Analysis
max time kernel: 34s
max time network: 35s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2023, 23:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample: Primordial.dll
Resource: win10v2004-20230831-en
7 signatures
150 seconds
General
Target: Primordial.dll
Size: 17.1MB
MD5: 813f69f601f2177a14e9282e14bcffa1
SHA1: 66c3b6ee63eb0852ac2dfd2e9afc1e3dc56767f8
SHA256: 8aac99035f9d59d4b903ea0792fd102ef39d613a670a5346c3aa747c1e0b9a5e
SHA512: bab6d141a151af3fa4b6e278ea43d8efced6a99f8a9279f81fb5f9deca6c35e1865b390dbcf1d34d7925f3c170965b41a129be6978107d13b052b31d914065df
SSDEEP: 3072:1lbMw6KQE0K19jxph0LR/hSMXlk4ZqKFya5XB67Tzn+Yl:145Enph0lhSMXlBXBWH+Yl
Score: 5/10
Malware Config
Signatures
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FD85EC3C-6B13-446C-99C8-556C29E83B21}.catalogItem | svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  3020 | rundll32.exe
  3020 | rundll32.exe
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4868 | 3020 | WerFault.exe | 87
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4128 wrote to memory of 3020 | 4128 | rundll32.exe | 87
  PID 4128 wrote to memory of 3020 | 4128 | rundll32.exe | 87
  PID 4128 wrote to memory of 3020 | 4128 | rundll32.exe | 87
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Primordial.dll,#1
  PID: 4128
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Primordial.dll,#1
    PID: 3020
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 580
      PID: 4868
      - Program crash
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 1172
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3020 -ip 3020
  PID: 1144