Malware Analysis Report

2025-06-16 04:26

Sample ID 230712-eh7mzabg85
Target OlympicDestroyer.exe
SHA256 edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
Tags
mimikatz discovery evasion ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9

Threat Level: Known bad

The file OlympicDestroyer.exe was found to be: Known bad.

Malicious Activity Summary

mimikatz discovery evasion ransomware spyware stealer

Mimikatz

Clears Windows event logs

Deletes shadow copies

Modifies boot configuration data using bcdedit

mimikatz is an open source tool to dump credentials on Windows

Deletes backup catalog

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-12 03:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-12 03:57

Reported

2023-07-12 04:00

Platform

win7-20230703-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"

Signatures

Mimikatz

mimikatz

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\empdm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ezpxh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A \??\c:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ezpxh.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\empdm.exe
PID 2272 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\empdm.exe
PID 2272 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\empdm.exe
PID 2272 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\empdm.exe
PID 2272 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\ezpxh.exe
PID 2272 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\ezpxh.exe
PID 2272 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\ezpxh.exe
PID 2272 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\ezpxh.exe
PID 2272 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\_fmo.exe
PID 2272 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\_fmo.exe
PID 2272 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\_fmo.exe
PID 2272 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\_fmo.exe
PID 1500 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe \??\c:\Windows\system32\vssadmin.exe
PID 3068 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe \??\c:\Windows\system32\vssadmin.exe
PID 3068 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe \??\c:\Windows\system32\vssadmin.exe
PID 1500 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2548 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2548 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1500 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2572 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1500 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 2932 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2932 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2932 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1500 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\_fmo.exe C:\Windows\system32\cmd.exe
PID 2508 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2508 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2508 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe

"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"

C:\Users\Admin\AppData\Local\Temp\empdm.exe

123 \\.\pipe\ADF9E666-4CF5-47C8-80F4-A0171C458118

C:\Users\Admin\AppData\Local\Temp\ezpxh.exe

123 \\.\pipe\0E528AF2-1EA2-4931-842B-1876ED3202D8

C:\Users\Admin\AppData\Local\Temp\_fmo.exe

"C:\Users\Admin\AppData\Local\Temp\_fmo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

\??\c:\Windows\system32\vssadmin.exe

c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe cl System

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl System

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security

Network

Files

\Users\Admin\AppData\Local\Temp\empdm.exe

MD5 4f43f03783f9789f804dcf9b9474fa6d
SHA1 492d4a4a74099074e26b5dffd0d15434009ccfd9
SHA256 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
SHA512 645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d

memory/1572-59-0x0000000010000000-0x00000000100AA000-memory.dmp

\Users\Admin\AppData\Local\Temp\ezpxh.exe

MD5 d9c37b937ffde812ae15de885913e101
SHA1 ed1cd9e086923797fe2e5fe8ff19685bd2a40072
SHA256 f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
SHA512 164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877

memory/2368-72-0x0000000180000000-0x000000018002B000-memory.dmp

\Users\Admin\AppData\Local\Temp\_fmo.exe

MD5 3c0d740347b0362331c882c2dee96dbf
SHA1 8350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256 ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA512 a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-12 03:57

Reported

2023-07-12 04:00

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"

Signatures

Mimikatz

mimikatz

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bvcsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\djumn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A \??\c:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\djumn.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\bvcsm.exe
PID 1276 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\bvcsm.exe
PID 1276 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\bvcsm.exe
PID 1276 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\djumn.exe
PID 1276 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\djumn.exe
PID 1276 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\_sfv.exe
PID 1276 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\_sfv.exe
PID 1276 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe C:\Users\Admin\AppData\Local\Temp\_sfv.exe
PID 3524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe \??\c:\Windows\system32\vssadmin.exe
PID 3036 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe \??\c:\Windows\system32\vssadmin.exe
PID 3524 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3524 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3952 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3524 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3524 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3096 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3096 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3096 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3096 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2596 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3524 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 3524 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\_sfv.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2808 wrote to memory of 260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe

"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"

C:\Users\Admin\AppData\Local\Temp\bvcsm.exe

123 \\.\pipe\A5698C4D-44D1-4D02-9EA4-75B20272FE74

C:\Users\Admin\AppData\Local\Temp\djumn.exe

123 \\.\pipe\A5C145AD-A612-4CB6-9284-DC8A2B7AA55B

C:\Users\Admin\AppData\Local\Temp\_sfv.exe

"C:\Users\Admin\AppData\Local\Temp\_sfv.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

\??\c:\Windows\system32\vssadmin.exe

c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe cl System

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl System

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security

Network

Files

C:\Users\Admin\AppData\Local\Temp\bvcsm.exe

MD5 4f43f03783f9789f804dcf9b9474fa6d
SHA1 492d4a4a74099074e26b5dffd0d15434009ccfd9
SHA256 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
SHA512 645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d

memory/4072-137-0x0000000010000000-0x00000000100AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\djumn.exe

MD5 d9c37b937ffde812ae15de885913e101
SHA1 ed1cd9e086923797fe2e5fe8ff19685bd2a40072
SHA256 f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
SHA512 164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877

memory/5004-150-0x0000000180000000-0x000000018002B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sfv.exe

MD5 3c0d740347b0362331c882c2dee96dbf
SHA1 8350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256 ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA512 a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f
