2b071652ac3988a702dd2db58cda4c822ac1bd50043ad9fd44a57adadf0f4b8c

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goodbyedpi-0.2.2/0_russia_update_blacklist_file.cmd
Size

139B
MD5

0d689231a9c73bdd03f25e8ec57a3dab
SHA1

4e0a03d846c1dca08f5f1c0ad86229eb5144b0c3
SHA256

b9c8d691b2c1140455be35b15873944896b46c29f12ed0332274432a1c45a021
SHA512

47b0b717c39ba219155271859ea95bba07f87de65c4c5168d8e7372d09700c842e4402030ed02307a421c2d16e6ce9c3d0c7f3f65aeab81488b3ee300e1a9e98

Score

8^/10

dropper

Malware Config

Signatures

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
1548	bitsadmin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1548	1964	cmd.exe	31
PID 1964 wrote to memory of 1548	1964	cmd.exe	31
PID 1964 wrote to memory of 1548	1964	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\0_russia_update_blacklist_file.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer blacklist https://antizapret.prostovpn.org/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\russia-blacklist.txt"
  2⤵
  - Download via BitsAdmin
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads