Analysis

max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2024 20:41

Static task: static1

Behavioral task: behavioral1
Sample: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
Resource: win10v2004-20240802-en
General

Target: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
Size: 1.2MB
MD5: af9217e077e7d4498b6e6cd1200a23d0
SHA1: 324ff379c0ab3ca39620ca6d2e6f07e0b83a6231
SHA256: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cf
SHA512: 3279a7232797befb455f49b3d2d9d715952c87ef6329a8d6739a260e58daab0a30bdd52d1dbd9ba3ee24b00f83d26f3bb0cf29b363273fbaa65f4d5f1440776f
SSDEEP: 24576:SNPn8Ip3ZaY7BS1L0JGMFFh4bjtt7pMg2iyZ6YfVAlovWk:PIpQY7BS+JDFFh4bxN2iyZ2lovx
Malware Config
Signatures

Creates new service(s) (2 TTPs)

Drops file in Drivers directory (3 IoCs)
Processes: attrib.exe, cmd.exe, attrib.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (attrib.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (cmd.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (attrib.exe)

Possible privilege escalation attempt (4 IoCs)
Processes: icacls.exe, icacls.exe, takeown.exe, icacls.exe
- pid 1868, icacls.exe
- pid 2156, icacls.exe
- pid 2420, takeown.exe
- pid 2472, icacls.exe

Drops startup file (1 IoC)
Processes: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoodByeDPIService.exe.lnk (e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe)

Executes dropped EXE (3 IoCs)
Processes: goodbyedpi.exe, GoodByeDPIService.exe
- pid 472 (no process name listed in the report)
- pid 2120, goodbyedpi.exe
- pid 1732, GoodByeDPIService.exe

Loads dropped DLL (1 IoC)
Processes: goodbyedpi.exe
- pid 2120, goodbyedpi.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes: icacls.exe, takeown.exe, icacls.exe, icacls.exe
- pid 2156, icacls.exe
- pid 2420, takeown.exe
- pid 2472, icacls.exe
- pid 1868, icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)

Launches sc.exe (11 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (11 instances)
- pid 264, sc.exe
- pid 2180, sc.exe
- pid 1156, sc.exe
- pid 2520, sc.exe
- pid 1492, sc.exe
- pid 1880, sc.exe
- pid 548, sc.exe
- pid 2184, sc.exe
- pid 480, sc.exe
- pid 1760, sc.exe
- pid 1920, sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, net1.exe, GoodByeDPIService.exe, net.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (GoodByeDPIService.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)

Kills process with taskkill (1 IoC)
Processes: taskkill.exe
- pid 2476, taskkill.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes: GoodByeDPIService.exe
- pid 1732, GoodByeDPIService.exe

Suspicious behavior: EnumeratesProcesses (59 IoCs)
Processes: GoodByeDPIService.exe
- pid 1732, GoodByeDPIService.exe (59 identical entries)

Suspicious behavior: LoadsDriver (1 IoC)
- pid 472 (no process name listed in the report)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: icacls.exe, taskkill.exe
- Token: SeSecurityPrivilege; pid 1868, icacls.exe
- Token: SeDebugPrivilege; pid 2476, taskkill.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: GoodByeDPIService.exe
- pid 1732, GoodByeDPIService.exe (4 identical entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: GoodByeDPIService.exe
- pid 1732, GoodByeDPIService.exe (4 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: GoodByeDPIService.exe
- pid 1732, GoodByeDPIService.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe, cmd.exe, GoodByeDPIService.exe
Columns: description; pid; Process; procid_target (identical repeated entries are collapsed with a count)
- PID 1900 wrote to memory of 2804; 1900; e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe; 30 (x5)
- PID 2804 wrote to memory of 2156; 2804; cmd.exe; 32 (x3)
- PID 2804 wrote to memory of 2420; 2804; cmd.exe; 33 (x3)
- PID 2804 wrote to memory of 2472; 2804; cmd.exe; 34 (x3)
- PID 2804 wrote to memory of 1864; 2804; cmd.exe; 35 (x3)
- PID 2804 wrote to memory of 2316; 2804; cmd.exe; 36 (x3)
- PID 2804 wrote to memory of 1868; 2804; cmd.exe; 37 (x3)
- PID 2804 wrote to memory of 2476; 2804; cmd.exe; 38 (x3)
- PID 2804 wrote to memory of 480; 2804; cmd.exe; 40 (x3)
- PID 2804 wrote to memory of 1760; 2804; cmd.exe; 41 (x3)
- PID 2804 wrote to memory of 1920; 2804; cmd.exe; 42 (x3)
- PID 2804 wrote to memory of 1156; 2804; cmd.exe; 43 (x3)
- PID 2804 wrote to memory of 1880; 2804; cmd.exe; 44 (x3)
- PID 2804 wrote to memory of 2520; 2804; cmd.exe; 45 (x3)
- PID 2804 wrote to memory of 548; 2804; cmd.exe; 46 (x3)
- PID 2804 wrote to memory of 1492; 2804; cmd.exe; 48 (x3)
- PID 2804 wrote to memory of 264; 2804; cmd.exe; 49 (x3)
- PID 2804 wrote to memory of 2184; 2804; cmd.exe; 50 (x3)
- PID 2804 wrote to memory of 2180; 2804; cmd.exe; 51 (x3)
- PID 2804 wrote to memory of 1732; 2804; cmd.exe; 52 (x4)
- PID 1732 wrote to memory of 1820; 1732; GoodByeDPIService.exe; 53

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
- pid 1864, attrib.exe
- pid 2316, attrib.exe
Processes

(Indentation shows the parent/child depth of the process tree.)

C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID: 1900

  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\ByeByeDPI\install.cmd" "
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID: 2804

    C:\Windows\system32\icacls.exe
      command line: icacls "C:\Windows\system32\drivers\etc\hosts" /save hosts.acl
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID: 2156

    C:\Windows\system32\takeown.exe
      command line: takeown /a /f "C:\Windows\system32\drivers\etc\hosts"
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID: 2420

    C:\Windows\system32\icacls.exe
      command line: icacls "C:\Windows\system32\drivers\etc\hosts" /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID: 2472

    C:\Windows\system32\attrib.exe
      command line: attrib -r -h -s "C:\Windows\system32\drivers\etc\hosts"
      - Drops file in Drivers directory
      - Views/modifies file attributes
      PID: 1864

    C:\Windows\system32\attrib.exe
      command line: attrib +r "C:\Windows\system32\drivers\etc\hosts"
      - Drops file in Drivers directory
      - Views/modifies file attributes
      PID: 2316

    C:\Windows\system32\icacls.exe
      command line: icacls "C:\Windows\system32\drivers\etc" /restore hosts.acl
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID: 1868

    C:\Windows\system32\taskkill.exe
      command line: taskkill /f /im GoodByeDPIService.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2476

    C:\Windows\system32\sc.exe
      command line: sc stop "GoodbyeDPI"
      - Launches sc.exe
      PID: 480

    C:\Windows\system32\sc.exe
      command line: sc delete "GoodbyeDPI"
      - Launches sc.exe
      PID: 1760

    C:\Windows\system32\sc.exe
      command line: sc stop "GoodbyeDPI_Default"
      - Launches sc.exe
      PID: 1920

    C:\Windows\system32\sc.exe
      command line: sc delete "GoodbyeDPI_Default"
      - Launches sc.exe
      PID: 1156

    C:\Windows\system32\sc.exe
      command line: sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "auto"
      - Launches sc.exe
      PID: 1880

    C:\Windows\system32\sc.exe
      command line: sc description "GoodbyeDPI_Default" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Default mode)"
      - Launches sc.exe
      PID: 2520

    C:\Windows\system32\sc.exe
      command line: sc start "GoodbyeDPI_Default"
      - Launches sc.exe
      PID: 548

    C:\Windows\system32\sc.exe
      command line: sc stop "GoodbyeDPI_Aggressive"
      - Launches sc.exe
      PID: 1492

    C:\Windows\system32\sc.exe
      command line: sc delete "GoodbyeDPI_Aggressive"
      - Launches sc.exe
      PID: 264

    C:\Windows\system32\sc.exe
      command line: sc create "GoodbyeDPI_Aggressive" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -p -r -s -q -f 2 -k 2 -n -e1 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --auto-ttl --reverse-frag --wrong-seq --max-payload --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "demand"
      - Launches sc.exe
      PID: 2184

    C:\Windows\system32\sc.exe
      command line: sc description "GoodbyeDPI_Aggressive" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Aggressive mode)"
      - Launches sc.exe
      PID: 2180

    C:\ByeByeDPI\GoodByeDPIService.exe
      command line: GoodByeDPIService.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1732

      C:\Windows\SysWOW64\net.exe
        command line: net start GoodbyeDPI_Default
        - System Location Discovery: System Language Discovery
        PID: 1820

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 start GoodbyeDPI_Default
          - System Location Discovery: System Language Discovery
          PID: 908

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c rd C:\ByeByeDPI_old /s /q
        - System Location Discovery: System Language Discovery
        PID: 2508

C:\ByeByeDPI\x86_64\goodbyedpi.exe
  command line: "C:\ByeByeDPI\x86_64\goodbyedpi.exe" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist "C:\ByeByeDPI\russia-blacklist.txt" --blacklist "C:\ByeByeDPI\russia-youtube.txt"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2120
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
Downloads