Analysis

  • max time kernel
    141s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 02:21

General

  • Target

    2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe

  • Size

    2.9MB

  • MD5

    0aa9dc10bf05ec4c4d4b9baa5cbb6f1f

  • SHA1

    6f157cb52d687a9b960bf67aa2448fc7e5d2db17

  • SHA256

    cfc9778f772c8c8daa33a520e3adbfa7fad6b33ee0d5dd104f5580eaf52eed82

  • SHA512

    cb36426922341cf3586caa15cbf05982df8ed9df4cc4faccb1c9ac4e3c193a17ac04cc4c0987bcf6f6223c07e6ff3055be3d1d00b963fb65495887916179e13d

  • SSDEEP

    49152:iiQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iIJn:3g7hRdj9iMlHBSFBWZn

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

test

C2

http://heimdall.hostedhero.com:443/agent.ashx

Attributes
  • mesh_id

    0x4E4070D78AFFA88AFDD57BD66456CDBE2034549498474E2723BF29A67E0608F067A66207C3C42FCD04E348988CD8E892

  • server_id

    316B450D4320A8D7AF354D9F06DF347C98693E4AA9014FC7CFEF9940F3F338B0853FADD2076DF2D06D5810331C87BF50

  • wss

    wss://heimdall.hostedhero.com:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Meshagent family
  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        /C "Get-Module -ListAvailable -Name netsecurity"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\System32\cmd.exe
        /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {bda3e1bd-c7e5-4d9c-4226-fabadce2cb90}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {bda3e1bd-c7e5-4d9c-4226-fabadce2cb90}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2824
      • C:\Windows\System32\cmd.exe
        /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {9e829013-404e-4790-e065-498673d8438f}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {9e829013-404e-4790-e065-498673d8438f}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2528
      • C:\Windows\System32\cmd.exe
        /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {e3dda573-d48a-4086-8998-7dd90f5f1bbd}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {e3dda573-d48a-4086-8998-7dd90f5f1bbd}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2772
      • C:\Windows\System32\cmd.exe
        /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {1f19d7a7-a357-4996-56b9-8fb02f371bfb}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {1f19d7a7-a357-4996-56b9-8fb02f371bfb}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:1224
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-3551809350-4263495960-1443967649-1000"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Mesh Agent\MeshAgent.exe

    Filesize

    2.9MB

    MD5

    0aa9dc10bf05ec4c4d4b9baa5cbb6f1f

    SHA1

    6f157cb52d687a9b960bf67aa2448fc7e5d2db17

    SHA256

    cfc9778f772c8c8daa33a520e3adbfa7fad6b33ee0d5dd104f5580eaf52eed82

    SHA512

    cb36426922341cf3586caa15cbf05982df8ed9df4cc4faccb1c9ac4e3c193a17ac04cc4c0987bcf6f6223c07e6ff3055be3d1d00b963fb65495887916179e13d

  • memory/2764-6-0x000000001B540000-0x000000001B822000-memory.dmp

    Filesize

    2.9MB

  • memory/2764-7-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB