edb1ff25...3eb9 | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 97/100
Target: win7_32_sp1 | exe
Classification: Trojan, Dropper, Pua

edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 (SHA256)

OlympicDestroyer.exe

Windows Exe (x86-32)

Created at 2018-03-15 15:14:00

...

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "1 hour" to "10 seconds" to reveal dormant functionality.

Severity Category Operation Classification
4/5
OS Modifies Windows automatic backups -
4/5
File System Associated with malicious files Trojan
  • File "c:\users\eebsym5\desktop\OlympicDestroyer.exe" is a known malicious file.
    ...
3/5
Browser Reads data related to saved browser credentials -
3/5
OS Disables a crucial system service -
  • Disable "Internet Connection Sharing Service" by ChangeServiceConfigW.
    ...
2/5
File System Associated with suspicious files Pua
1/5
Process Creates process with hidden window -
  • The process "C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe" starts with hidden window.
    ...
  • The process "C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe" starts with hidden window.
    ...
  • The process "C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe" starts with hidden window.
    ...
  • The process "C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet" starts with hidden window.
    ...
  • The process "C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet" starts with hidden window.
    ...
  • The process "C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no" starts with hidden window.
    ...
  • The process "C:\Windows\system32\cmd.exe /c wevtutil.exe cl System" starts with hidden window.
    ...
  • The process "C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security" starts with hidden window.
    ...
1/5
Anti Analysis Resolves APIs dynamically to possibly evade static detection -
1/5
Process Reads from memory of another process -
  • "c:\users\eebsym5\appdata\local\temp\ilvai.exe" reads from "c:\windows\system32\lsass.exe".
    ...
1/5
Anti Analysis Delays execution -
1/5
PE Drops PE file Dropper
1/5
PE Executes dropped PE file -
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image