Analysis
- max time kernel: 148s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2023, 03:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: OlympicDestroyer.exe
- Resource: win7-20230703-en
General
- Target: OlympicDestroyer.exe
- Size: 1.8MB
- MD5: cfdd16225e67471f5ef54cab9b3a5558
- SHA1: 26de43cc558a4e0e60eddd4dc9321bcb5a0a181c
- SHA256: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
- SHA512: e1855a872f4db7c17eb22130d9cb205eddde641f1b39ea5de97dfb762fc97dc2347bc6e6e88b9c5a303e1540b4b4bdb19c839c7d3e237348adbfa4b942f24adb
- SSDEEP: 49152:R9dnjRSnRMWHrVDoqNcVhcAwARGcWRrLy3pNq:3dVSRMUrVDEVHLRGdRrLy5N
Malware Config
Signatures
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
- Clears Windows event logs (1 TTPs, 2 IoCs)
  pid 2904 wevtutil.exe; pid 2636 wevtutil.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid 1132 bcdedit.exe; pid 1540 bcdedit.exe
- mimikatz is an open source tool to dump credentials on Windows (1 IoCs)
  yara_rule mimikatz matched resource behavioral1/memory/2368-72-0x0000000180000000-0x000000018002B000-memory.dmp
- Deletes backup catalog
  pid 1652 wbadmin.exe
- Executes dropped EXE (3 IoCs)
  pid 1572 empdm.exe; pid 2368 ezpxh.exe; pid 1500 _fmo.exe
- Loads dropped DLL (3 IoCs)
  pid 2272 OlympicDestroyer.exe (x3)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2228 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 2368 ezpxh.exe (x5)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  2272 OlympicDestroyer.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  2368 ezpxh.exe: SeDebugPrivilege
  1500 _fmo.exe: SeShutdownPrivilege
  2844 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  2904 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  2636 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
- Suspicious use of WriteProcessMemory (50 IoCs; source PID/process -> target PID [procid_target], repeat count)
  2272 OlympicDestroyer.exe -> 1572 [29], x4
  2272 OlympicDestroyer.exe -> 2368 [30], x4
  2272 OlympicDestroyer.exe -> 1500 [31], x4
  1500 _fmo.exe -> 3068 [32], x4
  3068 cmd.exe -> 2228 [34], x3
  1500 _fmo.exe -> 2548 [35], x4
  2548 cmd.exe -> 1652 [37], x3
  1500 _fmo.exe -> 2572 [41], x4
  2572 cmd.exe -> 1132 [43], x3
  2572 cmd.exe -> 1540 [44], x3
  1500 _fmo.exe -> 2932 [45], x4
  2932 cmd.exe -> 2904 [47], x3
  1500 _fmo.exe -> 2508 [48], x4
  2508 cmd.exe -> 2636 [50], x3
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe (PID 2272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\empdm.exe (PID 1572)
    Command line: 123 \\.\pipe\ADF9E666-4CF5-47C8-80F4-A0171C458118
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\ezpxh.exe (PID 2368)
    Command line: 123 \\.\pipe\0E528AF2-1EA2-4931-842B-1876ED3202D8
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\_fmo.exe (PID 1500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\_fmo.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 3068)
      Command line: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - \??\c:\Windows\system32\vssadmin.exe (PID 2228)
        Command line: c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\system32\cmd.exe (PID 2548)
      Command line: C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe (PID 1652)
        Command line: wbadmin.exe delete catalog -quiet
        Signatures: Deletes backup catalog
    - C:\Windows\system32\cmd.exe (PID 2572)
      Command line: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\bcdedit.exe (PID 1132)
        Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        Signatures: Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 1540)
        Command line: bcdedit /set {default} recoveryenabled no
        Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\cmd.exe (PID 2932)
      Command line: C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wevtutil.exe (PID 2904)
        Command line: wevtutil.exe cl System
        Signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2508)
      Command line: C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wevtutil.exe (PID 2636)
        Command line: wevtutil.exe cl Security
        Signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 2844)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 2360)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 2720)
  Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 36KB
  MD5: 3c0d740347b0362331c882c2dee96dbf
  SHA1: 8350e06f52e5c660bb416b03edb6a5ddc50c3a59
  SHA256: ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
  SHA512: a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f
- Filesize: 751KB
  MD5: 4f43f03783f9789f804dcf9b9474fa6d
  SHA1: 492d4a4a74099074e26b5dffd0d15434009ccfd9
  SHA256: 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
  SHA512: 645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d
- Filesize: 277KB
  MD5: d9c37b937ffde812ae15de885913e101
  SHA1: ed1cd9e086923797fe2e5fe8ff19685bd2a40072
  SHA256: f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
  SHA512: 164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877