Analysis Overview
SHA256
5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f
Threat Level: Known bad
The file 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver was found to be: Known bad. The verdict rests on the MeshAgent detections below: run with -fullinstall, the sample copies itself to C:\Program Files\Mesh Agent\MeshAgent.exe (same SHA256 as the submission), registers the "Mesh Agent" service, adds four inbound firewall rules for TCP and UDP 16990-16991 and connects to control.tautolo.gy (20.48.249.220:443). MeshAgent is the open-source MeshCentral remote-management agent, so the operator-controlled server is the indicator to block and hunt for, not the agent binary itself. No signature in either detonation supports the "ryuk" or "sliver" labels in the file name; treat them as part of the submitted name, not as attribution.
Malicious Activity Summary
Detects MeshAgent payload
Meshagent family
MeshAgent
Modifies Windows Firewall
Sets service image path in registry
Executes dropped EXE
Checks computer location settings
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 18:28
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Meshagent family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 18:28
Reported
2024-10-12 18:31
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-2872745919-2748461613-2989606286-1000\"" | C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe | N/A |
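The ImagePath above is the only persistence the report records, so it is worth parsing properly: the executable the Service Control Manager will start, whether the path is quoted, and the SID the installer passes via --installedByUser. The following is an added example, not code from the report or from the MeshCentral project. It takes the value exactly as the report prints it (escaped), unescapes it, and applies the checks an analyst runs on any new service: quoted path, location under Program Files or Windows, known remote-management binary, and the installing account's RID. The unquoted-path case and the search-order listing are included for completeness; the report's value is quoted. The "first local account" reading of RID 1000 is an interpretation, not something the report states.

```python
import re
from dataclasses import dataclass

# ImagePath value exactly as the report prints it (escaped form), from the table above.
REPORT_VALUE = r'"\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-2872745919-2748461613-2989606286-1000\""'


@dataclass
class ServiceImage:
    exe: str        # executable the Service Control Manager will start
    args: str       # everything after the executable
    quoted: bool    # whether the path was wrapped in quotes


def unescape_report_value(value: str) -> str:
    """Turn the report's escaped 'Set value (str)' form back into the raw registry string."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return re.sub(r'\\(.)', r'\1', value)   # \" -> "  and  \\ -> \


def unquoted_search_order(image_path: str) -> list[str]:
    """Space-delimited prefixes Windows tries, in order, for an unquoted ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        return []
    tokens = s.split(' ')
    order = []
    for i in range(1, len(tokens) + 1):
        cand = ' '.join(tokens[:i])
        order.append(cand)
        if cand.lower().endswith('.exe'):
            break
    return order


def split_image_path(image_path: str) -> ServiceImage:
    """Separate the executable from its arguments, honouring quotes."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:
            raise ValueError('unterminated quote in ImagePath')
        return ServiceImage(exe=s[1:end], args=s[end + 1:].strip(), quoted=True)
    order = unquoted_search_order(s)
    exe = order[-1]                       # shortest prefix that names an .exe (or the first token)
    return ServiceImage(exe=exe, args=s[len(exe):].strip(), quoted=False)


def installed_by_user(args: str):
    """(sid, rid) from --installedByUser, or None when the argument is absent."""
    m = re.search(r'--installedByUser="?(S-1-5-21-\d+-\d+-\d+-\d+)"?', args)
    if not m:
        return None
    sid = m.group(1)
    return sid, int(sid.rsplit('-', 1)[1])


def assess_service(image_path: str) -> dict:
    """Findings an analyst wants for a newly registered service ImagePath."""
    img = split_image_path(image_path)
    exe_l = img.exe.lower()
    findings = []
    if not img.quoted and ' ' in img.exe:
        findings.append('unquoted service path with spaces: ' + ' -> '.join(unquoted_search_order(image_path)))
    if not (exe_l.startswith('c:\\program files') or exe_l.startswith('c:\\windows\\')):
        findings.append('service binary outside Program Files/Windows')
    if exe_l.endswith('\\meshagent.exe'):
        findings.append('MeshAgent (MeshCentral remote-management agent) registered as a service')
    who = installed_by_user(img.args)
    if who:
        sid, rid = who
        note = ', first local account' if rid == 1000 else ''   # interpretation, not from the report
        findings.append(f'installed by {sid} (RID {rid}{note})')
    return {'exe': img.exe, 'args': img.args, 'quoted': img.quoted, 'findings': findings}


if __name__ == '__main__':
    for f in assess_service(unescape_report_value(REPORT_VALUE))['findings']:
        print(f)
```

The same check applied to the behavioral2 value differs only in the SID (S-1-5-21-4050598569-1597076380-177084960-1000), which is expected: the sandbox machines have different machine SIDs, and the RID 1000 account is the one the sample was run as.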
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.msh | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
Note: the entries below are netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, the key that lists helper DLLs, which every netsh invocation does at start-up (here, the four advfirewall commands under Processes). They show that netsh ran, not that a helper DLL was registered; T1546.007 persistence requires a new value written under that key, and none is recorded in this report.
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Note: wmic.exe enables all the privileges its token already holds when it starts, so the wmic rows below repeat for each hardware-inventory query listed under Processes and carry no signal on their own. The single powershell.exe row is the Get-Module query from the firewall setup step.
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe" -fullinstall
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
/C "Get-Module -ListAvailable -Name netsecurity"
C:\Windows\System32\cmd.exe
/C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {bc4bdb64-9a42-468e-187b-26cca97e60b0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {bc4bdb64-9a42-468e-187b-26cca97e60b0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990
C:\Windows\System32\cmd.exe
/C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {98afc8fe-3de8-4884-0f74-47a4e09bbbfe}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {98afc8fe-3de8-4884-0f74-47a4e09bbbfe}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991
C:\Windows\System32\cmd.exe
/C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {6fa4648c-92fe-4381-68cf-6e696df0ff72}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {6fa4648c-92fe-4381-68cf-6e696df0ff72}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990
C:\Windows\System32\cmd.exe
/C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {8b16b0cf-e26f-4291-35ec-2c85bd13565e}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {8b16b0cf-e26f-4291-35ec-2c85bd13565e}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2872745919-2748461613-2989606286-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
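The four netsh.exe command lines in the process list are the most actionable part of this detonation: inbound allow rules, bound to MeshAgent.exe, on every profile including public, with edge traversal enabled, for TCP and UDP 16990 and 16991. The following is an added example, not code from the report or from the MeshCentral project. It parses "netsh advfirewall firewall add rule" command lines (as recorded by Sysmon event 1, EDR process telemetry or a sandbox) into their key=value fields and flags the rules an analyst should look at. The four MeshAgent lines are copied from the Processes section above; the benign Contoso rule, the allow-list it sits on and the non-firewall wmic line are constructed for the example. Defaults of profile=any and edge=no when the field is omitted follow netsh's own defaults.

```python
import re
from dataclasses import dataclass

# The four netsh.exe command lines recorded under Processes above, plus two constructed
# lines (a benign domain-only rule and a non-firewall command) that are not from the
# report and exist only to show the filter discriminating.
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {bc4bdb64-9a42-468e-187b-26cca97e60b0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990',
    r'netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {98afc8fe-3de8-4884-0f74-47a4e09bbbfe}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991',
    r'netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {6fa4648c-92fe-4381-68cf-6e696df0ff72}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990',
    r'netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {8b16b0cf-e26f-4291-35ec-2c85bd13565e}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991',
    # constructed benign rule: domain profile only, no edge traversal, allow-listed program
    r'C:\Windows\system32\netsh.exe advfirewall firewall add rule name="Contoso Backup Agent" dir=in action=allow program="C:\Program Files\Contoso\backup.exe" protocol=TCP localport=8443 profile=domain',
    # constructed non-firewall command line
    r'wmic os get oslanguage /FORMAT:LIST',
]

ADD_RULE_RE = re.compile(r'(?i)(?:^|[\\\s])netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"

# Assumed allow-list of programs whose inbound rules are expected in the environment.
ALLOWED_PROGRAMS = {r'c:\program files\contoso\backup.exe'}
# Remote-management agents whose inbound rules should be explained before being accepted.
RMM_MARKERS = ('meshagent.exe', 'mesh agent')


@dataclass
class FirewallRule:
    name: str
    program: str
    direction: str
    action: str
    protocol: str
    localport: str
    profile: str
    edge: str
    raw: str


def parse_netsh_add_rule(cmdline: str):
    """FirewallRule for a 'netsh advfirewall firewall add rule' command line, else None."""
    if not ADD_RULE_RE.search(cmdline):
        return None
    kv = {k.lower(): (q or u) for k, q, u in KV_RE.findall(cmdline)}
    return FirewallRule(
        name=kv.get('name', ''),
        program=kv.get('program', ''),
        direction=kv.get('dir', '').lower(),
        action=kv.get('action', '').lower(),
        protocol=kv.get('protocol', '').upper(),
        localport=kv.get('localport', ''),
        profile=kv.get('profile', 'any').lower(),   # netsh default when omitted
        edge=kv.get('edge', 'no').lower(),          # netsh default when omitted
        raw=cmdline,
    )


def assess(rule: FirewallRule) -> list:
    """Reasons an inbound allow rule deserves attention; an empty list means unremarkable."""
    reasons = []
    if rule.direction != 'in' or rule.action != 'allow':
        return reasons
    prog = rule.program.lower()
    if prog in ALLOWED_PROGRAMS:
        return reasons
    if rule.edge == 'yes':
        reasons.append('edge traversal enabled (reachable through NAT)')
    if rule.profile == 'any' or 'public' in rule.profile:
        reasons.append('allowed on the public profile')
    if any(m in prog or m in rule.name.lower() for m in RMM_MARKERS):
        reasons.append('remote-management agent (MeshAgent) given an inbound allow')
    if not rule.program:
        reasons.append('rule not bound to a program')
    return reasons


def triage(cmdlines) -> list:
    """(rule, reasons) for every command line that parsed as an add-rule and was flagged."""
    out = []
    for line in cmdlines:
        rule = parse_netsh_add_rule(line)
        if rule is not None:
            reasons = assess(rule)
            if reasons:
                out.append((rule, reasons))
    return out


def opened_ports(findings) -> list:
    """Sorted (protocol, port) pairs opened by the flagged rules."""
    return sorted({(r.protocol, r.localport) for r, _ in findings})


if __name__ == '__main__':
    found = triage(SAMPLE_CMDLINES)
    for rule, reasons in found:
        print(f'{rule.protocol}/{rule.localport} {rule.program}: ' + '; '.join(reasons))
    print('ports opened:', opened_ports(found))
```

On a live host the same four rules are visible with Get-NetFirewallRule -DisplayName "Mesh Agent*" (the GUID suffix in the name changes per install, so match on the prefix) and can be removed with Remove-NetFirewallRule; removing the rules without stopping the "Mesh Agent" service only blocks the inbound ports, the agent's outbound connection to its server is unaffected.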
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | control.tautolo.gy | udp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
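The network table gives the indicators that identify this deployment: the resolver query for control.tautolo.gy and eight TCP connections to 20.48.249.220:443 (one per MeshAgent.exe start listed under Processes), while the Files section ties the dropped MeshAgent.exe to the submitted sample by hash. The following is an added example, not code from the report or from the MeshCentral project. It matches those indicators against constructed key=value log lines (resolver, flow and EDR file events; none are from the report) and shows the distinction a hunt needs: the hash finds this exact build, the domain and endpoint find this operator, and the service path finds MeshAgent installs built for any other server. The host names, client addresses and the second-build hash on WS22 are constructed.

```python
import re
from collections import Counter

# Network and file indicators copied from this report.
C2_DOMAIN = 'control.tautolo.gy'
C2_ENDPOINTS = {('20.48.249.220', 443)}
KNOWN_AGENT_SHA256 = {
    '5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f': 'MeshAgent.exe (identical to the submitted sample)',
    '4ae4265e705bd540cfd10e978b64d112cc74aa3fc3120a2391741250988572fa': 'MeshAgent.msh (agent configuration)',
}
AGENT_PATH = r'c:\program files\mesh agent\meshagent.exe'

# Constructed log lines (not from the report): resolver log, flow log and EDR file events.
# WS22 runs a MeshAgent build with a different hash, which a hash-only match would miss.
SAMPLE_LOGS = r'''
2024-10-12T18:29:01Z type=dns client=10.0.0.17 query=control.tautolo.gy answer=20.48.249.220
2024-10-12T18:29:02Z type=flow src=10.0.0.17:49711 dst=20.48.249.220:443 proto=tcp bytes=1843
2024-10-12T18:29:03Z type=flow src=10.0.0.17:49712 dst=20.48.249.220:443 proto=tcp bytes=1843
2024-10-12T18:29:04Z type=flow src=10.0.0.17:49713 dst=20.48.249.220:443 proto=tcp bytes=1843
2024-10-12T18:29:05Z type=dns client=10.0.0.22 query=update.example.net answer=203.0.113.9
2024-10-12T18:29:06Z type=flow src=10.0.0.22:50120 dst=203.0.113.9:443 proto=tcp bytes=920
2024-10-12T18:30:10Z type=file host=WS17 path="C:\Program Files\Mesh Agent\MeshAgent.exe" sha256=5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f
2024-10-12T18:30:11Z type=file host=WS22 path="C:\Program Files\Mesh Agent\MeshAgent.exe" sha256=0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
'''

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """key=value fields of one log line, plus the leading timestamp as 'ts'."""
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    fields['ts'] = line.split(' ', 1)[0]
    return fields


def parse_logs(text: str) -> list:
    return [parse_line(ln) for ln in text.strip().splitlines() if ln.strip()]


def split_endpoint(ep: str):
    host, _, port = ep.rpartition(':')
    return host, int(port)


def match_iocs(events) -> list:
    """(subject, reason) for every event that touches a report indicator."""
    hits = []
    for e in events:
        kind = e.get('type')
        if kind == 'dns' and e.get('query', '').lower() == C2_DOMAIN:
            hits.append((e['client'], f'resolved {C2_DOMAIN}'))
        elif kind == 'flow' and split_endpoint(e['dst']) in C2_ENDPOINTS:
            hits.append((split_endpoint(e['src'])[0], f"connected to {e['dst']}"))
        elif kind == 'file':
            sha = e.get('sha256', '').lower()
            if sha in KNOWN_AGENT_SHA256:
                hits.append((e['host'], 'hash match: ' + KNOWN_AGENT_SHA256[sha]))
            elif e.get('path', '').lower() == AGENT_PATH:
                hits.append((e['host'], 'MeshAgent at the service path with an unknown hash (other build or operator)'))
    return hits


def affected(events) -> set:
    """Hosts and client addresses with at least one indicator hit."""
    return {subject for subject, _ in match_iocs(events)}


def repeated_connections(events, min_count: int = 3) -> dict:
    """(source host, destination endpoint) pairs with at least min_count separate connections.
    The report shows eight to 20.48.249.220:443 in about two minutes, matching the eight
    MeshAgent.exe starts under Processes; repeated short connections like this are how the
    agent shows up in flow data even when the TLS payload is opaque."""
    c = Counter((split_endpoint(e['src'])[0], e['dst']) for e in events if e.get('type') == 'flow')
    return {pair: n for pair, n in c.items() if n >= min_count}


if __name__ == '__main__':
    evs = parse_logs(SAMPLE_LOGS)
    for subject, reason in match_iocs(evs):
        print(subject, '-', reason)
    print('repeated:', repeated_connections(evs))
```

The MeshAgent.msh file dropped next to the binary carries the agent's server configuration, so on a host flagged only by the service path, hashing or reading that file is the quickest way to tell whether it points at the same server as this report or at a different one.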
Files
memory/2872-6-0x000000001B620000-0x000000001B902000-memory.dmp
memory/2872-7-0x0000000002340000-0x0000000002348000-memory.dmp
\Program Files\Mesh Agent\MeshAgent.exe
| MD5 | 31c7fa68b69d8d229a6e9daa2949d895 |
| SHA1 | 2f5593e25a34cbb303901bce8942a8505ba2a38f |
| SHA256 | 5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f |
| SHA512 | 7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37 |
C:\Program Files\Mesh Agent\MeshAgent.db
| MD5 | ece09c0c3122993563b2318d19d624e0 |
| SHA1 | d2f2ed00ba285c2138a1ba13a520a23a737fc5ec |
| SHA256 | 8549831d76c8ff088cf7066625e9d327675a96cb5ff1b7a4b420fca1e346c536 |
| SHA512 | aec102de75d09d8d3987c22366ccc213130655741037e429eab2adaa19aaf19bf1989891b9f29a3abfd17a46b163113a6510c2b8897a09d45a4ce7bb3259e473 |
C:\Program Files\Mesh Agent\MeshAgent.msh
| MD5 | c2caa0b051fe5f485fae1bf815d6960d |
| SHA1 | f18e3e88b6740a063e4118a443c1a27944d355c8 |
| SHA256 | 4ae4265e705bd540cfd10e978b64d112cc74aa3fc3120a2391741250988572fa |
| SHA512 | 9f4859e250ad06a2eaef94acf099209231c622a398b9999806f2b6735fd5abad933dc900788c583ce082c26e4aa5741eb050b3e537f6276055fc6612a1162a34 |
C:\Program Files\Mesh Agent\MeshAgent.log
| MD5 | 9fd49b3d7d91f7ac15c751cd3d882d8f |
| SHA1 | 50391632f78543d0fad5f4a99cc9d932a4f33ce0 |
| SHA256 | 12aa91b9d98fcccca11865eb26e36858191d59c57b9ff81f0ffdfee2b7671786 |
| SHA512 | 8c5e89f1e221b6659dbb2fb3663e2806d3c7b0fcf0c37d8ce28e57332aac3206c1cdb63bb5b1abf4050224c1a947bf160054725555ab13fa0c31d4f11cd26cbc |
C:\Program Files\Mesh Agent\MeshAgent.log
| MD5 | 5c92fa3b0382e66a7da7e17d2dc06f0e |
| SHA1 | f93783dda95c77592f69120088e86b438a4dd3c4 |
| SHA256 | 8a0f7c006d9ccb092bdc779c17284c301125d7f2b617d46bffee123da8bcc2f8 |
| SHA512 | edecd46a67f49a6c1691e2b2fd5ac96fa6487067af79eb9c46fdd9d250553903b76ff23a4a5939ebf488250ec273abf3666616f78847971bb9c22d0254496faf |
C:\Program Files\Mesh Agent\MeshAgent.log
| MD5 | d41fe61d9e1cbd70a0fda07dc5221164 |
| SHA1 | 9df162d69e03c9ced287f93e94ad20a3045ff196 |
| SHA256 | 75b7d7f603ede2b3e6cc0124e11ed849cde7bf84d69e29cc0e54861fd5e813ea |
| SHA512 | 2e0a2cd4af1642dfcf84d1e0e5d4be00be723b255cb8c18d6d0eb4df02c61cc6e4414245b545369ad1af4896ab2723ed129c09247cf6a95ae51a8680af4a2ad4 |
C:\Program Files\Mesh Agent\MeshAgent.log
| MD5 | 0891f204b9c9a1dc23992280968591de |
| SHA1 | b2d2e91cb4709edcf3f99d01ebeb7f8e89f1aa3b |
| SHA256 | 28bb1ad2999634d399a2784b4853f0e348dd3eab074f908113420683bd3603ee |
| SHA512 | a6311f1a78217b681a0e9debcd4d936f6e2ba7494c4f39d3a971c80971aeb5c942fef6565980483f34eeae0c421624c3a19fb14b683b7a07ec4b50f6ac629e7f |
C:\Program Files\Mesh Agent\MeshAgent.log
| MD5 | d567eda5176ac3da505537c3118df170 |
| SHA1 | bdbf2e1a400ee84b58e37fe00f8e4a31a26b9afe |
| SHA256 | cf758a975b2852f84e9ea8e9ba173001d58567a187486ff83a78dc20196ff59c |
| SHA512 | 36b3193eb82401efbfb179082a0b5b919ea82be13d7230ad5f06c27d29a5e65ff229acac24a6f38d9f280af1ab9ab92d7590fac9db0185fa18c2b9f01fb131a4 |
C:\Program Files\Mesh Agent\MeshAgent.log
| MD5 | a9d2beadd2c6ee3c7bc689b34f59dca6 |
| SHA1 | 2d0c53e2c8adb9ee729e1b47b84466f29dfa2577 |
| SHA256 | b23eedcbe9d55ed0b8d2e3d6d91351fc69580d13d25e479870aff2e835956b77 |
| SHA512 | 3e69d5a8f0c8a2dbc86b8b5b1949e71c1eb5826531471a7a049786649ab0e5ca6230972b8183053adb62877266057eb8ac1566d692d7f3375a9665eb09e922f2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 18:28
Reported
2024-10-12 18:31
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MeshAgent
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-4050598569-1597076380-177084960-1000\"" | C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\symbols\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\9525BE8F0A02CF02CF5D9C363549B8E09446C328 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\version.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\oleaut32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\exe\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\80DE0A6A73FCC8CF134489DF5CC12F05F2244E40 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\C2A1AB4CC63AD0C4F00B9D2CECA5487956CB5E4F | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mesh Agent\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\exe\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.update.exe_unzipped | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.msh | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.update.exe | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.update.exe | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\DLL\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\symbols\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732313341298267" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.update.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe" -fullinstall
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
/C "Get-Module -ListAvailable -Name netsecurity"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
/C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
/C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
/C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
/C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-4050598569-1597076380-177084960-1000"
C:\Windows\System32\wbem\wmic.exe
wmic bios get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic BASEBOARD get /VALUE
C:\Windows\System32\wbem\wmic.exe
wmic CSProduct get /VALUE
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\cmd.exe
cmd /C wmic service "Mesh Agent" call stopservice & "C:\Program Files\Mesh Agent\MeshAgent.update.exe" -b64exec dHJ5CnsKICAgIHZhciBzZXJ2aWNlTG9jYXRpb24gPSBwcm9jZXNzLmFyZ3YucG9wKCk7CiAgICByZXF1aXJlKCdwcm9jZXNzLW1hbmFnZXInKS5lbnVtZXJhdGVQcm9jZXNzZXMoKS50aGVuKGZ1bmN0aW9uIChwcm9jKQogICAgewogICAgICAgIGZvciAodmFyIHAgaW4gcHJvYykKICAgICAgICB7CiAgICAgICAgICAgIGlmIChwcm9jW3BdLnBhdGggPT0gc2VydmljZUxvY2F0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwcm9jZXNzLmtpbGwocHJvY1twXS5waWQpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHByb2Nlc3MuZXhpdCgpOwogICAgfSk7Cn0KY2F0Y2goZSkKewogICAgcHJvY2Vzcy5leGl0KCk7Cn0= "C:\Program Files\Mesh Agent\MeshAgent.exe" & copy "C:\Program Files\Mesh Agent\MeshAgent.update.exe" "C:\Program Files\Mesh Agent\MeshAgent.exe" & wmic service "Mesh Agent" call startservice & erase "C:\Program Files\Mesh Agent\MeshAgent.update.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic service "Mesh Agent" call stopservice
C:\Program Files\Mesh Agent\MeshAgent.update.exe
"C:\Program Files\Mesh Agent\MeshAgent.update.exe" -b64exec dHJ5CnsKICAgIHZhciBzZXJ2aWNlTG9jYXRpb24gPSBwcm9jZXNzLmFyZ3YucG9wKCk7CiAgICByZXF1aXJlKCdwcm9jZXNzLW1hbmFnZXInKS5lbnVtZXJhdGVQcm9jZXNzZXMoKS50aGVuKGZ1bmN0aW9uIChwcm9jKQogICAgewogICAgICAgIGZvciAodmFyIHAgaW4gcHJvYykKICAgICAgICB7CiAgICAgICAgICAgIGlmIChwcm9jW3BdLnBhdGggPT0gc2VydmljZUxvY2F0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwcm9jZXNzLmtpbGwocHJvY1twXS5waWQpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHByb2Nlc3MuZXhpdCgpOwogICAgfSk7Cn0KY2F0Y2goZSkKewogICAgcHJvY2Vzcy5leGl0KCk7Cn0= "C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic service "Mesh Agent" call startservice
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-4050598569-1597076380-177084960-1000"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
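The update step recorded above (cmd /C ... stopservice, MeshAgent.update.exe -b64exec ..., copy, startservice, erase) carries its JavaScript inline as a base64 argument, so the interesting logic is not visible in the process list itself. The helper below is an added triage example, not part of this report or of the MeshAgent project: it pulls the -b64exec blob out of a command line, decodes it, and sorts the wmic.exe children into hardware-inventory queries versus service control. The sample input is copied from the process list above; the regular expressions and the set of WMI classes treated as hardware inventory are this example's own assumptions.

```python
"""Triage helper for the process command lines in this sandbox report.

Added example (not from the report or from MeshAgent): decode the
-b64exec payload handed to MeshAgent.update.exe and summarise what the
wmic.exe children were asked for.
"""
import base64
import re
from typing import Optional

# The base64 argument exactly as it appears in the report's update command line.
UPDATE_B64 = "dHJ5CnsKICAgIHZhciBzZXJ2aWNlTG9jYXRpb24gPSBwcm9jZXNzLmFyZ3YucG9wKCk7CiAgICByZXF1aXJlKCdwcm9jZXNzLW1hbmFnZXInKS5lbnVtZXJhdGVQcm9jZXNzZXMoKS50aGVuKGZ1bmN0aW9uIChwcm9jKQogICAgewogICAgICAgIGZvciAodmFyIHAgaW4gcHJvYykKICAgICAgICB7CiAgICAgICAgICAgIGlmIChwcm9jW3BdLnBhdGggPT0gc2VydmljZUxvY2F0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwcm9jZXNzLmtpbGwocHJvY1twXS5waWQpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHByb2Nlc3MuZXhpdCgpOwogICAgfSk7Cn0KY2F0Y2goZSkKewogICAgcHJvY2Vzcy5leGl0KCk7Cn0="

# Constructed sample input: three command lines copied from the process list
# (the update step, one BIOS inventory query, the video-controller query).
UPDATE_CMDLINE = (
    'cmd /C wmic service "Mesh Agent" call stopservice & '
    '"C:\\Program Files\\Mesh Agent\\MeshAgent.update.exe" -b64exec '
    + UPDATE_B64 +
    ' "C:\\Program Files\\Mesh Agent\\MeshAgent.exe" & '
    'copy "C:\\Program Files\\Mesh Agent\\MeshAgent.update.exe" '
    '"C:\\Program Files\\Mesh Agent\\MeshAgent.exe" & '
    'wmic service "Mesh Agent" call startservice & '
    'erase "C:\\Program Files\\Mesh Agent\\MeshAgent.update.exe"'
)
SAMPLE_CMDLINES = [
    UPDATE_CMDLINE,
    'wmic bios get /VALUE',
    'wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,'
    'CurrentVerticalResolution /FORMAT:"C:\\Windows\\system32\\wbem\\en-US\\csv"',
]

# Assumed patterns (this example's own, not MeshAgent's argument grammar).
B64EXEC_RE = re.compile(r'-b64exec\s+([A-Za-z0-9+/=]+)')
WMIC_RE = re.compile(r'\bwmic(?:\.exe)?\s+(?:PATH\s+)?([A-Za-z_]\w*)', re.IGNORECASE)
SVC_RE = re.compile(r'\bwmic\s+service\s+"([^"]+)"\s+call\s+(\w+)', re.IGNORECASE)

# WMI classes/aliases this report shows being used for machine fingerprinting.
HW_INVENTORY_CLASSES = {
    "bios", "baseboard", "csproduct", "memorychip", "partition", "cpu",
    "win32_videocontroller", "diskdrive", "systemenclosure", "computersystem",
}


def decode_b64exec(cmdline: str) -> Optional[str]:
    """Return the decoded -b64exec script, or None if the line has none."""
    m = B64EXEC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def wmic_classes(cmdline: str) -> list:
    """WMI classes/aliases named on the line, first-seen order, no repeats."""
    seen: list = []
    for m in WMIC_RE.finditer(cmdline):
        cls = m.group(1)
        if cls.lower() not in [s.lower() for s in seen]:
            seen.append(cls)
    return seen


def service_calls(cmdline: str) -> list:
    """(service name, verb) pairs for every 'wmic service "..." call <verb>'."""
    return [(m.group(1), m.group(2).lower()) for m in SVC_RE.finditer(cmdline)]


def triage(cmdlines) -> dict:
    """Summarise a list of command lines into the buckets an analyst wants."""
    report = {"b64exec_payloads": [], "service_calls": [],
              "hardware_inventory": [], "other_wmic": []}
    for line in cmdlines:
        payload = decode_b64exec(line)
        if payload is not None:
            report["b64exec_payloads"].append(payload)
        report["service_calls"].extend(service_calls(line))
        for cls in wmic_classes(line):
            bucket = ("hardware_inventory" if cls.lower() in HW_INVENTORY_CLASSES
                      else "other_wmic")
            if cls not in report[bucket]:
                report[bucket].append(cls)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    print("service calls:", result["service_calls"])
    print("hardware inventory classes:", result["hardware_inventory"])
    print("other wmic classes:", result["other_wmic"])
    for js in result["b64exec_payloads"]:
        print("--- decoded -b64exec payload ---")
        print(js)
```

Run stand-alone, the decoded payload is a short JavaScript snippet: it takes the last argument (the installed MeshAgent.exe path), enumerates processes through the agent's process-manager module, kills any process whose path matches, and exits. That is what lets the following copy step overwrite MeshAgent.exe while the service is stopped. When hunting for this pattern outside a sandbox, key on the -b64exec switch on a child of cmd.exe together with the stopservice/startservice pair around it rather than on the base64 text, which changes with the agent version.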
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | control.tautolo.gy | udp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| US | 8.8.8.8:53 | 220.249.48.20.in-addr.arpa | udp |
| CA | 20.48.249.220:443 | control.tautolo.gy | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2948-2-0x00000253C9180000-0x00000253C91A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enysce05.nwt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2948-21-0x00000253C9530000-0x00000253C953E000-memory.dmp
memory/2948-22-0x00000253C9560000-0x00000253C957A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | b5f63423f55e96fabcd1b186b27ce0c4 |
| SHA1 | 581b488265a2f159836409853f4b97eb5941bd48 |
| SHA256 | 451cd58d101dc6219943589eedc0789ff95f35be417f63555ebde5d354e7c11a |
| SHA512 | f1e9873c6c88964035589f1dbfa28bff55315a66d471e69332f96c837855252187b719d5660baee2d5e3bb5d86b8c42e54826546b6e0d949010a6c7d2facadeb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fc08d9efbf45b4045fdf2cfc507ddceb |
| SHA1 | 7a1095765f0b9ed6a04afeb084f4e78cc25aed5c |
| SHA256 | b11437cfbe0773154d082440842d8754f31a0ff920b86a1c518cefbe9e0bc92e |
| SHA512 | 2f765d087a043d05720445383409bbab5f2a17f46c10257589a94a8dfa22e5888692879d25df2e78192e6a226ad3c44921689104a3e40f2a45ffe2cc0ba10571 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b50e76049fec4d6f2aaff1b49521c2f |
| SHA1 | 4cc854f1ed8f94067b742271cb69ffefc8355cd7 |
| SHA256 | 752054e3c44795d033e05aae7a251dd48ff6bccb524c6884994bebf53c08620c |
| SHA512 | 836749249b39f8d335dcc4103b5587340b5b2a5f3c84db91d307a90e1fb622b02d8dd903b76ecc274c68d48fda75247284c4b571d081daeae57b634c5e40a1a8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | afd0a743508cdc5ba7d3c45e8be63316 |
| SHA1 | 7ad41e8c15174e65c3d4905b44fa2639d9867c6d |
| SHA256 | c0c04903981b71444d4928eb46610d58b798d4190cd25666cb614c5789236294 |
| SHA512 | 05cc5945fe0015ab6feaa32c1059c310bc0ade51a90aa6e03af7192b9807c9d58d3b8f5b438aa3bab05617ffe83fb486a08a3d2414256686987535f6c953342b |
C:\Program Files\Mesh Agent\MeshAgent.exe
| MD5 | 31c7fa68b69d8d229a6e9daa2949d895 |
| SHA1 | 2f5593e25a34cbb303901bce8942a8505ba2a38f |
| SHA256 | 5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f |
| SHA512 | 7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37 |
C:\Program Files\Mesh Agent\MeshAgent.update.exe
| MD5 | cc990bd595f607cf8b9fd686524913ce |
| SHA1 | 0859e146238b48ce64da2307c9c4cb7b9d1123d2 |
| SHA256 | 0e9a4e62e5d0c1809d21e4d9708aca61a4285025347dd0c8b6ed02a1ac063cd8 |
| SHA512 | 091ec6bbdee7e34b4bd13bf4d7bf81ec4fe36ea0a50687ab5298c1fe88c7328da09411c56d4e451405b4c074f24889ed6449a37b96f22c2a68076144b34f0633 |
C:\Program Files\Mesh Agent\MeshAgent.update.exe
| MD5 | d63d1f77d0bbaacb826330b6c7ec87b2 |
| SHA1 | 2127974e685725237ae5e3ca5a720e529f893a1b |
| SHA256 | 8993d212be2993fb5742fe3f253e002e41ecd40a736ffb483fe3e2cccf5dbcb6 |
| SHA512 | 44be62bd8d424ca76a958bc574aa8a77517e351dd7ad0a5475d57e24ea5dac8a67f68bbc49201f790ba6a8965ff9e628245557e218c1c0defc8565cd83b8e797 |
C:\Program Files\Mesh Agent\MeshAgent.msh
| MD5 | c2caa0b051fe5f485fae1bf815d6960d |
| SHA1 | f18e3e88b6740a063e4118a443c1a27944d355c8 |
| SHA256 | 4ae4265e705bd540cfd10e978b64d112cc74aa3fc3120a2391741250988572fa |
| SHA512 | 9f4859e250ad06a2eaef94acf099209231c622a398b9999806f2b6735fd5abad933dc900788c583ce082c26e4aa5741eb050b3e537f6276055fc6612a1162a34 |
C:\Program Files\Mesh Agent\MeshAgent.db
| MD5 | 598e7761af3c3e51c1e97c6c0ef90b10 |
| SHA1 | 79339d6e8e403d7be70c4dbd34ce9cdb032058fd |
| SHA256 | c6f98d199b63b10fd72841110d4af749a19fb4cb5d50edeb42e92ce94fbd5606 |
| SHA512 | 8f1e33acddaa54d1270dfa9e2b8f8437184ad9bf6a2cba3c8325deeee335cf6ac3630c2fb5a102285f092a780652fe8942fc815b2822ec0fb0b9223c108d4d57 |
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B344CF7F573D290944F8AF7B5131BF6CD2B7EA6E
| MD5 | 1d9aee6645a387018ee7fac7f1863c20 |
| SHA1 | d3f66c488282965d5853c1f1a70e47f7e87b2447 |
| SHA256 | 4cb236c139457155a14d6767ae26f5ea9b8fb6866008fbf80b25e3ae0ab067fe |
| SHA512 | 17da861e51fccf7b271cd80aa7ff8c51ea9b49847a172042762678424e9ca730da345626f2a0a45e73707834555f89469f08bb639945477689f734381c31e1c5 |
memory/2300-181-0x000001F11EEE0000-0x000001F11EF24000-memory.dmp
memory/2300-182-0x000001F11EFB0000-0x000001F11F026000-memory.dmp
C:\Program Files\Mesh Agent\MeshAgent.db.tmp
| MD5 | 956d0a651036d77e4020a1a465437dea |
| SHA1 | dca45d94263d43240a5f05992b609fd6ae0e514e |
| SHA256 | 5186a5c1707a0d977942d3d124a01e407ba21cb6482aea5ba887195a85e176d3 |
| SHA512 | ef95d460330f091e3263372400e4ae6d488fa9bb811b827199e98d2284088b0a4a88910878117c3578931c8bf8ac67bcd8db277519363becd0232ae5b0083282 |