Analysis

  • max time kernel
    119s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-10-2024 20:41

General

  • Target

    e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe

  • Size

    1.2MB

  • MD5

    af9217e077e7d4498b6e6cd1200a23d0

  • SHA1

    324ff379c0ab3ca39620ca6d2e6f07e0b83a6231

  • SHA256

    e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cf

  • SHA512

    3279a7232797befb455f49b3d2d9d715952c87ef6329a8d6739a260e58daab0a30bdd52d1dbd9ba3ee24b00f83d26f3bb0cf29b363273fbaa65f4d5f1440776f

  • SSDEEP

    24576:SNPn8Ip3ZaY7BS1L0JGMFFh4bjtt7pMg2iyZ6YfVAlovWk:PIpQY7BS+JDFFh4bxN2iyZ2lovx

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Drops file in Drivers directory 3 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Launches sc.exe 11 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
    "C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ByeByeDPI\install.cmd" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\drivers\etc\hosts" /save hosts.acl
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2760
      • C:\Windows\system32\takeown.exe
        takeown /a /f "C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3452
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\drivers\etc\hosts" /reset
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2724
      • C:\Windows\system32\attrib.exe
        attrib -r -h -s "C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Drops file in Drivers directory
        • Views/modifies file attributes
        PID:2640
      • C:\Windows\system32\attrib.exe
        attrib +r "C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Drops file in Drivers directory
        • Views/modifies file attributes
        PID:1412
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\drivers\etc" /restore hosts.acl
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4760
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im GoodByeDPIService.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:548
      • C:\Windows\system32\sc.exe
        sc stop "GoodbyeDPI"
        3⤵
        • Launches sc.exe
        PID:1540
      • C:\Windows\system32\sc.exe
        sc delete "GoodbyeDPI"
        3⤵
        • Launches sc.exe
        PID:2916
      • C:\Windows\system32\sc.exe
        sc stop "GoodbyeDPI_Default"
        3⤵
        • Launches sc.exe
        PID:2932
      • C:\Windows\system32\sc.exe
        sc delete "GoodbyeDPI_Default"
        3⤵
        • Launches sc.exe
        PID:3880
      • C:\Windows\system32\sc.exe
        sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "auto"
        3⤵
        • Launches sc.exe
        PID:1052
      • C:\Windows\system32\sc.exe
        sc description "GoodbyeDPI_Default" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Default mode)"
        3⤵
        • Launches sc.exe
        PID:3056
      • C:\Windows\system32\sc.exe
        sc start "GoodbyeDPI_Default"
        3⤵
        • Launches sc.exe
        PID:2836
      • C:\Windows\system32\sc.exe
        sc stop "GoodbyeDPI_Aggressive"
        3⤵
        • Launches sc.exe
        PID:4484
      • C:\Windows\system32\sc.exe
        sc delete "GoodbyeDPI_Aggressive"
        3⤵
        • Launches sc.exe
        PID:3876
      • C:\Windows\system32\sc.exe
        sc create "GoodbyeDPI_Aggressive" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -p -r -s -q -f 2 -k 2 -n -e1 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --auto-ttl --reverse-frag --wrong-seq --max-payload --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "demand"
        3⤵
        • Launches sc.exe
        PID:3612
      • C:\Windows\system32\sc.exe
        sc description "GoodbyeDPI_Aggressive" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Aggressive mode)"
        3⤵
        • Launches sc.exe
        PID:3816
      • C:\ByeByeDPI\GoodByeDPIService.exe
        GoodByeDPIService.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\net.exe
          net start GoodbyeDPI_Default
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1352
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start GoodbyeDPI_Default
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c rd C:\ByeByeDPI_old /s /q
          4⤵
          • System Location Discovery: System Language Discovery
          PID:376
  • C:\ByeByeDPI\x86_64\goodbyedpi.exe
    "C:\ByeByeDPI\x86_64\goodbyedpi.exe" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist "C:\ByeByeDPI\russia-blacklist.txt" --blacklist "C:\ByeByeDPI\russia-youtube.txt"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:4040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ByeByeDPI\GoodByeDPIService.exe

    Filesize

    68KB

    MD5

    49299e5f6db7ed241efaccd0c038777c

    SHA1

    5926ea78a1f8ae78fd2f48a60d49be343a67f86a

    SHA256

    fc9380664a87b76a2af82c9f8e370f175c94816269875cfe52df4887d065f6ca

    SHA512

    5337853d8bb14b3d2b8e111e1c3d1a13025759aaf4c07d8a5f95bbb438261b9cf0ca5eae04c21c6789c7502b4aaea660584b6a6b695773df819a9735a14a5c99

  • C:\ByeByeDPI\hosts.acl

    Filesize

    218B

    MD5

    de03fcce33861c8a005e919b203b7f6f

    SHA1

    86e9531ad41787a10fd2015b5f420882db707d79

    SHA256

    52eda44d432f950d97bc64a0cb16b28ba15f66884214be1d5b63cb069fecb028

    SHA512

    600a1f9f3914a913019295c1eb518318486308fa395d659c49b5e9ffde09d7948592ef8e2dd4f45d409c554197200a725af0555f9f590a31b9881416bc65c11d

  • C:\ByeByeDPI\hosts.txt

    Filesize

    9KB

    MD5

    47158fedec375f473d0b47d2c8e23290

    SHA1

    1d904652019683dd977bc6e91f58b436bec7abe4

    SHA256

    a926fafbde9b448ac122a64dc15ae12a87350501bdae38f67fa2c612b44c17b6

    SHA512

    142ec99546d083b3a5181168d1c0a8dc99d2347f719cbb2f00bd17333940addfc6d3e9ed90fd5c866327e072c1c77e7841c4d3eabd9c9d5cff2433e5c994f2be

  • C:\ByeByeDPI\install.cmd

    Filesize

    2KB

    MD5

    aceefd9a2ecd1853e2b7cc7841aae842

    SHA1

    f1ba8d05ea74909ec5616224a6c28fa1b2d404e4

    SHA256

    5990897ffc39ae039f6880b720b89c58af7862f5e88e3461573f46ff04c0aa86

    SHA512

    8d0138ee94c59f94e370737367804cdd097ff5dcd9cdecb19bca0964a19f1dfb6aa77f21b891f9604df1ee1ff4aba5a9aad8c8137c867290aea9e529f028d12f

  • C:\ByeByeDPI\russia-blacklist.txt

    Filesize

    2.2MB

    MD5

    c778017427c08556621c3360e7b60b12

    SHA1

    9f2e0a127dcc409c10d4890a27d165c08977c8e0

    SHA256

    227b4961ea7bafac9bb5aaf3dfeb2537beb64169ae37f7658efebb573bc9c01a

    SHA512

    7bac0ea2123c4be8ad0f1f0df6a941fa3ceb80bc0aa728b004f52cfc36bca99d8cbbf43ebd28a56cff90bf9e551e99a39750b364435ca05af21676a326b64fab

  • C:\ByeByeDPI\russia-youtube.txt

    Filesize

    256B

    MD5

    91d74100607dba77eda0d7a75dacb0cc

    SHA1

    95490aede362c6275d325615fdbf3f94fee8e392

    SHA256

    2d8de5532bae45852a3f6d8270e881fc10fec89f8d9daec3d91988a669760f79

    SHA512

    9f55f99971789c0f53aefda6d3beab78b28854b0a8ca74869e09d5e1dd905f8394a2927bca2f1bbb3a73198e5da6e8b6e3ac72ddd2cbf6363c0c88298bdadfdd

  • C:\ByeByeDPI\x86_64\WinDivert.dll

    Filesize

    46KB

    MD5

    88e1c19b978436258f7c938013408a8a

    SHA1

    09b77c8c85757e11667a7b83231598dd67fe0b8b

    SHA256

    6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e

    SHA512

    eaa0d8369b76fd9a4978f14702716ae31d801cd0dc36a86531f9320b4ddb683265c4f0e07af2b9d2e85f513270d98d1b11ae7d501d08287442bc505176d16e14

  • C:\ByeByeDPI\x86_64\goodbyedpi.exe

    Filesize

    99KB

    MD5

    afa7f66231b9cec7237e738b622c0181

    SHA1

    478f336ab054623abfa691f11f12bc3be31deabe

    SHA256

    8d412b094bb9c137ff25ba9a794d1122ecc84bb776debff6c249723a13cc31cd

    SHA512

    a3833d6018c6ddb63c5bc5b1a2efe2f9e517e80d28d6c59661ff625d42397e484e902ae5f211fc1586a25901c1f0d1700364f604c51a536fcc467703ce76e9d8

  • memory/4040-93-0x0000000062800000-0x0000000062813000-memory.dmp

    Filesize

    76KB

  • memory/4040-92-0x00007FF7D6020000-0x00007FF7D6042000-memory.dmp

    Filesize

    136KB

  • memory/4040-96-0x00007FF7D6020000-0x00007FF7D6042000-memory.dmp

    Filesize

    136KB