Analysis
- max time kernel: 49s
- max time network: 23s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28-05-2024 12:29
Behavioral tasks
- behavioral1: Sample Primordial.exe, Resource win10-20240404-en
- behavioral2: Sample Primordial.exe, Resource win10v2004-20240508-en
General
- Target: Primordial.exe
- Size: 93KB
- MD5: dcc0946afc440b8b0a0c4ec24ac30db8
- SHA1: a09b41ac539fd3f362b2ecfe5f07caabfcf7a28b
- SHA256: 0088d42558db8697390fe888cc6bbb230fdcaf726069a11cc28a44595eb38f18
- SHA512: 558d4276448a4844815c5352df8293e25c9b1d55290deae1b282268acb38a4e807b18497d5930e9413c8332ea9144e1724ed965d84f088e98d34db31b67a2fe1
- SSDEEP: 768:sY3zUnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3FsGb:vUxOx6baIa9RZj00ljEwzGi1dDVDfgS
Malware Config
Signatures
-
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  The sample spawns netsh.exe with the legacy "netsh firewall add allowedprogram" syntax. Windows 10 still accepts this context (with a deprecation notice pointing to "netsh advfirewall firewall"), and the command adds an inbound allow exception for the sample's own executable.
  Processes:
    pid   process
    3684  netsh.exe
- Drops startup file (2 IoCs)
  Processes:
    process         description                   ioc
    Primordial.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
    Primordial.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  Note the vendor-like file name, which blends in with legitimate entries in the per-user Startup folder.
- Drops file in Windows directory (2 IoCs)
  Processes:
    process      description   ioc
    taskmgr.exe  File created  C:\Windows\rescache\_merged\4183903823\2290032291.pri
    taskmgr.exe  File created  C:\Windows\rescache\_merged\1601268389\715946058.pri
  Both files are written by taskmgr.exe (PID 4276), not by the sample.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments. In this run, however, the reader is taskmgr.exe (PID 4276), which the process tree shows was started on its own ("taskmgr.exe" /4) rather than by the sample, so these reads are not evidence of sandbox detection by Primordial.exe.
  Processes:
    process      description        ioc
    taskmgr.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000
    taskmgr.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
    taskmgr.exe  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid   process
    4276  taskmgr.exe   (15 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    4568  Primordial.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (in order of first occurrence; repeated rows collapsed):
    description                        pid   process
    Token: SeDebugPrivilege            4568  Primordial.exe
    Token: 33                          4568  Primordial.exe   (6 times, each followed by the next row)
    Token: SeIncBasePriorityPrivilege  4568  Primordial.exe   (6 times)
    Token: SeDebugPrivilege            4276  taskmgr.exe
    Token: SeSystemProfilePrivilege    4276  taskmgr.exe
    Token: SeCreateGlobalPrivilege     4276  taskmgr.exe
    Token: 33                          4276  taskmgr.exe
    Token: SeIncBasePriorityPrivilege  4276  taskmgr.exe
  Privilege 33 is the LUID of SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE), listed here only by number. The entry worth attention is SeDebugPrivilege requested by the sample itself (PID 4568); the taskmgr.exe rows are what Task Manager normally enables for its own process enumeration.
- Suspicious use of FindShellTrayWindow (42 IoCs)
  Processes:
    pid   process
    4276  taskmgr.exe   (42 identical entries)
- Suspicious use of SendNotifyMessage (41 IoCs)
  Processes:
    pid   process
    4276  taskmgr.exe   (41 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process         target process
    PID 4568 wrote to memory of 3684  4568  Primordial.exe  netsh.exe   (3 identical entries)
  The target is the netsh.exe child that the sample itself spawned (see the process tree), not a foreign process, so on its own this does not indicate injection into another program.
Processes
- C:\Users\Admin\AppData\Local\Temp\Primordial.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Primordial.exe"
  PID: 4568
  - Drops startup file
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\netsh.exe
     Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Primordial.exe" "Primordial.exe" ENABLE
     PID: 3684
     - Modifies Windows Firewall
     (The SysWOW64 copy of netsh.exe is resolved because the parent is subject to WOW64 file-system redirection, i.e. the sample runs as a 32-bit process.)
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4276
  (Started independently of the sample; the signatures below reflect Task Manager's own behaviour.)
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
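The two behaviours attributable to the sample in the signatures above (the netsh program exception and the startup-folder drop, using the command line and paths from the process tree) expressed as detection logic over Sysmon-style process-create and file-create events. This is an added example written for this page, not code from the sandbox or from the sample. The event dictionaries, the user-writable-path heuristic, the benign contrast rows and the ATT&CK mapping (T1562.004 for the firewall exception, T1547.001 for the Startup folder entry) are the editor's choices; the first two events copy the PIDs, paths and command line from the report, the last two are constructed.

```python
"""Flag the netsh program exception and the startup-folder drop seen in the report
in Sysmon-style events. Added example, not sandbox or sample code; the path
heuristics and the ATT&CK technique IDs are the editor's own mapping."""
import re

# Locations a standard user can write to. A binary living here that opens a
# firewall hole for itself or plants a startup entry deserves far more
# suspicion than the same action from Program Files or System32.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp|users\\public)\\",
    re.IGNORECASE,
)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Legacy "netsh firewall add allowedprogram <path> ..." (the form in the report)
# and the current "netsh advfirewall firewall add rule ... program=<path>" form.
NETSH_ALLOWEDPROGRAM = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.IGNORECASE)
NETSH_ADV_PROGRAM = re.compile(r'\bprogram=(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1")

# Constructed events. The first two reproduce the PIDs, paths and command line
# from the report; the last two are made-up benign rows for contrast.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 3684, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Primordial.exe" "Primordial.exe" ENABLE',
     "parent_pid": 4568, "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Primordial.exe"},
    {"event": "FileCreate", "pid": 4568, "image": r"C:\Users\Admin\AppData\Local\Temp\Primordial.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"},
    {"event": "ProcessCreate", "pid": 5100, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="SSH" dir=in action=allow protocol=TCP localport=22',
     "parent_pid": 5000, "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"event": "FileCreate", "pid": 6000, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Agent.lnk"},
]


def _path_from(m):
    """Return the quoted or bare path captured by one of the netsh regexes."""
    return m.group("q") or m.group("u")


def check_netsh(ev):
    """T1562.004: netsh adding a program exception for a binary in a user-writable path,
    or launched by a parent that lives in one."""
    if ev["event"] != "ProcessCreate" or not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    m = NETSH_ALLOWEDPROGRAM.search(ev["cmdline"]) or NETSH_ADV_PROGRAM.search(ev["cmdline"])
    if m is None:
        return None  # port/protocol rule or an unrelated netsh context
    prog = _path_from(m)
    if not (USER_WRITABLE.search(prog) or USER_WRITABLE.search(ev["parent_image"])):
        return None
    return {"technique": "T1562.004", "pid": ev["pid"], "parent_pid": ev["parent_pid"],
            "program": prog}


def check_startup_drop(ev):
    """T1547.001: a file landing in a Startup folder, written by an untrusted-location
    process or being directly executable rather than a shortcut."""
    if ev["event"] != "FileCreate" or not STARTUP_DIR.search(ev["target"]):
        return None
    writer_untrusted = bool(USER_WRITABLE.search(ev["image"]))
    is_executable = ev["target"].lower().endswith(EXEC_EXT)
    if not (writer_untrusted or is_executable):
        return None
    return {"technique": "T1547.001", "pid": ev["pid"], "writer": ev["image"],
            "target": ev["target"]}


def scan(events):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in (check_netsh, check_startup_drop):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields exactly two findings, both tied to PID 4568's activity; the hand-typed port rule and the installer's .lnk from Program Files pass through. On a real host the same two checks map onto Sysmon event IDs 1 (process create) and 11 (file create), and the parent-in-Temp condition is what separates this sample's netsh call from an administrator's.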