Analysis
- max time kernel: 91s
- max time network: 284s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25-09-2024 07:28
Behavioral tasks
- behavioral1: sample QS1.exe, resource win7-20240903-en
- behavioral2: sample QS1.exe, resource win10-20240404-en
- behavioral3: sample QS1.exe, resource win10v2004-20240802-en
General
- Target: QS1.exe
- Size: 3.3MB
- MD5: 407da4828b3b9126d6a0b6aa25a081c4
- SHA1: 3aeee655ab024657da645f9a05b53d40c9456d76
- SHA256: a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2
- SHA512: 6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d
- SSDEEP: 49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qu:hlRsZ47/QXoHUOfAoj1x6u
Malware Config
Extracted
- Family: meshagent
- 2
- QS1
- http://mc.kaminet.eu:443/agent.ashx
- mesh_id: 0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7427AB13D0C72EA406672528F6DC79861
- server_id: A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894EE3DA91B087D9EC0AB62208B541506F6
- wss: wss://mc.kaminet.eu:443/agent.ashx
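The fields above are what the agent reads from its settings file (the MeshAgent.msh that the Program Files listing further down shows being created). The following is an added example, not code from the report or from the MeshCentral project: it parses such a file into these fields, checks the identifier shapes, and derives the network IoCs. It assumes the .msh file is a sequence of key=value lines named MeshName, MeshType, MeshID, ServerID and MeshServer, takes the report's unlabelled values 2 and QS1 to be MeshType and MeshName, and the sample text is constructed from the values listed above.

```python
"""Parse a MeshAgent settings file (.msh) and derive IoCs from it.

Added example, not code from the sandbox report or from the MeshCentral
project. Assumptions: the key=value layout below (MeshName, MeshType,
MeshID, ServerID, MeshServer) is how the agent's .msh file is laid out,
and SAMPLE_MSH is constructed from the values the report extracted.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: .msh contents rebuilt from the report's extracted config.
SAMPLE_MSH = (
    "MeshName=QS1\r\n"
    "MeshType=2\r\n"
    "MeshID=0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7"
    "427AB13D0C72EA406672528F6DC79861\r\n"
    "ServerID=A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894"
    "EE3DA91B087D9EC0AB62208B541506F6\r\n"
    "MeshServer=wss://mc.kaminet.eu:443/agent.ashx\r\n"
)

HEX96 = re.compile(r"^[0-9A-Fa-f]{96}$")  # 96 hex chars = 48 bytes (SHA-384 sized)


def parse_msh(text):
    """Return the .msh key/value pairs as a dict; blank or malformed lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def validate(cfg):
    """Check the identifier shapes seen in the report: MeshID is '0x' plus 96 hex
    characters, ServerID is 96 hex characters, MeshServer is a wss:// URL.
    Returns the list of problems found (empty when the config is well formed)."""
    problems = []
    mesh_id = cfg.get("MeshID", "")
    if not (mesh_id.startswith("0x") and HEX96.match(mesh_id[2:])):
        problems.append("MeshID is not 0x + 96 hex characters")
    if not HEX96.match(cfg.get("ServerID", "")):
        problems.append("ServerID is not 96 hex characters")
    if not cfg.get("MeshServer", "").startswith("wss://"):
        problems.append("MeshServer is not a wss:// URL")
    return problems


def network_iocs(cfg):
    """Derive host, port and both URL forms of the control server. The report
    lists the same endpoint once as wss:// and once as http://; both are the
    agent.ashx handler on the same host and port, so block or hunt on both."""
    u = urlsplit(cfg["MeshServer"])
    port = u.port or 443
    return {
        "host": u.hostname,
        "port": port,
        "wss": cfg["MeshServer"],
        "http": "http://%s:%d%s" % (u.hostname, port, u.path),
    }


if __name__ == "__main__":
    cfg = parse_msh(SAMPLE_MSH)
    print("problems:", validate(cfg))
    print("network IoCs:", network_iocs(cfg))
```

MeshAgent is legitimate remote-management software, so the agent binary's hashes are a weak indicator on their own; the pair of server host and ServerID/MeshID is what ties an installation to this particular operator's server.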
Signatures
Detects MeshAgent payload (1 IoC)
- Resource: C:\Program Files\Mesh Agent\MeshAgent.exe, YARA rule: family_meshagent
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: QS1.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " (QS1.exe)
Executes dropped EXE (1 IoC)
Processes: MeshAgent.exe
- PID 4332 MeshAgent.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (64 IoCs)
Processes: MeshAgent.exe, powershell.exe, powershell.exe, powershell.exe
- File opened for modification C:\Windows\System32\dll\gdi32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\msvcrt.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\dbghelp.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\ole32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\ucrtbase.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\win32u.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification C:\Windows\System32\kernel32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\exe\MeshService64.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\apphelp.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\09170613DE92CF6D0081016E77A16A6315F214E1 (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\combase.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\ole32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\sechost.pdb (MeshAgent.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification C:\Windows\System32\dll\combase.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\rpcrt4.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\advapi32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\comctl32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\iphlpapi.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\gdiplus.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\shell32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\gdi32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\msvcp_win.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\DLL\dbgcore.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\apphelp.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\crypt32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dbgcore.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\MeshService64.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\ntdll.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\ncrypt.pdb (MeshAgent.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\09170613DE92CF6D0081016E77A16A6315F214E1 (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\ntasn1.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\gdi32full.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\msvcrt.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb (MeshAgent.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\53778E7467E64C68F9023AFFF7BD988A7B5A895E (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\msvcp_win.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\ole32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\ntasn1.pdb (MeshAgent.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\046A31934854C4134E037FD745BFA4E0EAB0B05E (MeshAgent.exe)
- File opened for modification C:\Windows\System32\bcrypt.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification C:\Windows\System32\dll\rpcrt4.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\ucrtbase.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\ucrtbase.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dll\user32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\user32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\shell32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\dbghelp.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb (MeshAgent.exe)
- File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb (MeshAgent.exe)
Drops file in Program Files directory (6 IoCs)
Processes: MeshAgent.exe, QS1.exe
- File created C:\Program Files\Mesh Agent\MeshAgent.db (MeshAgent.exe)
- File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db.tmp (MeshAgent.exe)
- File created C:\Program Files\Mesh Agent\MeshAgent.db.tmp (MeshAgent.exe)
- File created C:\Program Files\Mesh Agent\MeshAgent.msh (MeshAgent.exe)
- File created C:\Program Files\Mesh Agent\MeshAgent.exe (QS1.exe)
- File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db (MeshAgent.exe)
Command and Scripting Interpreter: PowerShell
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe
- PID 1676 powershell.exe
- PID 5536 powershell.exe
- PID 2964 powershell.exe
- PID 5104 powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
Processes: MeshAgent.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
- Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717229898846795" (MeshAgent.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe
- PID 1676 powershell.exe (2 entries)
- PID 5536 powershell.exe (2 entries)
- PID 2964 powershell.exe (2 entries)
- PID 5104 powershell.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wmic.exe, wmic.exe
- PID 3180 wmic.exe, the following sequence recorded twice in succession: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 4168 wmic.exe: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- PID 4168 wmic.exe, second sequence: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: QS1.exe, MeshAgent.exe, cmd.exe, cmd.exe
Each parent-to-child write below is recorded twice in the report:
- PID 1148 QS1.exe wrote to memory of PID 3180 wmic.exe
- PID 1148 QS1.exe wrote to memory of PID 4452 QS1.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 4168 wmic.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 1252 wmic.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 1048 wmic.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 872 wmic.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 1996 wmic.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 2060 wmic.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 1676 powershell.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 5536 powershell.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 2964 powershell.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 5104 powershell.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 3444 cmd.exe
- PID 3444 cmd.exe wrote to memory of PID 5020 manage-bde.exe
- PID 4332 MeshAgent.exe wrote to memory of PID 2484 cmd.exe
- PID 2484 cmd.exe wrote to memory of PID 5192 manage-bde.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\QS1.exe (PID 1148), command line: "C:\Users\Admin\AppData\Local\Temp\QS1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wbem\wmic.exe (PID 3180), command line: wmic os get oslanguage /FORMAT:LIST
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\QS1.exe (PID 4452), command line: "C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall
    - Sets service image path in registry
    - Drops file in Program Files directory
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 4332), command line: "C:\Program Files\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wbem\wmic.exe (PID 4168), command line: wmic SystemEnclosure get ChassisTypes
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wbem\wmic.exe (PID 1252), command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 1048), command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\system32\wbem\wmic.exe (PID 872), command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 1996), command line: wmic SystemEnclosure get ChassisTypes
  - C:\Windows\System32\wbem\wmic.exe (PID 2060), command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1676), command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5536), command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2964), command line: powershell -noprofile -nologo -command -
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5104), command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 3444), command line: /c manage-bde -protectors -get C: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\manage-bde.exe (PID 5020), command line: manage-bde -protectors -get C: -Type recoverypassword
  - C:\Windows\system32\cmd.exe (PID 2484), command line: /c manage-bde -protectors -get F: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\manage-bde.exe (PID 5192), command line: manage-bde -protectors -get F: -Type recoverypassword
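The tree above is the behaviour a detection has to key on: the installer run with -fullinstall, the service binary MeshAgent.exe fingerprinting the host through wmic, PowerShell started with `-command -` so the script body arrives on stdin and never appears in a command line, and manage-bde reading BitLocker recovery passwords for C: and F: through a cmd.exe /c hop. The following is an added example, not code from the report: it runs these checks over constructed process-creation records with Sysmon Event ID 1 style field names (Image, CommandLine; pid and ppid are assumed names), modelled on the tree above plus one benign control in which an administrator runs the same manage-bde query from an interactive shell. It walks the parent chain so the manage-bde call is attributed to MeshAgent.exe even though its direct parent is cmd.exe.

```python
"""Detect the MeshAgent post-install chain seen in the process tree.

Added example, not code from the sandbox report. EVENTS is a constructed
record set modelled on the report's process tree; the field names follow
Sysmon Event ID 1 (Image, CommandLine) with pid/ppid added, an assumption
about the log shape rather than a real log.
"""
import re

EVENTS = [
    {"pid": 1148, "ppid": 0, "Image": r"C:\Users\Admin\AppData\Local\Temp\QS1.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\QS1.exe"'},
    {"pid": 3180, "ppid": 1148, "Image": r"C:\Windows\system32\wbem\wmic.exe",
     "CommandLine": "wmic os get oslanguage /FORMAT:LIST"},
    {"pid": 4452, "ppid": 1148, "Image": r"C:\Users\Admin\AppData\Local\Temp\QS1.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall'},
    {"pid": 4332, "ppid": 0, "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
    {"pid": 4168, "ppid": 4332, "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic SystemEnclosure get ChassisTypes"},
    {"pid": 1676, "ppid": 4332,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noprofile -nologo -command -"},
    {"pid": 3444, "ppid": 4332, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": "/c manage-bde -protectors -get C: -Type recoverypassword"},
    {"pid": 5020, "ppid": 3444, "Image": r"C:\Windows\system32\manage-bde.exe",
     "CommandLine": "manage-bde -protectors -get C: -Type recoverypassword"},
    {"pid": 2484, "ppid": 4332, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": "/c manage-bde -protectors -get F: -Type recoverypassword"},
    {"pid": 5192, "ppid": 2484, "Image": r"C:\Windows\system32\manage-bde.exe",
     "CommandLine": "manage-bde -protectors -get F: -Type recoverypassword"},
    # Benign control (constructed): an administrator's interactive shell running
    # the same query, with no MeshAgent.exe anywhere above it.
    {"pid": 7000, "ppid": 0, "Image": r"C:\Windows\system32\cmd.exe", "CommandLine": "cmd.exe"},
    {"pid": 7001, "ppid": 7000, "Image": r"C:\Windows\system32\manage-bde.exe",
     "CommandLine": "manage-bde -protectors -get C: -Type recoverypassword"},
]

RECOVERY_RE = re.compile(
    r"manage-bde\s+-protectors\s+-get\s+(?P<vol>[A-Za-z]:)\s+-type\s+recoverypassword", re.I)
STDIN_PS_RE = re.compile(r"powershell(\.exe)?\b.*\s-command\s+-\s*$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Yield image basenames of pid's parent, grandparent, ... (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield basename(cur["Image"])


def descends_from(events, pid, image_name):
    return image_name.lower() in ancestry(events, pid)


def recovery_password_reads(events):
    """(pid, volume) for each manage-bde recovery-password read that has MeshAgent.exe
    anywhere above it, including through the cmd.exe /c hop the agent uses."""
    hits = []
    for e in events:
        if basename(e["Image"]) != "manage-bde.exe":
            continue
        m = RECOVERY_RE.search(e["CommandLine"])
        if m and descends_from(events, e["pid"], "MeshAgent.exe"):
            hits.append((e["pid"], m.group("vol").upper()))
    return hits


def stdin_fed_powershell(events):
    """PIDs of powershell.exe under MeshAgent.exe started with `-command -`, i.e. the
    script body comes from stdin and command-line logging will not show it."""
    return [e["pid"] for e in events
            if basename(e["Image"]) == "powershell.exe"
            and STDIN_PS_RE.search(e["CommandLine"])
            and descends_from(events, e["pid"], "MeshAgent.exe")]


def full_install(events):
    """PIDs invoked with the agent's -fullinstall switch (service installation)."""
    return [e["pid"] for e in events
            if re.search(r"\s-fullinstall\b", e["CommandLine"], re.I)]


if __name__ == "__main__":
    print("install:", full_install(EVENTS))
    print("stdin-fed powershell:", stdin_fed_powershell(EVENTS))
    print("recovery-password reads:", recovery_password_reads(EVENTS))
```

For the stdin-fed PowerShell instances the command line is deliberately empty of content, so the script body has to be recovered from Script Block Logging (Event ID 4104) or the AMSI stream rather than from process-creation events.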
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151KB
  MD5: 0717e2bbee03d2f5184a3dfdd7954951
  SHA1: 162452e62fd2e78efc53debf803238744008069f
  SHA256: e0cc8f974f973108636dc2be1631f7cf8cd42e659081def8ef84351b58b6d544
  SHA512: 626dea9ef891b000e42afbd879a5f50b428ba9c4ed85263e86d5f36905c8b4ae62798a176513fa57bcb17b1a746cd9bfad92a596d5eb0a4917f9701e5f89179a
- Filesize: 3.3MB (same hashes as the submitted QS1.exe)
  MD5: 407da4828b3b9126d6a0b6aa25a081c4
  SHA1: 3aeee655ab024657da645f9a05b53d40c9456d76
  SHA256: a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2
  SHA512: 6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 88dc70c361a22feac57b031dd9c1f02f
  SHA1: a9b4732260c2a323750022a73480f229ce25d46d
  SHA256: 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
  SHA512: 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 1KB
  MD5: 9274c2c9a4e2973024a6a45cc59ea982
  SHA1: 9d8dc5f596e8384fd2e97f77531b83855033544b
  SHA256: 23575f692024020e1cbc6f716ca9aedb436d06f7fff1088109561374ed045d05
  SHA512: 66560f9001c15d4bde5d44a535e7e0fc153423c6af1337f1204b919535f2ec480b71b022f4101841baf1b61ea62d5714aaf860a2aa4e1899b5285ad4be7a6c75
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 1KB
  MD5: 27c89c41a1eaa307b93a14b61197b717
  SHA1: ae17aa045f1cc8875842bad7537cd4ce30c81294
  SHA256: f36e4bc274085c7afed3372be7dee8e376ef53b63955922c70077db59b1fcdb4
  SHA512: 5bc44126b73110103df9260dacacf21ecf396c8fc9bc0d9479e6b28ae8520eb258bbd98b0c3450ec099c646654e4bd4a5a4ac98fb60d1e488b0a12a4f5c70daa
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 1KB
  MD5: 36689773469dd22140cd5fb2e0fe159f
  SHA1: 37ff6fc154f5f1c2c86835d2383e1deb06415f87
  SHA256: be2185c5181d3af79bd6b6e566d923850b3ec7ec1253952fc7c7b2a97e844aa4
  SHA512: 8cd7847540bcf5e4ba3904469af1c1418730a026b4caacd279181b1e51665c205f7abf5407a24632d1c3832060967db70658ea732114d878e9adea6ff7e30281