Analysis

  • max time kernel
    272s
  • max time network
    281s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-09-2024 07:28

General

  • Target

    QS1.exe

  • Size

    3.3MB

  • MD5

    407da4828b3b9126d6a0b6aa25a081c4

  • SHA1

    3aeee655ab024657da645f9a05b53d40c9456d76

  • SHA256

    a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2

  • SHA512

    6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d

  • SSDEEP

    49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qu:hlRsZ47/QXoHUOfAoj1x6u

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

QS1

C2

http://mc.kaminet.eu:443/agent.ashx

Attributes
  • mesh_id

    0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7427AB13D0C72EA406672528F6DC79861

  • server_id

    A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894EE3DA91B087D9EC0AB62208B541506F6

  • wss

    wss://mc.kaminet.eu:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QS1.exe
    "C:\Users\Admin\AppData\Local\Temp\QS1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4436
    • C:\Users\Admin\AppData\Local\Temp\QS1.exe
      "C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Drops file in Program Files directory
      PID:924
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:5072
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4340
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:1912
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:4568
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:3188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1572
    • C:\Windows\system32\cmd.exe
      /c manage-bde -protectors -get C: -Type recoverypassword
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\system32\manage-bde.exe
        manage-bde -protectors -get C: -Type recoverypassword
        3⤵
        PID:4420
    • C:\Windows\system32\cmd.exe
      /c manage-bde -protectors -get F: -Type recoverypassword
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\system32\manage-bde.exe
        manage-bde -protectors -get F: -Type recoverypassword
        3⤵
        PID:3460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Mesh Agent\MeshAgent.db.tmp

    Filesize

    151KB

    MD5

    f8d15271bbace86ee8e8a3310065ac93

    SHA1

    0beb317a18787c3e574332ac0c4114f2b110517f

    SHA256

    78daeced42769d8b06e47d7257ef9cfe126e84188818e2bf3cc59ba6fabe544b

    SHA512

    b8160baa14c95a95e9e16d915f321d6c67e3bf1db02a233773ec1a3e6bb94b7fd54d2cefc8e27c31d878ccecd0ce36c0e4fd1b07fd15f4b95514a002ea36c42b

  • C:\Program Files\Mesh Agent\MeshAgent.exe

    Filesize

    3.3MB

    MD5

    407da4828b3b9126d6a0b6aa25a081c4

    SHA1

    3aeee655ab024657da645f9a05b53d40c9456d76

    SHA256

    a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2

    SHA512

    6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d

  • C:\Windows\Temp\__PSScriptPolicyTest_aouwf0fz.t4l.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    06d16fea6ab505097d16fcaa32949d47

    SHA1

    0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

    SHA256

    54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

    SHA512

    03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize

    2KB

    MD5

    2c0bdf06d302688498d4e7f9cd669ab5

    SHA1

    18186323d93499e03f737f137b4ad795eb7f470b

    SHA256

    86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

    SHA512

    f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize

    2KB

    MD5

    eb3ef0f644137e818b7f8aa2d04b3f16

    SHA1

    c4465d34bb0906aeb2f8de2774a8c81b14bb0fba

    SHA256

    197e2b4ff0068651cee86675fce5e775acb4e0b45e16c93da75eaafbb0248515

    SHA512

    5346fc1bf262fb42c901c9a51f4d7f7f0466d9e04bf3cb9e44b49b1ddd05c48b135c0196749cdb638b7c74c373f0713331aa871917ad20e6f65700bfd0ed840f

  • memory/1532-72-0x0000013FD67B0000-0x0000013FD67BA000-memory.dmp

    Filesize

    40KB

  • memory/1532-78-0x0000013FD6A00000-0x0000013FD6A0A000-memory.dmp

    Filesize

    40KB

  • memory/1532-70-0x0000013FD6850000-0x0000013FD686C000-memory.dmp

    Filesize

    112KB

  • memory/1532-71-0x0000013FD6910000-0x0000013FD69C5000-memory.dmp

    Filesize

    724KB

  • memory/1532-77-0x0000013FD69F0000-0x0000013FD69F6000-memory.dmp

    Filesize

    24KB

  • memory/1532-73-0x0000013FD69D0000-0x0000013FD69EC000-memory.dmp

    Filesize

    112KB

  • memory/1532-74-0x0000013FD6870000-0x0000013FD687A000-memory.dmp

    Filesize

    40KB

  • memory/1532-75-0x0000013FD6A10000-0x0000013FD6A2A000-memory.dmp

    Filesize

    104KB

  • memory/1532-76-0x0000013FD6880000-0x0000013FD6888000-memory.dmp

    Filesize

    32KB

  • memory/1572-122-0x000001223CB50000-0x000001223CB7A000-memory.dmp

    Filesize

    168KB

  • memory/1572-123-0x000001223CB50000-0x000001223CB74000-memory.dmp

    Filesize

    144KB

  • memory/3188-38-0x0000023871350000-0x0000023871394000-memory.dmp

    Filesize

    272KB

  • memory/3188-39-0x0000023871420000-0x0000023871496000-memory.dmp

    Filesize

    472KB

  • memory/3188-28-0x0000023870E90000-0x0000023870EB2000-memory.dmp

    Filesize

    136KB