Analysis Overview
SHA256
0088d42558db8697390fe888cc6bbb230fdcaf726069a11cc28a44595eb38f18
Threat Level: Known bad
The file Primordial.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
Modifies Windows Firewall
Drops startup file
Drops file in Windows directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 12:29
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 12:29
Reported
2024-05-28 12:30
Platform
win10-20240404-en
Max time kernel
49s
Max time network
23s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4568 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4568 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4568 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Primordial.exe
"C:\Users\Admin\AppData\Local\Temp\Primordial.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Primordial.exe" "Primordial.exe" ENABLE
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp |
Files
memory/4568-0-0x00000000734E1000-0x00000000734E2000-memory.dmp
memory/4568-1-0x00000000734E0000-0x0000000073A90000-memory.dmp
memory/4568-2-0x00000000734E0000-0x0000000073A90000-memory.dmp
memory/4568-5-0x00000000734E0000-0x0000000073A90000-memory.dmp
memory/4568-6-0x00000000734E0000-0x0000000073A90000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 12:29
Reported
2024-05-28 12:32
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3264 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3264 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3264 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\Primordial.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Primordial.exe
"C:\Users\Admin\AppData\Local\Temp\Primordial.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Primordial.exe" "Primordial.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
memory/3264-0-0x0000000074682000-0x0000000074683000-memory.dmp
memory/3264-1-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/3264-2-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/3264-6-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/3264-5-0x0000000074682000-0x0000000074683000-memory.dmp
memory/3264-7-0x0000000074680000-0x0000000074C31000-memory.dmp