Analysis
-
max time kernel
272s -
max time network
281s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2024 07:28
Behavioral task
behavioral1
Sample
QS1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
QS1.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
QS1.exe
Resource
win10v2004-20240802-en
General
-
Target
QS1.exe
-
Size
3.3MB
-
MD5
407da4828b3b9126d6a0b6aa25a081c4
-
SHA1
3aeee655ab024657da645f9a05b53d40c9456d76
-
SHA256
a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2
-
SHA512
6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d
-
SSDEEP
49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qu:hlRsZ47/QXoHUOfAoj1x6u
Malware Config
Extracted
meshagent
2
QS1
http://mc.kaminet.eu:443/agent.ashx
-
mesh_id
0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7427AB13D0C72EA406672528F6DC79861
-
server_id
A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894EE3DA91B087D9EC0AB62208B541506F6
-
wss
wss://mc.kaminet.eu:443/agent.ashx
Signatures
-
Detects MeshAgent payload 1 IoCs
Processes:
resource yara_rule C:\Program Files\Mesh Agent\MeshAgent.exe family_meshagent -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
QS1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " QS1.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
QS1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation QS1.exe -
Executes dropped EXE 1 IoCs
Processes:
MeshAgent.exepid process 740 MeshAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 64 IoCs
Processes:
MeshAgent.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\System32\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ntdll.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\user32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\ole32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\combase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\shcore.pdb MeshAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\symbols\dll\apphelp.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb MeshAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\symbols\dll\user32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\combase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dbghelp.pdb MeshAgent.exe File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\kernelbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\gdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\ws2_32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\rpcrt4.pdb MeshAgent.exe File opened for modification C:\Windows\System32\exe\MeshService64.pdb MeshAgent.exe File opened for modification C:\Windows\System32\kernelbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\combase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\System32\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\DLL\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\exe\MeshService64.pdb MeshAgent.exe File opened for modification C:\Windows\System32\apphelp.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\win32u.pdb MeshAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\332344099BFB44C83A7737B30C276CADB4C4698C MeshAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\dll\rpcrt4.pdb MeshAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys MeshAgent.exe File opened for modification C:\Windows\System32\dll\ole32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\bcryptprimitives.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\apphelp.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ws2_32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\rpcrt4.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\shcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\gdi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ntasn1.pdb MeshAgent.exe -
Drops file in Program Files directory 6 IoCs
Processes:
MeshAgent.exeQS1.exedescription ioc process File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.msh MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.exe QS1.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1532 powershell.exe 4116 powershell.exe 1572 powershell.exe 3188 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeMeshAgent.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MeshAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MeshAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717229876064941" MeshAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3188 powershell.exe 3188 powershell.exe 1532 powershell.exe 1532 powershell.exe 4116 powershell.exe 4116 powershell.exe 1572 powershell.exe 1572 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 4436 wmic.exe Token: SeSecurityPrivilege 4436 wmic.exe Token: SeTakeOwnershipPrivilege 4436 wmic.exe Token: SeLoadDriverPrivilege 4436 wmic.exe Token: SeSystemProfilePrivilege 4436 wmic.exe Token: SeSystemtimePrivilege 4436 wmic.exe Token: SeProfSingleProcessPrivilege 4436 wmic.exe Token: SeIncBasePriorityPrivilege 4436 wmic.exe Token: SeCreatePagefilePrivilege 4436 wmic.exe Token: SeBackupPrivilege 4436 wmic.exe Token: SeRestorePrivilege 4436 wmic.exe Token: SeShutdownPrivilege 4436 wmic.exe Token: SeDebugPrivilege 4436 wmic.exe Token: SeSystemEnvironmentPrivilege 4436 wmic.exe Token: SeRemoteShutdownPrivilege 4436 wmic.exe Token: SeUndockPrivilege 4436 wmic.exe Token: SeManageVolumePrivilege 4436 wmic.exe Token: 33 4436 wmic.exe Token: 34 4436 wmic.exe Token: 35 4436 wmic.exe Token: 36 4436 wmic.exe Token: SeIncreaseQuotaPrivilege 4436 wmic.exe Token: SeSecurityPrivilege 4436 wmic.exe Token: SeTakeOwnershipPrivilege 4436 wmic.exe Token: SeLoadDriverPrivilege 4436 wmic.exe Token: SeSystemProfilePrivilege 4436 wmic.exe Token: SeSystemtimePrivilege 4436 wmic.exe Token: SeProfSingleProcessPrivilege 4436 wmic.exe Token: SeIncBasePriorityPrivilege 4436 wmic.exe Token: SeCreatePagefilePrivilege 4436 wmic.exe Token: SeBackupPrivilege 4436 wmic.exe Token: SeRestorePrivilege 4436 wmic.exe Token: SeShutdownPrivilege 4436 wmic.exe Token: SeDebugPrivilege 4436 wmic.exe Token: SeSystemEnvironmentPrivilege 4436 wmic.exe Token: SeRemoteShutdownPrivilege 4436 wmic.exe Token: SeUndockPrivilege 4436 wmic.exe Token: SeManageVolumePrivilege 4436 wmic.exe Token: 33 4436 wmic.exe Token: 34 4436 wmic.exe Token: 35 4436 wmic.exe Token: 36 4436 wmic.exe Token: SeAssignPrimaryTokenPrivilege 2692 wmic.exe Token: SeIncreaseQuotaPrivilege 2692 wmic.exe Token: SeSecurityPrivilege 2692 wmic.exe Token: SeTakeOwnershipPrivilege 2692 wmic.exe Token: SeLoadDriverPrivilege 2692 wmic.exe Token: SeSystemtimePrivilege 2692 wmic.exe Token: SeBackupPrivilege 2692 wmic.exe Token: SeRestorePrivilege 2692 wmic.exe Token: SeShutdownPrivilege 2692 wmic.exe Token: SeSystemEnvironmentPrivilege 2692 wmic.exe Token: SeUndockPrivilege 2692 wmic.exe Token: SeManageVolumePrivilege 2692 wmic.exe Token: SeAssignPrimaryTokenPrivilege 2692 wmic.exe Token: SeIncreaseQuotaPrivilege 2692 wmic.exe Token: SeSecurityPrivilege 2692 wmic.exe Token: SeTakeOwnershipPrivilege 2692 wmic.exe Token: SeLoadDriverPrivilege 2692 wmic.exe Token: SeSystemtimePrivilege 2692 wmic.exe Token: SeBackupPrivilege 2692 wmic.exe Token: SeRestorePrivilege 2692 wmic.exe Token: SeShutdownPrivilege 2692 wmic.exe Token: SeSystemEnvironmentPrivilege 2692 wmic.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
QS1.exeMeshAgent.execmd.execmd.exedescription pid process target process PID 2560 wrote to memory of 4436 2560 QS1.exe wmic.exe PID 2560 wrote to memory of 4436 2560 QS1.exe wmic.exe PID 2560 wrote to memory of 924 2560 QS1.exe QS1.exe PID 2560 wrote to memory of 924 2560 QS1.exe QS1.exe PID 740 wrote to memory of 2692 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 2692 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 5072 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 5072 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 4340 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 4340 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 1912 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 1912 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 4568 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 4568 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 2384 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 2384 740 MeshAgent.exe wmic.exe PID 740 wrote to memory of 3188 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 3188 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 1532 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 1532 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 4116 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 4116 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 1572 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 1572 740 MeshAgent.exe powershell.exe PID 740 wrote to memory of 2148 740 MeshAgent.exe cmd.exe PID 740 wrote to memory of 2148 740 MeshAgent.exe cmd.exe PID 2148 wrote to memory of 4420 2148 cmd.exe manage-bde.exe PID 2148 wrote to memory of 4420 2148 cmd.exe manage-bde.exe PID 740 wrote to memory of 4792 740 MeshAgent.exe cmd.exe PID 740 wrote to memory of 4792 740 MeshAgent.exe cmd.exe PID 4792 wrote to memory of 3460 4792 cmd.exe manage-bde.exe PID 4792 wrote to memory of 3460 4792 cmd.exe manage-bde.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\QS1.exe"C:\Users\Admin\AppData\Local\Temp\QS1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\QS1.exe"C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall2⤵
- Sets service image path in registry
- Drops file in Program Files directory
PID:924
-
C:\Program Files\Mesh Agent\MeshAgent.exe"C:\Program Files\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:5072
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:4340
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:1912
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:4568
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:2384
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3188 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1532 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1572 -
C:\Windows\system32\cmd.exe/c manage-bde -protectors -get C: -Type recoverypassword2⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\system32\manage-bde.exemanage-bde -protectors -get C: -Type recoverypassword3⤵PID:4420
-
C:\Windows\system32\cmd.exe/c manage-bde -protectors -get F: -Type recoverypassword2⤵
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\system32\manage-bde.exemanage-bde -protectors -get F: -Type recoverypassword3⤵PID:3460
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD5f8d15271bbace86ee8e8a3310065ac93
SHA10beb317a18787c3e574332ac0c4114f2b110517f
SHA25678daeced42769d8b06e47d7257ef9cfe126e84188818e2bf3cc59ba6fabe544b
SHA512b8160baa14c95a95e9e16d915f321d6c67e3bf1db02a233773ec1a3e6bb94b7fd54d2cefc8e27c31d878ccecd0ce36c0e4fd1b07fd15f4b95514a002ea36c42b
-
Filesize
3.3MB
MD5407da4828b3b9126d6a0b6aa25a081c4
SHA13aeee655ab024657da645f9a05b53d40c9456d76
SHA256a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2
SHA5126f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize3KB
MD506d16fea6ab505097d16fcaa32949d47
SHA10c1c719831fa41cd102d0d72d61c0f46ec5b8de8
SHA25654e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723
SHA51203c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize2KB
MD52c0bdf06d302688498d4e7f9cd669ab5
SHA118186323d93499e03f737f137b4ad795eb7f470b
SHA25686cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6
SHA512f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize2KB
MD5eb3ef0f644137e818b7f8aa2d04b3f16
SHA1c4465d34bb0906aeb2f8de2774a8c81b14bb0fba
SHA256197e2b4ff0068651cee86675fce5e775acb4e0b45e16c93da75eaafbb0248515
SHA5125346fc1bf262fb42c901c9a51f4d7f7f0466d9e04bf3cb9e44b49b1ddd05c48b135c0196749cdb638b7c74c373f0713331aa871917ad20e6f65700bfd0ed840f