102-0x000000013FF10000-0x000000013FF32000-memory.dmp

    Filesize

    136KB

  • memory/2120-104-0x000000013FF10000-0x000000013FF32000-memory.dmp

    Filesize

    136KB