Analysis

Max time kernel: 119s
Max time network: 100s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-10-2024 20:41

Static task: static1
Behavioral task: behavioral1
  Sample: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
  Resource: win10v2004-20240802-en
General

Target: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
Size: 1.2MB
MD5: af9217e077e7d4498b6e6cd1200a23d0
SHA1: 324ff379c0ab3ca39620ca6d2e6f07e0b83a6231
SHA256: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cf
SHA512: 3279a7232797befb455f49b3d2d9d715952c87ef6329a8d6739a260e58daab0a30bdd52d1dbd9ba3ee24b00f83d26f3bb0cf29b363273fbaa65f4d5f1440776f
SSDEEP: 24576:SNPn8Ip3ZaY7BS1L0JGMFFh4bjtt7pMg2iyZ6YfVAlovWk:PIpQY7BS+JDFFh4bxN2iyZ2lovx
Malware Config
Signatures

Creates new service(s) (2 TTPs)

Drops file in Drivers directory (3 IoCs)
  Processes: attrib.exe, cmd.exe, attrib.exe
  Description                   IoC                                     Process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   attrib.exe
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   cmd.exe
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   attrib.exe

Possible privilege escalation attempt (4 IoCs)
  Processes: icacls.exe, takeown.exe, icacls.exe, icacls.exe
  PID   Process
  2760  icacls.exe
  3452  takeown.exe
  2724  icacls.exe
  4760  icacls.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
  Description        IoC                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation  e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe

Drops startup file (1 IoC)
  Processes: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
  Description   IoC                                                                                                      Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoodByeDPIService.exe.lnk  e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe

Executes dropped EXE (2 IoCs)
  Processes: goodbyedpi.exe, GoodByeDPIService.exe
  PID   Process
  4040  goodbyedpi.exe
  2716  GoodByeDPIService.exe

Loads dropped DLL (1 IoC)
  Processes: goodbyedpi.exe
  PID   Process
  4040  goodbyedpi.exe

Modifies file permissions (1 TTPs, 4 IoCs)
  Processes: icacls.exe, icacls.exe, icacls.exe, takeown.exe
  PID   Process
  2724  icacls.exe
  4760  icacls.exe
  2760  icacls.exe
  3452  takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)

Launches sc.exe (11 IoCs)
  Sc.exe is a Windows utility used to control services on the system.
  Processes: sc.exe (x11)
  PID   Process
  2836  sc.exe
  4484  sc.exe
  3876  sc.exe
  3816  sc.exe
  3880  sc.exe
  3056  sc.exe
  2932  sc.exe
  1052  sc.exe
  3612  sc.exe
  1540  sc.exe
  2916  sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: net1.exe, cmd.exe, GoodByeDPIService.exe, net.exe
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GoodByeDPIService.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe

Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  PID  Process
  548  taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: GoodByeDPIService.exe
  PID   Process
  2716  GoodByeDPIService.exe (all 64 events are from this PID)

Suspicious behavior: LoadsDriver (1 IoC)
  PID  Process
  660  (no image name recorded in the report)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: icacls.exe, taskkill.exe
  Description                 PID   Process
  Token: SeSecurityPrivilege  4760  icacls.exe
  Token: SeDebugPrivilege     548   taskkill.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: GoodByeDPIService.exe
  PID   Process
  2716  GoodByeDPIService.exe (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: GoodByeDPIService.exe
  PID   Process
  2716  GoodByeDPIService.exe (4 events)

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: GoodByeDPIService.exe
  PID   Process
  2716  GoodByeDPIService.exe

Suspicious use of WriteProcessMemory (50 IoCs)
  Processes: e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe, cmd.exe, GoodByeDPIService.exe, net.exe
  Each row is one "PID <source> wrote to memory of <target>" edge; identical rows are collapsed into the Events column.
  Source PID  Source process                                                         Target PID  Target index  Events
  4876        e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe  3196        84            2
  3196        cmd.exe                                                                2760        87            2
  3196        cmd.exe                                                                3452        88            2
  3196        cmd.exe                                                                2724        89            2
  3196        cmd.exe                                                                2640        90            2
  3196        cmd.exe                                                                1412        91            2
  3196        cmd.exe                                                                4760        92            2
  3196        cmd.exe                                                                548         93            2
  3196        cmd.exe                                                                1540        95            2
  3196        cmd.exe                                                                2916        96            2
  3196        cmd.exe                                                                2932        97            2
  3196        cmd.exe                                                                3880        98            2
  3196        cmd.exe                                                                1052        99            2
  3196        cmd.exe                                                                3056        100           2
  3196        cmd.exe                                                                2836        101           2
  3196        cmd.exe                                                                4484        103           2
  3196        cmd.exe                                                                3876        104           2
  3196        cmd.exe                                                                3612        105           2
  3196        cmd.exe                                                                3816        106           2
  3196        cmd.exe                                                                2716        107           3
  2716        GoodByeDPIService.exe                                                  1352        108           3
  2716        GoodByeDPIService.exe                                                  376         110           3
  1352        net.exe                                                                2372        112           3

Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  PID   Process
  2640  attrib.exe
  1412  attrib.exe
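The signatures above report the pieces of the installer's behaviour separately: takeown/icacls/attrib against the hosts file, sc.exe launches, a kill of the old service. What a responder wants is the correlation back to one root process. The Python below is an added example, not code from the sandbox or from the GoodbyeDPI project; it walks constructed process-creation events (PIDs and command lines taken from this report, the two sc create lines abridged, the parent PID 1000 and the final "control" sc create event invented) and groups hosts-file ACL tampering and service creation with a binary outside an assumed trusted-directory list under the root of the process chain.

```python
"""Correlate hosts-file ACL tampering and out-of-tree service creation to a common root.

Added example for this report, not code from the sandbox or from GoodbyeDPI.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe"
SYS32 = r"C:\Windows\system32"

# Constructed process-creation events (pid, ppid, image, command line) modelled on the
# process tree in this report. PIDs and command lines come from the report (the two
# sc create lines are abridged); parent PID 1000 and the last "control" event are invented.
EVENTS = [
    (4876, 1000, SAMPLE, f'"{SAMPLE}"'),
    (3196, 4876, SYS32 + r"\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\ByeByeDPI\install.cmd" "'),
    (2760, 3196, SYS32 + r"\icacls.exe", r'icacls "C:\Windows\system32\drivers\etc\hosts" /save hosts.acl'),
    (3452, 3196, SYS32 + r"\takeown.exe", r'takeown /a /f "C:\Windows\system32\drivers\etc\hosts"'),
    (2724, 3196, SYS32 + r"\icacls.exe", r'icacls "C:\Windows\system32\drivers\etc\hosts" /reset'),
    (2640, 3196, SYS32 + r"\attrib.exe", r'attrib -r -h -s "C:\Windows\system32\drivers\etc\hosts"'),
    (1412, 3196, SYS32 + r"\attrib.exe", r'attrib +r "C:\Windows\system32\drivers\etc\hosts"'),
    (4760, 3196, SYS32 + r"\icacls.exe", r'icacls "C:\Windows\system32\drivers\etc" /restore hosts.acl'),
    (548, 3196, SYS32 + r"\taskkill.exe", r'taskkill /f /im GoodByeDPIService.exe'),
    (1540, 3196, SYS32 + r"\sc.exe", r'sc stop "GoodbyeDPI"'),
    (2916, 3196, SYS32 + r"\sc.exe", r'sc delete "GoodbyeDPI"'),
    (1052, 3196, SYS32 + r"\sc.exe",
     r'sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 --fake-gen 5" start= "auto"'),
    (3612, 3196, SYS32 + r"\sc.exe",
     r'sc create "GoodbyeDPI_Aggressive" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -p -r -s" start= "demand"'),
    (2836, 3196, SYS32 + r"\sc.exe", r'sc start "GoodbyeDPI_Default"'),
    # Invented control event: a service whose binary lives under C:\Windows is not flagged.
    (5000, 1000, SYS32 + r"\sc.exe", r'sc create "ExampleSvc" binPath= "C:\Windows\System32\svchost.exe -k netsvcs" start= "auto"'),
]

TAMPER_TOOLS = {"icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe"}
HOSTS_RE = re.compile(r"drivers\\etc(\\hosts)?", re.I)
SC_CREATE_RE = re.compile(r'^\s*(?:"?[^"\s]*\\)?sc(?:\.exe)?"?\s+create\s+"?([^"\s]+)', re.I)
BINPATH_RE = re.compile(r'binPath=\s*"?\\?"?([A-Za-z]:\\[^"]*?\.exe)', re.I)
START_RE = re.compile(r'start=\s*"?(\w+)', re.I)
# Assumed "trusted" locations for a service binary; anything else deserves a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_sc_create(cmd):
    """Return {name, binpath, start} for an 'sc create' command line, else None."""
    m = SC_CREATE_RE.match(cmd)
    if not m:
        return None
    bp = BINPATH_RE.search(cmd)
    st = START_RE.search(cmd)
    return {"name": m.group(1),
            "binpath": bp.group(1) if bp else "",
            "start": st.group(1).lower() if st else "demand"}  # sc's default start type


def trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def severity(f):
    auto = any(s["start"] == "auto" for s in f["services"])
    if f["hosts_acl"] and auto:
        return "high"   # hosts ACL rewritten AND an auto-start service pointing outside trusted dirs
    return "medium" if (f["hosts_acl"] or f["services"]) else "low"


def analyze(events):
    by_pid = {e[0]: e for e in events}

    def root_of(pid):  # walk up the parent chain as far as the events allow
        while pid in by_pid and by_pid[pid][1] in by_pid:
            pid = by_pid[pid][1]
        return pid

    findings = defaultdict(lambda: {"hosts_acl": [], "services": []})
    for pid, ppid, image, cmd in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in TAMPER_TOOLS and HOSTS_RE.search(cmd):
            findings[root_of(pid)]["hosts_acl"].append(pid)
        elif exe == "sc.exe":
            svc = parse_sc_create(cmd)
            if svc and not trusted_path(svc["binpath"]):
                findings[root_of(pid)]["services"].append(svc)
    return {root: dict(f, severity=severity(f)) for root, f in findings.items()}


if __name__ == "__main__":
    for root, f in analyze(EVENTS).items():
        print(f"root PID {root}: {f['severity']} - hosts ACL tampering by {f['hosts_acl']}, "
              f"services {[(s['name'], s['start']) for s in f['services']]}")
```

On the events above everything rolls up to PID 4876 with severity "high": six ACL/attribute changes to the hosts file and two services whose binPath is C:\ByeByeDPI\x86_64\goodbyedpi.exe, one of them auto-start. The control event is ignored because its binary is under C:\Windows; in a real deployment the trusted prefix list and the PID-1000 parent are the parts to replace with your telemetry's own values.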
Processes

- C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe (level 1, PID 4876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe"
  Signatures: Checks computer location settings; Drops startup file; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (level 2, PID 3196)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ByeByeDPI\install.cmd" "
    Signatures: Drops file in Drivers directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe (level 3, PID 2760)
      Command line: icacls "C:\Windows\system32\drivers\etc\hosts" /save hosts.acl
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe (level 3, PID 3452)
      Command line: takeown /a /f "C:\Windows\system32\drivers\etc\hosts"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (level 3, PID 2724)
      Command line: icacls "C:\Windows\system32\drivers\etc\hosts" /reset
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\attrib.exe (level 3, PID 2640)
      Command line: attrib -r -h -s "C:\Windows\system32\drivers\etc\hosts"
      Signatures: Drops file in Drivers directory; Views/modifies file attributes
    - C:\Windows\system32\attrib.exe (level 3, PID 1412)
      Command line: attrib +r "C:\Windows\system32\drivers\etc\hosts"
      Signatures: Drops file in Drivers directory; Views/modifies file attributes
    - C:\Windows\system32\icacls.exe (level 3, PID 4760)
      Command line: icacls "C:\Windows\system32\drivers\etc" /restore hosts.acl
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe (level 3, PID 548)
      Command line: taskkill /f /im GoodByeDPIService.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\sc.exe (level 3, PID 1540)
      Command line: sc stop "GoodbyeDPI"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 2916)
      Command line: sc delete "GoodbyeDPI"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 2932)
      Command line: sc stop "GoodbyeDPI_Default"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 3880)
      Command line: sc delete "GoodbyeDPI_Default"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 1052)
      Command line: sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "auto"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 3056)
      Command line: sc description "GoodbyeDPI_Default" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Default mode)"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 2836)
      Command line: sc start "GoodbyeDPI_Default"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 4484)
      Command line: sc stop "GoodbyeDPI_Aggressive"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 3876)
      Command line: sc delete "GoodbyeDPI_Aggressive"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 3612)
      Command line: sc create "GoodbyeDPI_Aggressive" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -p -r -s -q -f 2 -k 2 -n -e1 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --auto-ttl --reverse-frag --wrong-seq --max-payload --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "demand"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (level 3, PID 3816)
      Command line: sc description "GoodbyeDPI_Aggressive" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Aggressive mode)"
      Signatures: Launches sc.exe
    - C:\ByeByeDPI\GoodByeDPIService.exe (level 3, PID 2716)
      Command line: GoodByeDPIService.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (level 4, PID 1352)
        Command line: net start GoodbyeDPI_Default
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (level 5, PID 2372)
          Command line: C:\Windows\system32\net1 start GoodbyeDPI_Default
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 376)
        Command line: cmd /c rd C:\ByeByeDPI_old /s /q
        Signatures: System Location Discovery: System Language Discovery
- C:\ByeByeDPI\x86_64\goodbyedpi.exe (level 1, PID 4040)
  Command line: "C:\ByeByeDPI\x86_64\goodbyedpi.exe" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist "C:\ByeByeDPI\russia-blacklist.txt" --blacklist "C:\ByeByeDPI\russia-youtube.txt"
  Signatures: Executes dropped EXE; Loads dropped DLL
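Both sc create lines and the goodbyedpi.exe command line carry the same --fake-from-hex blob. Decoding it shows what the service sends as its fake request: a TLS record whose record and handshake length fields claim far more data than is present, a 32-byte "random" that spells an ASCII string, no cipher suites, and a single server_name extension with an empty host name. The decoder below is an added example, not code from this report or from GoodbyeDPI; it assumes the blob follows the standard ClientHello layout (RFC 5246) and that the hex string is copied exactly from the command lines above.

```python
"""Decode the --fake-from-hex payload from the service command lines above as a TLS record.

Added example for this report, not code from the sandbox or from GoodbyeDPI.
"""
import struct

# Hex blob copied verbatim from the sc create / goodbyedpi.exe command lines in this report.
FAKE_HEX = ("160301FFFF01FFFFFF0303594F5552204144564552544953454D454E54"
            "2048455245202D202431302F6D6F000000000009000000050003000000")

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def decode_client_hello(hex_blob):
    """Parse a TLS record carrying a ClientHello (RFC 5246 layout) and report where
    its length fields disagree with the bytes actually present."""
    data = bytes.fromhex(hex_blob)
    # Record header: ContentType(1) ProtocolVersion(2) length(2)
    rec_type, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:]
    # Handshake header: HandshakeType(1) length(3)
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    p = 4
    client_ver = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    rnd = body[p:p + 32]; p += 32
    sid_len = body[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    cm_len = body[p]; p += 1 + cm_len
    ext_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    end = p + ext_len
    exts, sni = [], None
    while p + 4 <= end:
        et, el = struct.unpack("!HH", body[p:p + 4]); p += 4
        ed = body[p:p + el]; p += el
        exts.append((et, ed.hex()))
        if et == EXT_SERVER_NAME and len(ed) >= 5:
            # ServerNameList: list length(2), then NameType(1) + HostName length(2) + name
            _list_len, _name_type, name_len = struct.unpack("!HBH", ed[:5])
            sni = ed[5:5 + name_len].decode("ascii", "replace")
    return {
        "is_handshake": rec_type == TLS_HANDSHAKE,
        "is_client_hello": hs_type == CLIENT_HELLO,
        "record_version": rec_ver, "client_version": client_ver,
        "record_length": rec_len, "record_bytes_present": len(body),
        "handshake_length": hs_len, "handshake_bytes_present": len(body) - 4,
        "random_ascii": rnd.decode("ascii", "replace"),
        "cipher_suites": suites, "extensions": exts, "sni": sni,
        "trailing_bytes": len(body) - p,
    }


def length_fields_consistent(info):
    """True only if the record and handshake lengths match the bytes that follow them."""
    return (info["record_length"] == info["record_bytes_present"]
            and info["handshake_length"] == info["handshake_bytes_present"])


if __name__ == "__main__":
    info = decode_client_hello(FAKE_HEX)
    for k, v in info.items():
        print(f"{k:24} {v!r}")
    print("length fields consistent:", length_fields_consistent(info))
```

The record length 0xFFFF and handshake length 0xFFFFFF against 53 and 49 bytes actually present are what make this packet a decoy rather than a handshake any server would accept; a DPI box that classifies on the ClientHello header alone sees a TLS 1.2 hello with an empty SNI, which is the point. Whether a given middlebox reacts to it is not something this report shows.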
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
- File and Directory Permissions Modification (2): Windows File and Directory Permissions Modification (1)
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (1)
Downloads

File 1
  Filesize: 68KB
  MD5: 49299e5f6db7ed241efaccd0c038777c
  SHA1: 5926ea78a1f8ae78fd2f48a60d49be343a67f86a
  SHA256: fc9380664a87b76a2af82c9f8e370f175c94816269875cfe52df4887d065f6ca
  SHA512: 5337853d8bb14b3d2b8e111e1c3d1a13025759aaf4c07d8a5f95bbb438261b9cf0ca5eae04c21c6789c7502b4aaea660584b6a6b695773df819a9735a14a5c99

File 2
  Filesize: 218B
  MD5: de03fcce33861c8a005e919b203b7f6f
  SHA1: 86e9531ad41787a10fd2015b5f420882db707d79
  SHA256: 52eda44d432f950d97bc64a0cb16b28ba15f66884214be1d5b63cb069fecb028
  SHA512: 600a1f9f3914a913019295c1eb518318486308fa395d659c49b5e9ffde09d7948592ef8e2dd4f45d409c554197200a725af0555f9f590a31b9881416bc65c11d

File 3
  Filesize: 9KB
  MD5: 47158fedec375f473d0b47d2c8e23290
  SHA1: 1d904652019683dd977bc6e91f58b436bec7abe4
  SHA256: a926fafbde9b448ac122a64dc15ae12a87350501bdae38f67fa2c612b44c17b6
  SHA512: 142ec99546d083b3a5181168d1c0a8dc99d2347f719cbb2f00bd17333940addfc6d3e9ed90fd5c866327e072c1c77e7841c4d3eabd9c9d5cff2433e5c994f2be

File 4
  Filesize: 2KB
  MD5: aceefd9a2ecd1853e2b7cc7841aae842
  SHA1: f1ba8d05ea74909ec5616224a6c28fa1b2d404e4
  SHA256: 5990897ffc39ae039f6880b720b89c58af7862f5e88e3461573f46ff04c0aa86
  SHA512: 8d0138ee94c59f94e370737367804cdd097ff5dcd9cdecb19bca0964a19f1dfb6aa77f21b891f9604df1ee1ff4aba5a9aad8c8137c867290aea9e529f028d12f

File 5
  Filesize: 2.2MB
  MD5: c778017427c08556621c3360e7b60b12
  SHA1: 9f2e0a127dcc409c10d4890a27d165c08977c8e0
  SHA256: 227b4961ea7bafac9bb5aaf3dfeb2537beb64169ae37f7658efebb573bc9c01a
  SHA512: 7bac0ea2123c4be8ad0f1f0df6a941fa3ceb80bc0aa728b004f52cfc36bca99d8cbbf43ebd28a56cff90bf9e551e99a39750b364435ca05af21676a326b64fab

File 6
  Filesize: 256B
  MD5: 91d74100607dba77eda0d7a75dacb0cc
  SHA1: 95490aede362c6275d325615fdbf3f94fee8e392
  SHA256: 2d8de5532bae45852a3f6d8270e881fc10fec89f8d9daec3d91988a669760f79
  SHA512: 9f55f99971789c0f53aefda6d3beab78b28854b0a8ca74869e09d5e1dd905f8394a2927bca2f1bbb3a73198e5da6e8b6e3ac72ddd2cbf6363c0c88298bdadfdd

File 7
  Filesize: 46KB
  MD5: 88e1c19b978436258f7c938013408a8a
  SHA1: 09b77c8c85757e11667a7b83231598dd67fe0b8b
  SHA256: 6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e
  SHA512: eaa0d8369b76fd9a4978f14702716ae31d801cd0dc36a86531f9320b4ddb683265c4f0e07af2b9d2e85f513270d98d1b11ae7d501d08287442bc505176d16e14

File 8
  Filesize: 99KB
  MD5: afa7f66231b9cec7237e738b622c0181
  SHA1: 478f336ab054623abfa691f11f12bc3be31deabe
  SHA256: 8d412b094bb9c137ff25ba9a794d1122ecc84bb776debff6c249723a13cc31cd
  SHA512: a3833d6018c6ddb63c5bc5b1a2efe2f9e517e80d28d6c59661ff625d42397e484e902ae5f211fc1586a25901c1f0d1700364f604c51a536fcc467703ce76e9d8