Analysis

  • max time kernel
    1724s
  • max time network
    1152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2024 19:41

General

  • Target
    meshagent32-mesh.exe
  • Size
    3.7MB
  • MD5
    546157d9f4974c5b9871be88d6814a3e
  • SHA1
    8fa936396bca1454aa4bb8f8767394ca25763383
  • SHA256
    c9fb879ceee5d354d2f773a565f7a537cb71733ea79dce8763a819774c64304c
  • SHA512
    8369d845ecd5670abc2d257e9a794bf59c771f1496b8ae6a74d0987c25152483cf0ca15710bbf087c6aa816700b6a8774e4dd7744b91256e2f54094b65271117
  • SSDEEP
    49152:r8o8bZjyJVD0s9Mr3XIfRviWkgEOaxfCbCMcXGtSgvZPOQ5Qx:r8o8VOUs9joRbMc2tSW6x

Score
3/10

Signatures

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Checks processor information in registry (2 TTPs, 17 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (44 IoCs)
  • Suspicious use of FindShellTrayWindow (21 IoCs)
  • Suspicious use of SendNotifyMessage (20 IoCs)
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe
    "C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SyncRestart.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:5056
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd69d14-f492-40bf-a246-bd0cee62f055} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" gpu
        3⤵
        PID:1800
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {929a8287-d87c-429a-9895-01b5802ad0dc} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" socket
        3⤵
        • Checks processor information in registry
        PID:3056
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3188 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c3555a-f67b-4b2f-9c00-ffdbbeaa0fd0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:3384
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4248 -childID 2 -isForBrowser -prefsHandle 4240 -prefMapHandle 2712 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc197ed2-47b4-469b-aab2-2eb58ec9d6f9} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:1812
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fcd362f-3703-42d2-9132-f5f21935ddf4} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
        3⤵
        • Checks processor information in registry
        PID:2948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a202bc2-5b20-4fbe-9475-7db73e22c2ef} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:1872
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a0577b1-c7fd-45b0-b297-b6ca43512971} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:1224
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc803fd-200d-46a4-9f55-e6547ffca931} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:4368
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 6 -isForBrowser -prefsHandle 5892 -prefMapHandle 5644 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37be502c-627b-4ce9-8809-23acc1d19a78} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:2232
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -parentBuildID 20240401114208 -prefsHandle 6248 -prefMapHandle 6256 -prefsLen 29357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4522765e-71fe-4d54-a6ef-cc2740b2e830} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" rdd
        3⤵
        PID:1904
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6244 -prefMapHandle 6252 -prefsLen 29357 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723c157d-df65-498d-af78-111d906860ab} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
        3⤵
        • Checks processor information in registry
        PID:2092
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6608 -childID 7 -isForBrowser -prefsHandle 6628 -prefMapHandle 6008 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b4b168-c8d4-4434-8cb1-2edbd97cf8c0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:3132
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6596 -childID 8 -isForBrowser -prefsHandle 6780 -prefMapHandle 6788 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b386081-2360-48d1-98fd-9a3fb2efd8e2} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
        3⤵
        PID:2976
