Analysis
-
max time kernel
13s -
max time network
0s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
29-05-2024 11:32
Behavioral task
behavioral1
Sample
Primordial.exe
Resource
win7-20240419-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
Primordial.exe
Resource
win10v2004-20240508-en
5 signatures
150 seconds
General
-
Target
Primordial.exe
-
Size
93KB
-
MD5
dcc0946afc440b8b0a0c4ec24ac30db8
-
SHA1
a09b41ac539fd3f362b2ecfe5f07caabfcf7a28b
-
SHA256
0088d42558db8697390fe888cc6bbb230fdcaf726069a11cc28a44595eb38f18
-
SHA512
558d4276448a4844815c5352df8293e25c9b1d55290deae1b282268acb38a4e807b18497d5930e9413c8332ea9144e1724ed965d84f088e98d34db31b67a2fe1
-
SSDEEP
768:sY3zUnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3FsGb:vUxOx6baIa9RZj00ljEwzGi1dDVDfgS
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2444 netsh.exe -
Drops startup file 2 IoCs
Processes:
Primordial.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Primordial.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Primordial.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Primordial.exepid process 2420 Primordial.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Primordial.exedescription pid process Token: SeDebugPrivilege 2420 Primordial.exe Token: 33 2420 Primordial.exe Token: SeIncBasePriorityPrivilege 2420 Primordial.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Primordial.exedescription pid process target process PID 2420 wrote to memory of 2444 2420 Primordial.exe netsh.exe PID 2420 wrote to memory of 2444 2420 Primordial.exe netsh.exe PID 2420 wrote to memory of 2444 2420 Primordial.exe netsh.exe PID 2420 wrote to memory of 2444 2420 Primordial.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Primordial.exe"C:\Users\Admin\AppData\Local\Temp\Primordial.exe"1⤵
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Primordial.exe" "Primordial.exe" ENABLE2⤵
- Modifies Windows Firewall
PID:2444