Analysis

  • max time kernel
    41s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 11:42

General

  • Target

    meshagent64-test.exe

  • Size

    3.3MB

  • MD5

    e52b6be78231daeb79b9c4b9762d7d12

  • SHA1

    d0f917c17bc7ff215a9e80976e750022c9c4c3b4

  • SHA256

    039a212e4dcc0674e16c5262635ea6a45f6b1ee4b227760870c09a35527614ec

  • SHA512

    4e021776b9d9e9a0d69bf99852c758254aab9cf63bd9dddeaf1cb9b34da932e5e7829d105da939cf4bea37f8b08a8caf1043ef667fd4561189b69a486fcf7fc7

  • SSDEEP

    49152:6X3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qd:6lRsZ47/QXoHUOfAoj1x6d

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

test

Attributes
  • mesh_id

    0xF1DF4AA6E0D832A3D2603EBCC7CFB3E006E144DD6F930747AB16BFCDB45E8F91BE371BCD9C2BEFA3EEA5DD77B4398096

  • server_id

    8B9463D1C0ABF4B2372773F68F75E8CF492F34547121FB260D6761BF1A13653CB2040ADF58A28FD0610884011320ABF5

  • wss

    localhost

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe
    "C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
    • C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe
      "C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Drops file in Program Files directory
      PID:2456
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files\Mesh Agent\MeshAgent.exe

    Filesize

    3.3MB

    MD5

    e52b6be78231daeb79b9c4b9762d7d12

    SHA1

    d0f917c17bc7ff215a9e80976e750022c9c4c3b4

    SHA256

    039a212e4dcc0674e16c5262635ea6a45f6b1ee4b227760870c09a35527614ec

    SHA512

    4e021776b9d9e9a0d69bf99852c758254aab9cf63bd9dddeaf1cb9b34da932e5e7829d105da939cf4bea37f8b08a8caf1043ef667fd4561189b69a486fcf7fc7