Analysis
-
max time kernel
120s -
max time network
284s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-09-2024 07:28
Behavioral task
behavioral1
Sample
QS1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
QS1.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
QS1.exe
Resource
win10v2004-20240802-en
General
-
Target
QS1.exe
-
Size
3.3MB
-
MD5
407da4828b3b9126d6a0b6aa25a081c4
-
SHA1
3aeee655ab024657da645f9a05b53d40c9456d76
-
SHA256
a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2
-
SHA512
6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d
-
SSDEEP
49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qu:hlRsZ47/QXoHUOfAoj1x6u
Malware Config
Extracted
meshagent
2
QS1
http://mc.kaminet.eu:443/agent.ashx
-
mesh_id
0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7427AB13D0C72EA406672528F6DC79861
-
server_id
A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894EE3DA91B087D9EC0AB62208B541506F6
-
wss
wss://mc.kaminet.eu:443/agent.ashx
Signatures
-
Detects MeshAgent payload 1 IoCs
Processes:
resource yara_rule \Program Files\Mesh Agent\MeshAgent.exe family_meshagent -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
QS1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " QS1.exe -
Executes dropped EXE 3 IoCs
Processes:
MeshAgent.exeMeshAgent.exepid process 480 3028 MeshAgent.exe 1208 MeshAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 13 IoCs
Processes:
MeshAgent.exepowershell.exeMeshAgent.exeQS1.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.msh MeshAgent.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.log MeshAgent.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.exe QS1.exe File created C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2388 powershell.exe 2056 powershell.exe 1428 powershell.exe 2160 powershell.exe 2304 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 12 IoCs
Processes:
wmic.exepowershell.exeMeshAgent.exeMeshAgent.exewmic.exewmic.exewmic.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wmic.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" MeshAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" MeshAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MeshAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wmic.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MeshAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wmic.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e041b9b21c0fdb01 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wmic.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" MeshAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" MeshAgent.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2388 powershell.exe 2056 powershell.exe 1428 powershell.exe 2160 powershell.exe 2304 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2708 wmic.exe Token: SeSecurityPrivilege 2708 wmic.exe Token: SeTakeOwnershipPrivilege 2708 wmic.exe Token: SeLoadDriverPrivilege 2708 wmic.exe Token: SeSystemProfilePrivilege 2708 wmic.exe Token: SeSystemtimePrivilege 2708 wmic.exe Token: SeProfSingleProcessPrivilege 2708 wmic.exe Token: SeIncBasePriorityPrivilege 2708 wmic.exe Token: SeCreatePagefilePrivilege 2708 wmic.exe Token: SeBackupPrivilege 2708 wmic.exe Token: SeRestorePrivilege 2708 wmic.exe Token: SeShutdownPrivilege 2708 wmic.exe Token: SeDebugPrivilege 2708 wmic.exe Token: SeSystemEnvironmentPrivilege 2708 wmic.exe Token: SeRemoteShutdownPrivilege 2708 wmic.exe Token: SeUndockPrivilege 2708 wmic.exe Token: SeManageVolumePrivilege 2708 wmic.exe Token: 33 2708 wmic.exe Token: 34 2708 wmic.exe Token: 35 2708 wmic.exe Token: SeIncreaseQuotaPrivilege 2708 wmic.exe Token: SeSecurityPrivilege 2708 wmic.exe Token: SeTakeOwnershipPrivilege 2708 wmic.exe Token: SeLoadDriverPrivilege 2708 wmic.exe Token: SeSystemProfilePrivilege 2708 wmic.exe Token: SeSystemtimePrivilege 2708 wmic.exe Token: SeProfSingleProcessPrivilege 2708 wmic.exe Token: SeIncBasePriorityPrivilege 2708 wmic.exe Token: SeCreatePagefilePrivilege 2708 wmic.exe Token: SeBackupPrivilege 2708 wmic.exe Token: SeRestorePrivilege 2708 wmic.exe Token: SeShutdownPrivilege 2708 wmic.exe Token: SeDebugPrivilege 2708 wmic.exe Token: SeSystemEnvironmentPrivilege 2708 wmic.exe Token: SeRemoteShutdownPrivilege 2708 wmic.exe Token: SeUndockPrivilege 2708 wmic.exe Token: SeManageVolumePrivilege 2708 wmic.exe Token: 33 2708 wmic.exe Token: 34 2708 wmic.exe Token: 35 2708 wmic.exe Token: SeAssignPrimaryTokenPrivilege 2468 wmic.exe Token: SeIncreaseQuotaPrivilege 2468 wmic.exe Token: SeSecurityPrivilege 2468 wmic.exe Token: SeTakeOwnershipPrivilege 2468 wmic.exe Token: SeLoadDriverPrivilege 2468 wmic.exe Token: SeSystemtimePrivilege 2468 wmic.exe Token: SeBackupPrivilege 2468 wmic.exe Token: SeRestorePrivilege 2468 wmic.exe Token: SeShutdownPrivilege 2468 wmic.exe Token: SeSystemEnvironmentPrivilege 2468 wmic.exe Token: SeUndockPrivilege 2468 wmic.exe Token: SeManageVolumePrivilege 2468 wmic.exe Token: SeAssignPrimaryTokenPrivilege 2468 wmic.exe Token: SeIncreaseQuotaPrivilege 2468 wmic.exe Token: SeSecurityPrivilege 2468 wmic.exe Token: SeTakeOwnershipPrivilege 2468 wmic.exe Token: SeLoadDriverPrivilege 2468 wmic.exe Token: SeSystemtimePrivilege 2468 wmic.exe Token: SeBackupPrivilege 2468 wmic.exe Token: SeRestorePrivilege 2468 wmic.exe Token: SeShutdownPrivilege 2468 wmic.exe Token: SeSystemEnvironmentPrivilege 2468 wmic.exe Token: SeUndockPrivilege 2468 wmic.exe Token: SeManageVolumePrivilege 2468 wmic.exe -
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
QS1.exeMeshAgent.exeMeshAgent.exedescription pid process target process PID 1204 wrote to memory of 2708 1204 QS1.exe wmic.exe PID 1204 wrote to memory of 2708 1204 QS1.exe wmic.exe PID 1204 wrote to memory of 2708 1204 QS1.exe wmic.exe PID 1204 wrote to memory of 2808 1204 QS1.exe QS1.exe PID 1204 wrote to memory of 2808 1204 QS1.exe QS1.exe PID 1204 wrote to memory of 2808 1204 QS1.exe QS1.exe PID 3028 wrote to memory of 2468 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2468 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2468 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 612 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 612 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 612 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 476 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 476 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 476 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2960 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2960 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2960 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2356 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2356 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2356 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2248 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2248 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2248 3028 MeshAgent.exe wmic.exe PID 3028 wrote to memory of 2388 3028 MeshAgent.exe powershell.exe PID 3028 wrote to memory of 2388 3028 MeshAgent.exe powershell.exe PID 3028 wrote to memory of 2388 3028 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2064 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 2064 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 2064 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 912 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 912 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 912 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 2204 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 2204 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 2204 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 1508 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 1508 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 1508 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 688 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 688 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 688 1208 MeshAgent.exe wmic.exe PID 1208 wrote to memory of 2056 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2056 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2056 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 1428 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 1428 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 1428 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2160 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2160 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2160 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2304 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2304 1208 MeshAgent.exe powershell.exe PID 1208 wrote to memory of 2304 1208 MeshAgent.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\QS1.exe"C:\Users\Admin\AppData\Local\Temp\QS1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\QS1.exe"C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall2⤵
- Sets service image path in registry
- Drops file in Program Files directory
PID:2808
-
C:\Program Files\Mesh Agent\MeshAgent.exe"C:\Program Files\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2468 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:612
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:476
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:2960
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- Modifies data under HKEY_USERS
PID:2356 -
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:2248
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2388
-
C:\Program Files\Mesh Agent\MeshAgent.exe"C:\Program Files\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- Modifies data under HKEY_USERS
PID:2064 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:912
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:2204
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- Modifies data under HKEY_USERS
PID:1508 -
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:688
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2056 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1428 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2160 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD50857a7e1fdbf7f28ebac8ef50b7c729c
SHA1d87df4c0c18a7c8ca1564f924da34c8102ffa551
SHA25616b700459f42c6ca1bdb4ae6b2409f64529338e281eb89ea028ec12469becc18
SHA5122dbd48095963e1aeb4097ed73e75dc0a7e60f758ef5dd5a210c04547dd20f47cba9134cfa485a77501bac0ccaa3c2be5cf01802e2e2dee435180908f1be38f27
-
Filesize
29KB
MD50f14c3685282f971b22ce7ede075e24d
SHA12d309772a8fd743bee66e8974836fc472631e994
SHA256ae1d2b41b538e32dd5173e9452aa5aa6191d94ccc079d4d1381bc62c1fd796a8
SHA512cae0baea1cfc8cfe8a9c6b4633d3f3f3fc43927a46c3e852e35d500bad39d9ba1179352876c11df1926c6b83f60aaa7d19d7aae5e927b64988f8feb878734d3c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3.3MB
MD5407da4828b3b9126d6a0b6aa25a081c4
SHA13aeee655ab024657da645f9a05b53d40c9456d76
SHA256a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2
SHA5126f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d