Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15-10-2024 14:02
Behavioral task
behavioral1
Sample
mesh.exe
Resource
win10v2004-20241007-en
General
-
Target
mesh.exe
-
Size
3.3MB
-
MD5
66b49f392d3206fdf44c00d7d447ef95
-
SHA1
ae62bd12b1e5a35089b4e48bc8c9b32e25aa45af
-
SHA256
8e088bcdbdb7d2e9fe7ce1c03762b3a90863ae468db3c2322d48d521a155718a
-
SHA512
6bc90e0dd8dba6eaa8fddf8d5b7e7d6baf7d02529381ac9f14133fd659f4db62a82467763f637bac3ed15952df810f7dd1ad339cd12f18a1c5802f7b468eebe3
-
SSDEEP
49152:GX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85QD:GlRsZ47/QXoHUOfAoj1x6D
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                    process
  Key value queried   \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation   mesh.exe
-
Command and Scripting Interpreter: PowerShell
Processes:
  pid    process
  2276   powershell.exe
  3096   powershell.exe
  2032   powershell.exe
  2700   powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
  description       ioc                                                                                   process
  Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                  mesh.exe
  Set value (int)   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133734745749280796"   mesh.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  pid    process          (each pid is recorded three times, 12 IoCs in total)
  3096   powershell.exe
  2032   powershell.exe
  2700   powershell.exe
  2276   powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (token adjustments grouped by pid; 64 IoCs recorded in total):
  2040   wmic.exe   Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 is recorded twice)
  4748   wmic.exe   Token: the same 21 entries as above, recorded once, followed by one further SeIncreaseQuotaPrivilege
wmic.exe enables every privilege already present in its token when it starts, so this signature fires on almost any wmic run and is low signal by itself; the parts worth attention are which process launched wmic.exe and what it queried (see the process tree below).
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid    process
  4788   mesh.exe
  1528   7zFM.exe
  1520   notepad.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes (each write is recorded twice, 32 IoCs in total):
  source pid   source process   target pid   target process
  4788         mesh.exe         2040         wmic.exe
  4788         mesh.exe         3704         mesh.exe
  3704         mesh.exe         4748         wmic.exe
  3704         mesh.exe         2928         wmic.exe
  3704         mesh.exe         4380         wmic.exe
  3704         mesh.exe         1780         wmic.exe
  3704         mesh.exe         3464         wmic.exe
  3704         mesh.exe         4580         wmic.exe
  3704         mesh.exe         3096         powershell.exe
  3704         mesh.exe         2032         powershell.exe
  3704         mesh.exe         2700         powershell.exe
  3704         mesh.exe         2276         powershell.exe
  3704         mesh.exe         4664         cmd.exe
  4664         cmd.exe          4852         manage-bde.exe
  3704         mesh.exe         1364         cmd.exe
  1364         cmd.exe          628          manage-bde.exe
Every source/target pair above is a parent and its direct child in the process tree below; no write targets a process outside the tree.
Processes
-
(indentation and the [n] prefix give the depth of each process in the tree; the command line follows the image path)

[1] C:\Users\Admin\AppData\Local\Temp\mesh.exe
    "C:\Users\Admin\AppData\Local\Temp\mesh.exe"
    PID: 4788
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      PID: 2040
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\mesh.exe
      "C:\Users\Admin\AppData\Local\Temp\mesh.exe" connect --disableUpdate=1 --hideConsole=1 --exitPID=4788
      PID: 3704
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        PID: 4748
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\wbem\wmic.exe
        wmic os get oslanguage /FORMAT:LIST
        PID: 2928
    [3] C:\Windows\System32\wbem\wmic.exe
        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        PID: 4380
    [3] C:\Windows\system32\wbem\wmic.exe
        wmic os get oslanguage /FORMAT:LIST
        PID: 1780
    [3] C:\Windows\System32\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        PID: 3464
    [3] C:\Windows\System32\wbem\wmic.exe
        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        PID: 4580
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -noprofile -nologo -command -
        PID: 3096
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -noprofile -nologo -command -
        PID: 2032
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -noprofile -nologo -command -
        PID: 2700
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -noprofile -nologo -command -
        PID: 2276
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\cmd.exe
        /c manage-bde -protectors -get C: -Type recoverypassword
        PID: 4664
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\manage-bde.exe
          manage-bde -protectors -get C: -Type recoverypassword
          PID: 4852
    [3] C:\Windows\system32\cmd.exe
        /c manage-bde -protectors -get F: -Type recoverypassword
        PID: 1364
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\manage-bde.exe
          manage-bde -protectors -get F: -Type recoverypassword
          PID: 628

[1] C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\UseSelect.ocx"
    PID: 1528
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    PID: 1520
    - Suspicious use of FindShellTrayWindow
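The two facts in this tree that a detection engineer would act on are the BitLocker queries and the blind PowerShell launches. `manage-bde -protectors -get <volume> -Type recoverypassword` prints the numerical recovery password of every recovery-password protector on that volume, and `powershell -command -` reads its script from standard input, so the command line carries nothing to inspect. Below is an added example (written for this page, not code from the sandbox, the report, or the analysed sample) of rule-style detection over process-creation events: it walks the parent chain to find the nearest ancestor running from a user-writable directory and flags (a) recovery-password dumps, (b) a burst of distinct wmic inventory queries from one parent, and (c) stdin-fed PowerShell. The event records are constructed to mirror the report's tree, with three extra events forming a constructed benign control (an admin running the same manage-bde query from an explorer-spawned cmd.exe); the `UNTRUSTED_DIRS` list, the burst threshold of 3, and the Sysmon-style field names are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:  # Sysmon Event ID 1 style fields (assumed naming)
    pid: int
    ppid: int
    image: str
    cmdline: str


# CONSTRUCTED sample log: PIDs, images and command lines mirror the report's
# process tree. The last three events are a constructed benign control: an
# admin running manage-bde from an explorer-spawned cmd.exe.
T = r"C:\Users\Admin\AppData\Local\Temp\mesh.exe"
W = r"C:\Windows\system32\wbem\wmic.exe"
EVENTS = [
    ProcEvent(4788, 1000, T, f'"{T}"'),
    ProcEvent(2040, 4788, W, "wmic os get oslanguage /FORMAT:LIST"),
    ProcEvent(3704, 4788, T, f'"{T}" connect --disableUpdate=1 --hideConsole=1 --exitPID=4788'),
    ProcEvent(4748, 3704, W, "wmic SystemEnclosure get ChassisTypes"),
    ProcEvent(2928, 3704, W, "wmic os get oslanguage /FORMAT:LIST"),
    ProcEvent(4380, 3704, W, r'wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"'),
    ProcEvent(3096, 3704, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -noprofile -nologo -command -"),
    ProcEvent(4664, 3704, r"C:\Windows\system32\cmd.exe", "/c manage-bde -protectors -get C: -Type recoverypassword"),
    ProcEvent(4852, 4664, r"C:\Windows\system32\manage-bde.exe", "manage-bde -protectors -get C: -Type recoverypassword"),
    ProcEvent(1364, 3704, r"C:\Windows\system32\cmd.exe", "/c manage-bde -protectors -get F: -Type recoverypassword"),
    ProcEvent(628, 1364, r"C:\Windows\system32\manage-bde.exe", "manage-bde -protectors -get F: -Type recoverypassword"),
    ProcEvent(700, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(800, 700, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ProcEvent(900, 800, r"C:\Windows\system32\manage-bde.exe", "manage-bde -protectors -get C: -Type recoverypassword"),
]

# Assumption: user-writable directories from which no sanctioned BitLocker or
# inventory tooling is launched in the monitored estate. Tune per environment.
UNTRUSTED_DIRS = ("/appdata/local/temp/", "/appdata/roaming/", "/users/public/", "/windows/temp/")
WMI_RECON_CLASSES = {"os", "systemenclosure", "computersystem"}
RECOVERY_PASSWORD = re.compile(r"-protectors\s+-get\b.*-type\s+recoverypassword", re.I)
STDIN_SCRIPT = re.compile(r"-command\s+-(\s|$)", re.I)  # '-Command -' = script on stdin


def ancestry(events, pid):
    """Events from pid up to the root; stops at a missing parent or a PID cycle."""
    table = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = table.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = table.get(cur.ppid)
    return chain


def untrusted_ancestor(events, pid):
    """Nearest process in pid's chain (pid itself included) running from an untrusted dir, else None."""
    for e in ancestry(events, pid):
        if any(d in e.image.lower().replace("\\", "/") for d in UNTRUSTED_DIRS):
            return e
    return None


def bitlocker_recovery_dump(events):
    """(manage-bde pid, origin pid) for recovery-password queries with an untrusted-dir ancestor."""
    hits = []
    for e in events:
        if e.image.lower().endswith(r"\manage-bde.exe") and RECOVERY_PASSWORD.search(e.cmdline):
            origin = untrusted_ancestor(events, e.pid)
            if origin is not None:
                hits.append((e.pid, origin.pid))
    return hits


def wmi_recon_burst(events, threshold=3):
    """Parent pids that spawned at least `threshold` distinct wmic queries against inventory classes."""
    per_parent = {}
    for e in events:
        if not e.image.lower().endswith(r"\wmic.exe"):
            continue
        words = e.cmdline.lower().split()
        if words and words[0] == "wmic":
            words = words[1:]
        if words and words[0] in WMI_RECON_CLASSES:
            per_parent.setdefault(e.ppid, set()).add(" ".join(words))
    return sorted(p for p, queries in per_parent.items() if len(queries) >= threshold)


def powershell_stdin_script(events):
    """powershell.exe started with '-command -' under an untrusted-dir ancestor."""
    return [e.pid for e in events
            if e.image.lower().endswith(r"\powershell.exe")
            and STDIN_SCRIPT.search(e.cmdline)
            and untrusted_ancestor(events, e.pid) is not None]


def run_rules(events):
    return {"bitlocker_recovery_dump": bitlocker_recovery_dump(events),
            "wmi_recon_burst": wmi_recon_burst(events),
            "powershell_stdin_script": powershell_stdin_script(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(EVENTS).items():
        print(f"{rule}: {hits}")
```

On the constructed log the two manage-bde children (4852 and 628) are attributed to the Temp-resident mesh.exe (3704) while the admin's manage-bde (900) is not flagged, the burst rule singles out 3704 (three distinct inventory queries) and not 4788 (one), and the stdin-fed PowerShell (3096) is reported. Walking the parent chain rather than matching only the direct parent is what makes the cmd.exe hop irrelevant to the BitLocker rule.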
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5 06d16fea6ab505097d16fcaa32949d47
SHA1 0c1c719831fa41cd102d0d72d61c0f46ec5b8de8
SHA256 54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723
SHA512 03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a
-
Filesize
2KB
MD5 f2329759d5195d9bc1956de05b112aab
SHA1 4c0cc1b12a0f7b2e5f89b248c354f36acb3631f3
SHA256 5485280090bd71cdbbb07f4fce6efec651065fa257aa14160327632dee1bfeca
SHA512 2c5b4db3a88555f2059252d954b3d49f7dfd1ce8fa62484859a6507899382594611bdddbafbf77134b5270c7ad45990f44f1528654e8b0aace843f7edf67e6b5
-
Filesize
2KB
MD5 9d643a54ad9f8c54f49c0a2052d9c135
SHA1 781ef96740afa86ef33c68ed123cd2ac92bfd273
SHA256 6586bb3241194de4c1b0ab3aa68082fc34a04c209de79f3fd78262cd7c84b18b
SHA512 778a8caf7c7b1c2793ccb23b97a4c9122991741ad53e5f966bd2468458b5a8ab8ed635c6f7cc68dc5839b46e2358f962cd3db0ca23807f0338ae1425de19ea57
-
Filesize
2KB
MD5 013e7fbaca9ca5159fb32c493912b0b8
SHA1 cf246aee873a6f3d22ce124331ae6498c5c40ecc
SHA256 d86e135987a39b98666fdebdb0c4a72c7d677246e8bcda8b380513fd167bfbc4
SHA512 5699692fb7cdd396115f28e15d9ab66db1e1729e88373d48b4a1c5c4beefae5237756b21823379f80ebc4e20668f10d3012b0401eb4e899c0f7276fd3397ce47
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
153KB
MD5 1631c517e09b2615adac5d22600a3c29
SHA1 1f640d9fcd227fd59242b5896d50b3335e5099d3
SHA256 8f01c3af32f74feaf658e5735c5403fe234a14ecf13ab526728234d123d70d16
SHA512 b82e9bd60aa3f32bef6d361e4784fb6e553c18d0b71f8cca73856807ea796b8a76be4cbabd57135565ec0c8580c5a1cad6e3a900371007a0e4413188e6d344c8