Analysis
- max time kernel: 214s
- max time network: 282s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25-09-2024 07:32
Behavioral tasks
- behavioral1: sample meshagent64-IC_1.exe, resource win7-20240708-en
- behavioral2: sample meshagent64-IC_1.exe, resource win10-20240404-en
- behavioral3: sample meshagent64-IC_1.exe, resource win10v2004-20240802-en
- behavioral4: sample meshagent64-IC_1.exe, resource win11-20240802-en
General
- Target: meshagent64-IC_1.exe
- Size: 3.3MB
- MD5: 3fa7db51a5671e731aa216f72fdc7549
- SHA1: f5e30b78f64aa775ec305bff20483cda805b2583
- SHA256: c51ce13312c103a59af15e620e884b3abf0d9c97f0c2f23b61091e09f1376736
- SHA512: eddc3941befe92728de552e474770c6cc581e55f8d311ac2bbda06bcaa209ab1ceb5acf13745d818b700cd60b605124bcc96e7db1069c8875833974be563fc7c
- SSDEEP: 49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Q8:hlRsZ47/QXoHUOfAoj1x68
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: wmic.exe (PID 3264) adjusted each of the following tokens twice (21 distinct tokens, 42 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: meshagent64-IC_1.exe (PID 1332) wrote to the memory of wmic.exe (PID 3264), observed twice.