VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Worm
Threat Names: Olympic Destroyer, Generic.Ransom.DCRTR.985535A4, Generic.Ransom.DCRTR.7E9D987E, ...
ooolbx.exe
Windows Exe (x86-32)
Created at 2020-02-12T09:11:00
Remarks
(0x0200001E): The maximum size of extracted files was exceeded. Some files may be missing in the report.
(0x0200001D): The maximum number of extracted files was exceeded. Some files may be missing in the report.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filename | Category | Type | Severity |
---|---|---|---|
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ooolbx.exe | Sample File | Binary | Malicious |
File Reputation Information
Severity | Blacklisted |
Names | Mal/Generic-S |
PE Information
Image Base | 0x400000 |
Entry Point | 0x402722 |
Size Of Code | 0x1800 |
Size Of Initialized Data | 0x5600 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2019-03-21 20:27:07+00:00 |
Sections (5)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0x17e1 | 0x1800 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43 |
.rdata | 0x403000 | 0x4a5c | 0x4c00 | 0x1c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.88 |
.data | 0x408000 | 0x142c | 0x200 | 0x6800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.89 |
.rsrc | 0x40a000 | 0x284 | 0x400 | 0x6a00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.1 |
.reloc | 0x40b000 | 0x38e | 0x400 | 0x6e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.99 |
Imports (6)
SHLWAPI.dll (5)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
wnsprintfW | 0x0 | 0x4030e0 | 0x7550 | 0x6150 | 0x16e |
PathAddBackslashW | 0x0 | 0x4030e4 | 0x7554 | 0x6154 | 0x30 |
StrStrIW | 0x0 | 0x4030e8 | 0x7558 | 0x6158 | 0x145 |
StrCmpNW | 0x0 | 0x4030ec | 0x755c | 0x615c | 0x122 |
PathRemoveFileSpecW | 0x0 | 0x4030f0 | 0x7560 | 0x6160 | 0x8b |
MPR.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
WNetEnumResourceW | 0x0 | 0x4030c4 | 0x7534 | 0x6134 | 0x1c |
WNetOpenEnumW | 0x0 | 0x4030c8 | 0x7538 | 0x6138 | 0x3d |
WNetCloseEnum | 0x0 | 0x4030cc | 0x753c | 0x613c | 0x10 |
WININET.dll (8)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
InternetReadFile | 0x0 | 0x4030f8 | 0x7568 | 0x6168 | 0x9f |
InternetOpenW | 0x0 | 0x4030fc | 0x756c | 0x616c | 0x9a |
InternetConnectW | 0x0 | 0x403100 | 0x7570 | 0x6170 | 0x72 |
HttpSendRequestW | 0x0 | 0x403104 | 0x7574 | 0x6174 | 0x5e |
HttpOpenRequestW | 0x0 | 0x403108 | 0x7578 | 0x6178 | 0x58 |
InternetCloseHandle | 0x0 | 0x40310c | 0x757c | 0x617c | 0x6b |
InternetQueryDataAvailable | 0x0 | 0x403110 | 0x7580 | 0x6180 | 0x9b |
InternetCrackUrlW | 0x0 | 0x403114 | 0x7584 | 0x6184 | 0x74 |
KERNEL32.dll (33)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ExpandEnvironmentStringsW | 0x0 | 0x40303c | 0x74ac | 0x60ac | 0x11d |
CloseHandle | 0x0 | 0x403040 | 0x74b0 | 0x60b0 | 0x52 |
CreateThread | 0x0 | 0x403044 | 0x74b4 | 0x60b4 | 0xb5 |
GetTickCount | 0x0 | 0x403048 | 0x74b8 | 0x60b8 | 0x293 |
HeapReAlloc | 0x0 | 0x40304c | 0x74bc | 0x60bc | 0x2d2 |
HeapAlloc | 0x0 | 0x403050 | 0x74c0 | 0x60c0 | 0x2cb |
HeapFree | 0x0 | 0x403054 | 0x74c4 | 0x60c4 | 0x2cf |
GetProcessHeap | 0x0 | 0x403058 | 0x74c8 | 0x60c8 | 0x24a |
FindResourceW | 0x0 | 0x40305c | 0x74cc | 0x60cc | 0x14e |
LoadResource | 0x0 | 0x403060 | 0x74d0 | 0x60d0 | 0x341 |
SizeofResource | 0x0 | 0x403064 | 0x74d4 | 0x60d4 | 0x4b1 |
GetModuleHandleA | 0x0 | 0x403068 | 0x74d8 | 0x60d8 | 0x215 |
ExitProcess | 0x0 | 0x40306c | 0x74dc | 0x60dc | 0x119 |
FindFirstFileW | 0x0 | 0x403070 | 0x74e0 | 0x60e0 | 0x139 |
GetDriveTypeW | 0x0 | 0x403074 | 0x74e4 | 0x60e4 | 0x1d3 |
CreateProcessW | 0x0 | 0x403078 | 0x74e8 | 0x60e8 | 0xa8 |
SetFilePointerEx | 0x0 | 0x40307c | 0x74ec | 0x60ec | 0x467 |
CreateToolhelp32Snapshot | 0x0 | 0x403080 | 0x74f0 | 0x60f0 | 0xbe |
WriteFile | 0x0 | 0x403084 | 0x74f4 | 0x60f4 | 0x525 |
GetUserDefaultLangID | 0x0 | 0x403088 | 0x74f8 | 0x60f8 | 0x29c |
OpenProcess | 0x0 | 0x40308c | 0x74fc | 0x60fc | 0x380 |
CopyFileW | 0x0 | 0x403090 | 0x7500 | 0x6100 | 0x75 |
TerminateProcess | 0x0 | 0x403094 | 0x7504 | 0x6104 | 0x4c0 |
ReadFile | 0x0 | 0x403098 | 0x7508 | 0x6108 | 0x3c0 |
GetModuleFileNameW | 0x0 | 0x40309c | 0x750c | 0x610c | 0x214 |
CreateFileW | 0x0 | 0x4030a0 | 0x7510 | 0x6110 | 0x8f |
GetLastError | 0x0 | 0x4030a4 | 0x7514 | 0x6114 | 0x202 |
MoveFileW | 0x0 | 0x4030a8 | 0x7518 | 0x6118 | 0x363 |
FindClose | 0x0 | 0x4030ac | 0x751c | 0x611c | 0x12e |
WaitForMultipleObjects | 0x0 | 0x4030b0 | 0x7520 | 0x6120 | 0x4f7 |
Process32NextW | 0x0 | 0x4030b4 | 0x7524 | 0x6124 | 0x398 |
FindNextFileW | 0x0 | 0x4030b8 | 0x7528 | 0x6128 | 0x145 |
GetLogicalDrives | 0x0 | 0x4030bc | 0x752c | 0x612c | 0x209 |
ADVAPI32.dll (14)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
OpenProcessToken | 0x0 | 0x403000 | 0x7470 | 0x6070 | 0x1f7 |
CloseServiceHandle | 0x0 | 0x403004 | 0x7474 | 0x6074 | 0x57 |
CryptAcquireContextW | 0x0 | 0x403008 | 0x7478 | 0x6078 | 0xb1 |
RegSetValueExW | 0x0 | 0x40300c | 0x747c | 0x607c | 0x27e |
RegCloseKey | 0x0 | 0x403010 | 0x7480 | 0x6080 | 0x230 |
OpenServiceW | 0x0 | 0x403014 | 0x7484 | 0x6084 | 0x1fb |
GetTokenInformation | 0x0 | 0x403018 | 0x7488 | 0x6088 | 0x15a |
CryptReleaseContext | 0x0 | 0x40301c | 0x748c | 0x608c | 0xcb |
OpenSCManagerW | 0x0 | 0x403020 | 0x7490 | 0x6090 | 0x1f9 |
ControlService | 0x0 | 0x403024 | 0x7494 | 0x6094 | 0x5c |
CryptDestroyKey | 0x0 | 0x403028 | 0x7498 | 0x6098 | 0xb7 |
CryptEncrypt | 0x0 | 0x40302c | 0x749c | 0x609c | 0xba |
CryptImportKey | 0x0 | 0x403030 | 0x74a0 | 0x60a0 | 0xca |
RegOpenKeyW | 0x0 | 0x403034 | 0x74a4 | 0x60a4 | 0x264 |
SHELL32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShellExecuteW | 0x0 | 0x4030d4 | 0x7544 | 0x6144 | 0x122 |
SHGetFolderPathW | 0x0 | 0x4030d8 | 0x7548 | 0x6148 | 0xc3 |
Memory Dumps (2)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA |
---|---|---|---|---|---|---|---|---|---|
ooolbx.exe | 1 | 0x01360000 | 0x0136BFFF | Relevant Image | | 32-bit | 0x0136162C | | |
ooolbx.exe | 1 | 0x01360000 | 0x0136BFFF | Final Dump | | 32-bit | 0x01361BB5 | | |
Local AV Matches (1)
Threat Name | Severity |
---|---|
Generic.Ransom.DCRTR.985535A4 | Malicious |
YARA Matches (1)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
OlympicDestroyer_Gen1 | Olympic Destroyer destructive malware | Worm | 5/5 |
Filename | Category | Type | Severity |
---|---|---|---|
\\?\C:\Boot\BOOTSTAT.DAT_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml_4paNrg_{fiasco911@protonmail.com}SDfghjkl | Dropped File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml | Modified File | Stream | Unknown |
\\?\C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab | Modified File | Stream | Unknown |
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\parid.bin | Dropped File | Text | Unknown |
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\twU5X5u5JjqyRmBjT4Z9MFf9KNV5.hta | Dropped File | Text | Unknown |
\\?\C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Instructions with your files.txt | Dropped File | Text | Unknown |
Embedded URLs (2)
URL | First Seen | Categories | Threat Names | Reputation Status | WHOIS Data |
---|---|---|---|---|---|
https://localbitcoins.net/buy_bitcoins | - | - | - | Unknown | Not Queried |
http://www.coindesk.com/information/how-can-i-buy-bitcoins/ | - | - | - | Unknown | Not Queried |