Analysis
-
max time kernel
109s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-05-2024 21:21
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/IamAdev213/Olympia
Resource
win10v2004-20240426-en
General
-
Target
https://github.com/IamAdev213/Olympia
Malware Config
Extracted
discordrat
-
discord_token
MTE5MzgwMzA0MDc0NzE3MTg2MA.GshiN5.0_ZPPt-ihfojKuDIZKCjaaalSyA1SMTmz34zAE
-
server_id
1153902914876756088
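Decoding the extracted configuration, as an added example written for this page (Python) rather than code from the report or from the Olympia project: the first dot-separated segment of a Discord bot token is the base64 of the bot's own numeric user ID, and every Discord ID ("snowflake") carries its creation time in the upper 42 bits, measured in milliseconds from 2015-01-01 UTC. Both are general Discord conventions assumed here, not facts stated by the report; the token and server_id are the values extracted above.

```python
"""Recover pivot data from the Discord RAT config extracted above.

Added example, not part of the sandbox report or of the Olympia project.
Assumed (not stated on the page): a Discord bot token has the shape
base64(user_id).<time part>.<hmac>, and Discord IDs are 64-bit snowflakes
whose top 42 bits are milliseconds since 2015-01-01T00:00:00Z.
"""
import base64
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z

# Values copied from the "Malware Config" section of this report.
EXTRACTED_TOKEN = "MTE5MzgwMzA0MDc0NzE3MTg2MA.GshiN5.0_ZPPt-ihfojKuDIZKCjaaalSyA1SMTmz34zAE"
EXTRACTED_SERVER_ID = 1153902914876756088


def bot_user_id_from_token(token: str) -> int:
    """Decode the first token segment; it is the bot's user ID as ASCII digits."""
    first = token.split(".")[0]
    # Discord strips the base64 padding; restore it before decoding.
    padded = first + "=" * (-len(first) % 4)
    digits = base64.urlsafe_b64decode(padded).decode("ascii")
    if not digits.isdigit():
        raise ValueError("first token segment is not a numeric user ID")
    return int(digits)


def snowflake_created_at(snowflake: int) -> datetime:
    """Creation time embedded in any Discord ID (user, guild, channel, message)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def snowflake_fields(snowflake: int) -> dict:
    """Split the low 22 bits: internal worker and process IDs plus a sequence counter."""
    return {
        "worker_id": (snowflake >> 17) & 0x1F,
        "process_id": (snowflake >> 12) & 0x1F,
        "increment": snowflake & 0xFFF,
    }


def pivot_summary(token: str, server_id: int) -> dict:
    """Everything a responder needs for a takedown request or for clustering samples."""
    bot_id = bot_user_id_from_token(token)
    return {
        "bot_user_id": bot_id,
        "bot_created": snowflake_created_at(bot_id).date().isoformat(),
        "server_id": server_id,
        "server_created": snowflake_created_at(server_id).date().isoformat(),
    }


if __name__ == "__main__":
    for key, value in pivot_summary(EXTRACTED_TOKEN, EXTRACTED_SERVER_ID).items():
        print(f"{key:15} {value}")
```

The bot user ID and the server ID are the stable pivots: the token can be rotated by the operator, but samples built against the same bot account share the ID, and Discord's abuse process works from the ID, not the token. In this sample the first segment decodes to a bot account created in January 2024, a few months before submission. Treat the token itself as a credential (it is what grants control of the C2 channel), not as an opaque indicator string.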
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid   Process
5316  Olympia.exe
5664  Olympia.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
44    raw.githubusercontent.com
45    raw.githubusercontent.com
-
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
All three registry reads are attributed to msedge.exe, not to the dropped Olympia.exe.
-
NTFS ADS 1 IoCs
description                   ioc                                                                  Process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 262121.crdownload:SmartScreen   msedge.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process              count
1532  msedge.exe           2
3800  msedge.exe           2
2368  identity_helper.exe  2
5200  msedge.exe           2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid   Process     count
3800  msedge.exe  7
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  5316  Olympia.exe
Token: SeDebugPrivilege  5664  Olympia.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
pid   Process     count
3800  msedge.exe  35
-
Suspicious use of SendNotifyMessage 24 IoCs
pid   Process     count
3800  msedge.exe  24
-
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process     procid_target
PID 3800 wrote to memory of 2124  3800  msedge.exe  81
PID 3800 wrote to memory of 888   3800  msedge.exe  82
PID 3800 wrote to memory of 1532  3800  msedge.exe  83
PID 3800 wrote to memory of 4856  3800  msedge.exe  84
64 events in total, all from the Edge parent process 3800 into its own child processes (crashpad handler 2124, GPU process 888, network service 1532, storage service 4856); the repeated entries are collapsed above. None of them involve Olympia.exe.
Processes
-
PID 3800  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/IamAdev213/Olympia
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  -
  PID 2124  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb576846f8,0x7ffb57684708,0x7ffb57684718
  -
  PID 888  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  -
  PID 1532  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  -
  PID 4856  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  -
  PID 3096  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  -
  PID 3600  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  -
  PID 2716  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  -
  PID 2368  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  -
  PID 3864  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5692 /prefetch:8
  -
  PID 4496  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  -
  PID 2392  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 /prefetch:8
  -
  PID 5024  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  -
  PID 1996  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  -
  PID 1720  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  -
  PID 3156  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  -
  PID 5200  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (tree depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,14129368622729685761,12554815322805079436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  -
  PID 5316  C:\Users\Admin\Downloads\Olympia.exe  (tree depth 2)
    Command line: "C:\Users\Admin\Downloads\Olympia.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  -
  PID 5664  C:\Users\Admin\Downloads\Olympia.exe  (tree depth 2)
    Command line: "C:\Users\Admin\Downloads\Olympia.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
PID 3740  C:\Windows\System32\CompPkgSrv.exe  (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
PID 2700  C:\Windows\System32\CompPkgSrv.exe  (tree depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
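The chain worth alerting on in this tree is the browser parent (msedge.exe, PID 3800) launching an executable out of the user's Downloads folder (Olympia.exe, PIDs 5316 and 5664) that immediately requests SeDebugPrivilege, while the rest of the children are Edge's own helpers under its install directory. The following is an added example written for this page (Python), not code from the report or from the Olympia project: the process records are constructed by hand from the process list above (image paths, PIDs, parent/child depth and per-process signature names), and the field names and the rule itself are this example's own.

```python
"""Detection logic for the browser-to-dropped-binary chain in the process tree above.

Added example, not part of the sandbox report or of the Olympia project. The
process records are constructed from the report's own process list; the rule,
the field names and the browser/path lists are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
# Lower-case path fragments where a browser download or drop normally lands.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
PRIV_SIG = "Suspicious use of AdjustPrivilegeToken"


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]          # None for a tree-depth-1 process
    signatures: set = field(default_factory=set)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
HELPER = r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"
OLYMPIA = r"C:\Users\Admin\Downloads\Olympia.exe"

# Constructed from this report: the Edge parent, three of its helpers, the two
# Olympia.exe children and the two unrelated depth-1 CompPkgSrv.exe processes.
REPORTED = [
    Proc(3800, EDGE, None, {"NTFS ADS", "Suspicious use of WriteProcessMemory"}),
    Proc(1532, EDGE, 3800, {"Suspicious behavior: EnumeratesProcesses"}),
    Proc(2368, HELPER, 3800, {"Suspicious behavior: EnumeratesProcesses"}),
    Proc(5200, EDGE, 3800, {"Suspicious behavior: EnumeratesProcesses"}),
    Proc(5316, OLYMPIA, 3800, {"Executes dropped EXE", PRIV_SIG}),
    Proc(5664, OLYMPIA, 3800, {"Executes dropped EXE", PRIV_SIG}),
    Proc(3740, r"C:\Windows\System32\CompPkgSrv.exe", None),
    Proc(2700, r"C:\Windows\System32\CompPkgSrv.exe", None),
]


def find_dropped_exec_chains(procs):
    """One finding per executable that a browser launched from a user-writable path."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if parent is None or parent.name not in BROWSERS:
            continue
        # Edge's renderers, GPU/utility processes and identity_helper.exe live under
        # the browser's install directory, so only user-writable paths qualify.
        image = p.image.lower()
        if not image.endswith(".exe") or not any(d in image for d in USER_WRITABLE):
            continue
        findings.append({
            "pid": p.pid,
            "image": p.image,
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            # SeDebugPrivilege right after launch is what the report shows for Olympia.exe.
            "severity": "high" if PRIV_SIG in p.signatures else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_dropped_exec_chains(REPORTED):
        print(f"[{f['severity']}] {f['parent_image']} ({f['parent_pid']}) "
              f"-> {f['image']} ({f['pid']})")
```

Keyed on parent image and child path rather than on the file name, the rule survives the sample being renamed, and it stays quiet on the browser's own child processes, which is where most of this report's "suspicious" signatures (WriteProcessMemory, FindShellTrayWindow, SendNotifyMessage) actually fire.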
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5:    4f7152bc5a1a715ef481e37d1c791959
SHA1:   c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
-
Filesize: 152B
MD5:    ea98e583ad99df195d29aa066204ab56
SHA1:   f89398664af0179641aa0138b337097b617cb2db
SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5:    3ab1d6fefae2e1a987016db34f1a7c63
SHA1:   ad2017bace1efdb6d2fadafc62d1b894aebc02f7
SHA256: 62d90e241b2d5d96f5b852e11263877cd27fe0d234056f478549f86e87b62c50
SHA512: 6fb7ad73ffc5a128ec98fcc26bb0a830d540b09152df606c19b6755bbf20a52465d6ed48e9f9abde1aa2686db071b0fcc24fa65358e61f04bbe43a3c0ba87665
-
Filesize: 579B
MD5:    a7d1701142cca705f833d70023ef4e1e
SHA1:   1b76853132abfcddb4fefac42bf9df5d013c9815
SHA256: 6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
SHA512: 806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0
-
Filesize: 5KB
MD5:    360c599fff3a1b56f3753bb905d299cc
SHA1:   0c24ff5f6bc0715fb5956edd5a21fd888571337d
SHA256: dfcf3e3635a0a0f95db2002e88ab5c7ae6a36f6ec41ac776c6683b0aa44a84c7
SHA512: efac66624a53e75eccc68dcf4829888519ac718f3705fcf9100e8344eb7a55d31d8150a1aa9560a167995b86951fe05b549bc5365f98d3e9d41610bc3d6c16c9
-
Filesize: 6KB
MD5:    39bbb1c42de648b66b331493113e9c22
SHA1:   7a119ea68f6e79ed0f831a8120959ef2264a4348
SHA256: c1adf39f3d89132e487f142ec02570612433167ee852d907fd0412fe0ffbcb2b
SHA512: 5a9f422ac6940686a02cfd7bc02c5a6f707abbdf7331fbca2fb4c0449d70f7ce48494e39725c5aa81a09354e6aa18f59bd6b00af57d474ccc7e5360279684e36
-
Filesize: 16B
MD5:    6752a1d65b201c13b62ea44016eb221f
SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 11KB
MD5:    07ed7501b61b8953012e89c5513644f6
SHA1:   5f5b268c8a831b1b6a5063588d3beecd78f0df46
SHA256: 3caf11b2d07b898e89ecbb3c63014f5d4fecbdb596ddba5007cc4d6c1a97b412
SHA512: 1bf869b6f0dbd861c322b4eab6728f94fd9503aa2cd97000ace1d135a70175953687a6c5e2ba210c3fb981298a28a07ead0fde6a6305e8a25c575eef7f842a2a
-
Filesize: 11KB
MD5:    ee61998d8981782fe295ee23b7499373
SHA1:   dd102440220f2acbfbd0e0f2a3debeae4a99afad
SHA256: 4c8b9315c342a4531b39441c881264de40145e09eb6c9b15b95eb7e003ec7cb9
SHA512: 3889072f5f023d9d29968a4f93b91346bbbed7e0c4cb5a98a368bc217fea6e6f7a2080282deffd45d56119b073bc1dae64c2624eb64af3e035d9098ea00efc6a
-
Filesize: 78KB
MD5:    f963c311ce499c4b106c0228beae207a
SHA1:   14411b60c546688ee8cb40775d8d00a3f40340da
SHA256: 19c4b18265004b0e114f6ab7c2a1995841be69cb8ab440ad8f005f7fbd63db20
SHA512: 2280f970e6cb6cf5ba1e78bdf7b645f4b681fc78882511be33443b06876a96035791a11f4e7b3ef4f1fc8013085da963504ac562723190493dc454f4e0cd31e9