Managed XDR

c-users-user-appdata-l...l-temp-inst-temp_0.tmp (OlympicDestroyer) — malware analysis report

File info

Filename
c-users-user-appdata-local-temp-inst-temp_0.tmp
File type
Microsoft Cabinet archive data, 938664 bytes, 4 files
File size
916.7 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
aae58fb57c2189630fb583e2121cbdc81f2a5edc
SHA256
468b0cf99cd4437f58b3335c1ca8a192205aca6225a627e000c4281b475b44d1
MD5
9ca90f7f27034737c12d40a33b3b7f42

Malwares

  • OlympicDestroyer

Signatures

Execution

T1059.001 powershell_through_runspace: Executes powershell script without spawning powershell.exe process
T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.001 antivm_queries_computername: Retrieves the computer name
T1480 system_default_lang_id_present: Checks the system language
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules
copies_self: Creates a copy of itself
creates_exe: Creates executable files in the file system
dns_without_resolve: DNS query without a response
process_crashed: One of the processes has failed
unexpected_exception: Unexpected exception
dotnet_suspicious_resources_names: Dotnet program has suspicious resources names
create_rpc_bindings: Creates RPC connection
require_administrator: Requests administrator privileges
has_pdb: This executable file has a PDB path
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
error_drawtext: An error occured while executing the file
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
dotnet_downloader_possible_network_problem: Dotnet program possibly has network problem

Related reports