Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2024 18:28

General

  • Target

    2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe

  • Size

    2.9MB

  • MD5

    31c7fa68b69d8d229a6e9daa2949d895

  • SHA1

    2f5593e25a34cbb303901bce8942a8505ba2a38f

  • SHA256

    5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f

  • SHA512

    7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37

  • SSDEEP

    49152:JyEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPp:Jnj36pUk0TkfYiQ/p

Malware Config

Extracted

  • Family
    meshagent
  • Version
    2
  • Botnet
    Home
  • C2
    http://control.tautolo.gy:443/agent.ashx

Attributes
  • mesh_id
    0x18936942A3E5AE65DF8836B6EEFA3FD5DD375127CA3DA1852C2EC2DBA43786A498AA27456851B49C48A8683629B450EB
  • server_id
    08C4CDB1491A60BC30D0136004508FDDA3818CAB78A02628E44948AE98F2E0A2B4D87C34CBD4C18D959886F9B49EB33A
  • wss
    wss://control.tautolo.gy:443/agent.ashx

Signatures

  • Detects MeshAgent payload 2 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies data under HKEY_USERS 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4664
    • C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        /C "Get-Module -ListAvailable -Name netsecurity"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2008
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-4050598569-1597076380-177084960-1000"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Windows\System32\wbem\wmic.exe
      wmic bios get /VALUE
      2⤵
      PID:3648
    • C:\Windows\System32\wbem\wmic.exe
      wmic BASEBOARD get /VALUE
      2⤵
      PID:2812
    • C:\Windows\System32\wbem\wmic.exe
      wmic CSProduct get /VALUE
      2⤵
      PID:4056
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:4296
    • C:\Windows\System32\wbem\wmic.exe
      wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:216
    • C:\Windows\System32\wbem\wmic.exe
      wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4180
    • C:\Windows\System32\wbem\wmic.exe
      wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1516
    • C:\Windows\System32\wbem\wmic.exe
      wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:3664
    • C:\Windows\System32\wbem\wmic.exe
      wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Detects videocard installed
      PID:5112
    • C:\Windows\System32\wbem\wmic.exe
      wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4920
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:2672
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1532
    • C:\Windows\system32\cmd.exe
      cmd /C wmic service "Mesh Agent" call stopservice & "C:\Program Files\Mesh Agent\MeshAgent.update.exe" -b64exec dHJ5CnsKICAgIHZhciBzZXJ2aWNlTG9jYXRpb24gPSBwcm9jZXNzLmFyZ3YucG9wKCk7CiAgICByZXF1aXJlKCdwcm9jZXNzLW1hbmFnZXInKS5lbnVtZXJhdGVQcm9jZXNzZXMoKS50aGVuKGZ1bmN0aW9uIChwcm9jKQogICAgewogICAgICAgIGZvciAodmFyIHAgaW4gcHJvYykKICAgICAgICB7CiAgICAgICAgICAgIGlmIChwcm9jW3BdLnBhdGggPT0gc2VydmljZUxvY2F0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwcm9jZXNzLmtpbGwocHJvY1twXS5waWQpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHByb2Nlc3MuZXhpdCgpOwogICAgfSk7Cn0KY2F0Y2goZSkKewogICAgcHJvY2Vzcy5leGl0KCk7Cn0= "C:\Program Files\Mesh Agent\MeshAgent.exe" & copy "C:\Program Files\Mesh Agent\MeshAgent.update.exe" "C:\Program Files\Mesh Agent\MeshAgent.exe" & wmic service "Mesh Agent" call startservice & erase "C:\Program Files\Mesh Agent\MeshAgent.update.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic service "Mesh Agent" call stopservice
        3⤵
        PID:4068
      • C:\Program Files\Mesh Agent\MeshAgent.update.exe
        "C:\Program Files\Mesh Agent\MeshAgent.update.exe" -b64exec dHJ5CnsKICAgIHZhciBzZXJ2aWNlTG9jYXRpb24gPSBwcm9jZXNzLmFyZ3YucG9wKCk7CiAgICByZXF1aXJlKCdwcm9jZXNzLW1hbmFnZXInKS5lbnVtZXJhdGVQcm9jZXNzZXMoKS50aGVuKGZ1bmN0aW9uIChwcm9jKQogICAgewogICAgICAgIGZvciAodmFyIHAgaW4gcHJvYykKICAgICAgICB7CiAgICAgICAgICAgIGlmIChwcm9jW3BdLnBhdGggPT0gc2VydmljZUxvY2F0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwcm9jZXNzLmtpbGwocHJvY1twXS5waWQpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHByb2Nlc3MuZXhpdCgpOwogICAgfSk7Cn0KY2F0Y2goZSkKewogICAgcHJvY2Vzcy5leGl0KCk7Cn0= "C:\Program Files\Mesh Agent\MeshAgent.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:4384
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic service "Mesh Agent" call startservice
        3⤵
        PID:5084
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-4050598569-1597076380-177084960-1000"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:3144
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:4984
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2156
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:408
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:236
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2300

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Mesh Agent\MeshAgent.db
    Filesize: 28KB
    MD5: 598e7761af3c3e51c1e97c6c0ef90b10
    SHA1: 79339d6e8e403d7be70c4dbd34ce9cdb032058fd
    SHA256: c6f98d199b63b10fd72841110d4af749a19fb4cb5d50edeb42e92ce94fbd5606
    SHA512: 8f1e33acddaa54d1270dfa9e2b8f8437184ad9bf6a2cba3c8325deeee335cf6ac3630c2fb5a102285f092a780652fe8942fc815b2822ec0fb0b9223c108d4d57

  • C:\Program Files\Mesh Agent\MeshAgent.db.tmp
    Filesize: 133KB
    MD5: 956d0a651036d77e4020a1a465437dea
    SHA1: dca45d94263d43240a5f05992b609fd6ae0e514e
    SHA256: 5186a5c1707a0d977942d3d124a01e407ba21cb6482aea5ba887195a85e176d3
    SHA512: ef95d460330f091e3263372400e4ae6d488fa9bb811b827199e98d2284088b0a4a88910878117c3578931c8bf8ac67bcd8db277519363becd0232ae5b0083282

  • C:\Program Files\Mesh Agent\MeshAgent.exe
    Filesize: 2.9MB
    MD5: 31c7fa68b69d8d229a6e9daa2949d895
    SHA1: 2f5593e25a34cbb303901bce8942a8505ba2a38f
    SHA256: 5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f
    SHA512: 7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37

  • C:\Program Files\Mesh Agent\MeshAgent.msh
    Filesize: 24KB
    MD5: c2caa0b051fe5f485fae1bf815d6960d
    SHA1: f18e3e88b6740a063e4118a443c1a27944d355c8
    SHA256: 4ae4265e705bd540cfd10e978b64d112cc74aa3fc3120a2391741250988572fa
    SHA512: 9f4859e250ad06a2eaef94acf099209231c622a398b9999806f2b6735fd5abad933dc900788c583ce082c26e4aa5741eb050b3e537f6276055fc6612a1162a34

  • C:\Program Files\Mesh Agent\MeshAgent.update.exe
    Filesize: 319KB
    MD5: cc990bd595f607cf8b9fd686524913ce
    SHA1: 0859e146238b48ce64da2307c9c4cb7b9d1123d2
    SHA256: 0e9a4e62e5d0c1809d21e4d9708aca61a4285025347dd0c8b6ed02a1ac063cd8
    SHA512: 091ec6bbdee7e34b4bd13bf4d7bf81ec4fe36ea0a50687ab5298c1fe88c7328da09411c56d4e451405b4c074f24889ed6449a37b96f22c2a68076144b34f0633

  • C:\Program Files\Mesh Agent\MeshAgent.update.exe
    Filesize: 3.3MB
    MD5: d63d1f77d0bbaacb826330b6c7ec87b2
    SHA1: 2127974e685725237ae5e3ca5a720e529f893a1b
    SHA256: 8993d212be2993fb5742fe3f253e002e41ecd40a736ffb483fe3e2cccf5dbcb6
    SHA512: 44be62bd8d424ca76a958bc574aa8a77517e351dd7ad0a5475d57e24ea5dac8a67f68bbc49201f790ba6a8965ff9e628245557e218c1c0defc8565cd83b8e797

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: b5f63423f55e96fabcd1b186b27ce0c4
    SHA1: 581b488265a2f159836409853f4b97eb5941bd48
    SHA256: 451cd58d101dc6219943589eedc0789ff95f35be417f63555ebde5d354e7c11a
    SHA512: f1e9873c6c88964035589f1dbfa28bff55315a66d471e69332f96c837855252187b719d5660baee2d5e3bb5d86b8c42e54826546b6e0d949010a6c7d2facadeb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 64B
    MD5: 1a11402783a8686e08f8fa987dd07bca
    SHA1: 580df3865059f4e2d8be10644590317336d146ce
    SHA256: 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
    SHA512: 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: fc08d9efbf45b4045fdf2cfc507ddceb
    SHA1: 7a1095765f0b9ed6a04afeb084f4e78cc25aed5c
    SHA256: b11437cfbe0773154d082440842d8754f31a0ff920b86a1c518cefbe9e0bc92e
    SHA512: 2f765d087a043d05720445383409bbab5f2a17f46c10257589a94a8dfa22e5888692879d25df2e78192e6a226ad3c44921689104a3e40f2a45ffe2cc0ba10571

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 4b50e76049fec4d6f2aaff1b49521c2f
    SHA1: 4cc854f1ed8f94067b742271cb69ffefc8355cd7
    SHA256: 752054e3c44795d033e05aae7a251dd48ff6bccb524c6884994bebf53c08620c
    SHA512: 836749249b39f8d335dcc4103b5587340b5b2a5f3c84db91d307a90e1fb622b02d8dd903b76ecc274c68d48fda75247284c4b571d081daeae57b634c5e40a1a8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: afd0a743508cdc5ba7d3c45e8be63316
    SHA1: 7ad41e8c15174e65c3d4905b44fa2639d9867c6d
    SHA256: c0c04903981b71444d4928eb46610d58b798d4190cd25666cb614c5789236294
    SHA512: 05cc5945fe0015ab6feaa32c1059c310bc0ade51a90aa6e03af7192b9807c9d58d3b8f5b438aa3bab05617ffe83fb486a08a3d2414256686987535f6c953342b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enysce05.nwt.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B344CF7F573D290944F8AF7B5131BF6CD2B7EA6E
    Filesize: 1KB
    MD5: 1d9aee6645a387018ee7fac7f1863c20
    SHA1: d3f66c488282965d5853c1f1a70e47f7e87b2447
    SHA256: 4cb236c139457155a14d6767ae26f5ea9b8fb6866008fbf80b25e3ae0ab067fe
    SHA512: 17da861e51fccf7b271cd80aa7ff8c51ea9b49847a172042762678424e9ca730da345626f2a0a45e73707834555f89469f08bb639945477689f734381c31e1c5

  • memory/2300-181-0x000001F11EEE0000-0x000001F11EF24000-memory.dmp
    Filesize: 272KB

  • memory/2300-182-0x000001F11EFB0000-0x000001F11F026000-memory.dmp
    Filesize: 472KB

  • memory/2948-2-0x00000253C9180000-0x00000253C91A2000-memory.dmp
    Filesize: 136KB

  • memory/2948-22-0x00000253C9560000-0x00000253C957A000-memory.dmp
    Filesize: 104KB

  • memory/2948-21-0x00000253C9530000-0x00000253C953E000-memory.dmp
    Filesize: 56KB