Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2024 18:28
Behavioral task: behavioral1
- Sample: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
- Resource: win7-20240903-en
General
- Target: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
- Size: 2.9MB
- MD5: 31c7fa68b69d8d229a6e9daa2949d895
- SHA1: 2f5593e25a34cbb303901bce8942a8505ba2a38f
- SHA256: 5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f
- SHA512: 7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37
- SSDEEP: 49152:JyEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPp:Jnj36pUk0TkfYiQ/p
Malware Config
Extracted: meshagent (2)
- Home: http://control.tautolo.gy:443/agent.ashx
- mesh_id: 0x18936942A3E5AE65DF8836B6EEFA3FD5DD375127CA3DA1852C2EC2DBA43786A498AA27456851B49C48A8683629B450EB
- server_id: 08C4CDB1491A60BC30D0136004508FDDA3818CAB78A02628E44948AE98F2E0A2B4D87C34CBD4C18D959886F9B49EB33A
- wss: wss://control.tautolo.gy:443/agent.ashx
Signatures

Detects MeshAgent payload (1 IoC)
- Resource: \Program Files\Mesh Agent\MeshAgent.exe (yara_rule family_meshagent)

Modifies Windows Firewall (2 TTPs, 4 IoCs)
- Processes: netsh.exe PID 2812, netsh.exe PID 2004, netsh.exe PID 2388, netsh.exe PID 1232
Sets service image path in registry (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-2872745919-2748461613-2989606286-1000\"" by 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
Executes dropped EXE (9 IoCs)
- Processes: PID 472 (no process name recorded), MeshAgent.exe PIDs 2152, 2392, 1512, 1816, 2644, 840, 2096, 2680
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (20 IoCs)
- File created: C:\Program Files\Mesh Agent\MeshAgent.exe (by 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe)
- File created: C:\Program Files\Mesh Agent\MeshAgent.db (by MeshAgent.exe)
- File created: C:\Program Files\Mesh Agent\MeshAgent.db.tmp (by MeshAgent.exe)
- File created: C:\Program Files\Mesh Agent\MeshAgent.msh (by MeshAgent.exe)
- File opened for modification: C:\Program Files\Mesh Agent\MeshAgent.db (by MeshAgent.exe, 8 events)
- File opened for modification: C:\Program Files\Mesh Agent\MeshAgent.log (by MeshAgent.exe, 7 events)
- File opened for modification: C:\Program Files\Mesh Agent\MeshAgent.db.tmp (by MeshAgent.exe, 1 event)
Event Triggered Execution: Netsh Helper DLL (1 TTP, 12 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Processes: netsh.exe (4 instances); each instance opened, queried and enumerated the values of \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (12 registry events in total)
Detects videocard installed (1 TTP, 8 IoCs)
Uses WMIC.exe to determine videocard installed.
- Processes: wmic.exe PIDs 2584, 1140, 1780, 1908, 2328, 2108, 2600, 2528
Modifies data under HKEY_USERS (8 IoCs)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (by wmic.exe, 8 events)
Suspicious behavior: EnumeratesProcesses (1 IoC)
- Processes: powershell.exe PID 2872
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- wmic.exe PID 2008 (40 IoCs; the following list of privileges was adjusted twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- powershell.exe PID 2872 (1 IoC): SeDebugPrivilege
- wmic.exe PID 2232 (23 IoCs; the following list was adjusted twice, the second pass ending at SeUndockPrivilege): SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child pair below was recorded three times unless noted otherwise.
- 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 1352) wrote to wmic.exe (PID 2008)
- 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 1352) wrote to 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 2740)
- 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 2740) wrote to powershell.exe (PID 2872)
- 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 2740) wrote to cmd.exe (PID 2960)
- cmd.exe (PID 2960) wrote to netsh.exe (PID 2812)
- 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 2740) wrote to cmd.exe (PID 2600)
- cmd.exe (PID 2600) wrote to netsh.exe (PID 2004)
- 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 2740) wrote to cmd.exe (PID 2176)
- cmd.exe (PID 2176) wrote to netsh.exe (PID 2388)
- 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 2740) wrote to cmd.exe (PID 1140)
- cmd.exe (PID 1140) wrote to netsh.exe (PID 1232)
- MeshAgent.exe (PID 2152) wrote to wmic.exe PIDs 2232, 2012, 2536, 264, 2024, 2236, 924, 2468, 2328, 1656 (three times each) and wmic.exe PID 1416 (once)
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 1352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wbem\wmic.exe (PID 2008)
    Command line: wmic os get oslanguage /FORMAT:LIST
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe (PID 2740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe" -fullinstall
    Signatures: Sets service image path in registry; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2872)
      Command line: /C "Get-Module -ListAvailable -Name netsecurity"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 2960)
      Command line: /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {bc4bdb64-9a42-468e-187b-26cca97e60b0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 2812)
        Command line: netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {bc4bdb64-9a42-468e-187b-26cca97e60b0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\System32\cmd.exe (PID 2600)
      Command line: /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {98afc8fe-3de8-4884-0f74-47a4e09bbbfe}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 2004)
        Command line: netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {98afc8fe-3de8-4884-0f74-47a4e09bbbfe}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\System32\cmd.exe (PID 2176)
      Command line: /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {6fa4648c-92fe-4381-68cf-6e696df0ff72}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 2388)
        Command line: netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {6fa4648c-92fe-4381-68cf-6e696df0ff72}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\System32\cmd.exe (PID 1140)
      Command line: /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {8b16b0cf-e26f-4291-35ec-2c85bd13565e}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 1232)
        Command line: netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {8b16b0cf-e26f-4291-35ec-2c85bd13565e}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 2152)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wbem\wmic.exe (PID 2232)
    Command line: wmic bios get /VALUE
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\wbem\wmic.exe (PID 2012)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 2536)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 264)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 2024)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2236)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 924)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2468)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2328)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 1656)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1416)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 2476)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 2392)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\System32\wbem\wmic.exe (PID 1904)
    Command line: wmic bios get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 2960)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 2620)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 2176)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 488)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2872)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2992)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2908)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2108)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 1620)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2944)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 1016)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 1512)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\System32\wbem\wmic.exe (PID 1688)
    Command line: wmic bios get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 1572)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 552)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 1916)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 3048)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1520)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2156)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2656)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2600)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 2188)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1436)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 2856)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 1816)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\System32\wbem\wmic.exe (PID 1996)
    Command line: wmic bios get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 2012)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 1972)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 836)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 1340)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1716)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1936)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1900)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2528)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 1772)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1560)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 1492)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 2644)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\System32\wbem\wmic.exe (PID 2904)
    Command line: wmic bios get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 1828)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 1552)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 2852)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 2704)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 3016)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1208)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2908)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2584)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 2780)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2808)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 1956)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 840)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\System32\wbem\wmic.exe (PID 2060)
    Command line: wmic bios get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 1888)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 1480)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 1784)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 2568)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2452)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 604)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2220)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1140)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 2920)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2956)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 2628)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 2096)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\System32\wbem\wmic.exe (PID 1188)
    Command line: wmic bios get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 2944)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 836)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 2252)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 1940)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2796)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1268)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2368)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1780)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 2360)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2408)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 1520)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
- C:\Program Files\Mesh Agent\MeshAgent.exe (PID 2680)
  Command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
  Signatures: Executes dropped EXE; Drops file in Program Files directory
  - C:\Windows\System32\wbem\wmic.exe (PID 1804)
    Command line: wmic bios get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 2616)
    Command line: wmic BASEBOARD get /VALUE
  - C:\Windows\System32\wbem\wmic.exe (PID 2600)
    Command line: wmic CSProduct get /VALUE
  - C:\Windows\system32\wbem\wmic.exe (PID 1932)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 2852)
    Command line: wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1248)
    Command line: wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2532)
    Command line: wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2336)
    Command line: wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 1908)
    Command line: wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    Signatures: Detects videocard installed
  - C:\Windows\System32\wbem\wmic.exe (PID 1972)
    Command line: wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\wbem\wmic.exe (PID 2520)
    Command line: wmic SystemEnclosure get ChassisTypes
    Signatures: Modifies data under HKEY_USERS
  - C:\Windows\System32\wbem\wmic.exe (PID 956)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads