Analysis

  • max time kernel
    120s
  • max time network
    284s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2024 07:28

General

  • Target

    QS1.exe

  • Size

    3.3MB

  • MD5

    407da4828b3b9126d6a0b6aa25a081c4

  • SHA1

    3aeee655ab024657da645f9a05b53d40c9456d76

  • SHA256

    a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2

  • SHA512

    6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d

  • SSDEEP

    49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qu:hlRsZ47/QXoHUOfAoj1x6u

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

QS1

C2

http://mc.kaminet.eu:443/agent.ashx

Attributes
  • mesh_id

    0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7427AB13D0C72EA406672528F6DC79861

  • server_id

    A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894EE3DA91B087D9EC0AB62208B541506F6

  • wss

    wss://mc.kaminet.eu:443/agent.ashx

Signatures

  • Detects MeshAgent payload (1 IoCs)
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Sets service image path in registry (2 TTPs, 1 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (13 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)

    Using powershell.exe command.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\QS1.exe
    "C:\Users\Admin\AppData\Local\Temp\QS1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Users\Admin\AppData\Local\Temp\QS1.exe
      "C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Drops file in Program Files directory
      PID:2808
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:612
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:476
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:2960
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Modifies data under HKEY_USERS
      PID:2356
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2388
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Modifies data under HKEY_USERS
      PID:2064
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:912
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2204
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Modifies data under HKEY_USERS
      PID:1508
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2304

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Mesh Agent\MeshAgent.db

    Filesize
    151KB

    MD5
    0857a7e1fdbf7f28ebac8ef50b7c729c

    SHA1
    d87df4c0c18a7c8ca1564f924da34c8102ffa551

    SHA256
    16b700459f42c6ca1bdb4ae6b2409f64529338e281eb89ea028ec12469becc18

    SHA512
    2dbd48095963e1aeb4097ed73e75dc0a7e60f758ef5dd5a210c04547dd20f47cba9134cfa485a77501bac0ccaa3c2be5cf01802e2e2dee435180908f1be38f27

  • C:\Program Files\Mesh Agent\MeshAgent.msh

    Filesize
    29KB

    MD5
    0f14c3685282f971b22ce7ede075e24d

    SHA1
    2d309772a8fd743bee66e8974836fc472631e994

    SHA256
    ae1d2b41b538e32dd5173e9452aa5aa6191d94ccc079d4d1381bc62c1fd796a8

    SHA512
    cae0baea1cfc8cfe8a9c6b4633d3f3f3fc43927a46c3e852e35d500bad39d9ba1179352876c11df1926c6b83f60aaa7d19d7aae5e927b64988f8feb878734d3c

  • \??\PIPE\srvsvc

    MD5
    d41d8cd98f00b204e9800998ecf8427e

    SHA1
    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512
    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Program Files\Mesh Agent\MeshAgent.exe

    Filesize
    3.3MB

    MD5
    407da4828b3b9126d6a0b6aa25a081c4

    SHA1
    3aeee655ab024657da645f9a05b53d40c9456d76

    SHA256
    a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2

    SHA512
    6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d

  • memory/2056-62-0x0000000000610000-0x0000000000618000-memory.dmp

    Filesize
    32KB

  • memory/2056-61-0x000000001B270000-0x000000001B552000-memory.dmp

    Filesize
    2.9MB

  • memory/2388-25-0x000000001B320000-0x000000001B602000-memory.dmp

    Filesize
    2.9MB

  • memory/2388-26-0x0000000001C10000-0x0000000001C18000-memory.dmp

    Filesize
    32KB