meshagent | 854717a4571738e4ed8d49e7d1f9c77cf02f2aa26d7fd49cd4195b68aa44cb94

Analysis

max time kernel
131s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

14b3ba84931f9d0d261decb8ccbaf079
SHA1

a77659ab265213a2b38384b2ae8e1a722c1d7b2e
SHA256

854717a4571738e4ed8d49e7d1f9c77cf02f2aa26d7fd49cd4195b68aa44cb94
SHA512

97c65b9d2390b0e8af2a7a4510130a92c0be4c90399223b8f5b70eddc1b916329cb005fda7c3c5209c7d83a4c4637605a4cff37304960965e2a5af045d390b98
SSDEEP

49152:iiQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iIJR:3g7hRdj9iMlHBSFBWZR

Score

10^/10

meshagent personal backdoor discovery evasion persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

Personal

http://heimdall.hostedhero.com:443/agent.ashx

Attributes

mesh_id
0x012DB6DDE7E65372F345CC35A1186B518B2A8BBA6502557EEDF03299CB0153F34D79A8C46FF331BD838E3903EF9E37A4
server_id
316B450D4320A8D7AF354D9F06DF347C98693E4AA9014FC7CFEF9940F3F338B0853FADD2076DF2D06D5810331C87BF50
wss
wss://heimdall.hostedhero.com:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016ab9-20.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
2756	netsh.exe
2760	netsh.exe
2640	netsh.exe
636	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-4177215427-74451935-3209572229-1000\""	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

Executes dropped EXE 2 IoCs

Processes:

MeshAgent.exe

pid	Process
480
2996	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

Processes:

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exeMeshAgent.exe

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

wmic.exepowershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeIncreaseQuotaPrivilege	332	wmic.exe
Token: SeSecurityPrivilege	332	wmic.exe
Token: SeTakeOwnershipPrivilege	332	wmic.exe
Token: SeLoadDriverPrivilege	332	wmic.exe
Token: SeSystemProfilePrivilege	332	wmic.exe
Token: SeSystemtimePrivilege	332	wmic.exe
Token: SeProfSingleProcessPrivilege	332	wmic.exe
Token: SeIncBasePriorityPrivilege	332	wmic.exe
Token: SeCreatePagefilePrivilege	332	wmic.exe
Token: SeBackupPrivilege	332	wmic.exe
Token: SeRestorePrivilege	332	wmic.exe
Token: SeShutdownPrivilege	332	wmic.exe
Token: SeDebugPrivilege	332	wmic.exe
Token: SeSystemEnvironmentPrivilege	332	wmic.exe
Token: SeRemoteShutdownPrivilege	332	wmic.exe
Token: SeUndockPrivilege	332	wmic.exe
Token: SeManageVolumePrivilege	332	wmic.exe
Token: 33	332	wmic.exe
Token: 34	332	wmic.exe
Token: 35	332	wmic.exe
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2116 wrote to memory of 332	2116	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	31
PID 2116 wrote to memory of 332	2116	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	31
PID 2116 wrote to memory of 332	2116	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	31
PID 2116 wrote to memory of 576	2116	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	35
PID 2116 wrote to memory of 576	2116	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	35
PID 2116 wrote to memory of 576	2116	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	35
PID 576 wrote to memory of 2820	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	37
PID 576 wrote to memory of 2820	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	37
PID 576 wrote to memory of 2820	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	37
PID 576 wrote to memory of 2848	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	39
PID 576 wrote to memory of 2848	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	39
PID 576 wrote to memory of 2848	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	39
PID 2848 wrote to memory of 2756	2848	cmd.exe	41
PID 2848 wrote to memory of 2756	2848	cmd.exe	41
PID 2848 wrote to memory of 2756	2848	cmd.exe	41
PID 576 wrote to memory of 2620	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	42
PID 576 wrote to memory of 2620	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	42
PID 576 wrote to memory of 2620	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	42
PID 2620 wrote to memory of 2760	2620	cmd.exe	44
PID 2620 wrote to memory of 2760	2620	cmd.exe	44
PID 2620 wrote to memory of 2760	2620	cmd.exe	44
PID 576 wrote to memory of 2600	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	45
PID 576 wrote to memory of 2600	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	45
PID 576 wrote to memory of 2600	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	45
PID 2600 wrote to memory of 2640	2600	cmd.exe	47
PID 2600 wrote to memory of 2640	2600	cmd.exe	47
PID 2600 wrote to memory of 2640	2600	cmd.exe	47
PID 576 wrote to memory of 940	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	48
PID 576 wrote to memory of 940	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	48
PID 576 wrote to memory of 940	576	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	48
PID 940 wrote to memory of 636	940	cmd.exe	50
PID 940 wrote to memory of 636	940	cmd.exe	50
PID 940 wrote to memory of 636	940	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {f7e25239-abbd-4f84-c233-6004e40b35a0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {f7e25239-abbd-4f84-c233-6004e40b35a0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2756
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {a5bff042-43d4-4b8f-3523-1c03756611c7}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {a5bff042-43d4-4b8f-3523-1c03756611c7}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2760
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {6c63f4e6-0be7-4992-7019-721d240bbd3a}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {6c63f4e6-0be7-4992-7019-721d240bbd3a}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2640
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {0b54bc66-c0f9-4194-e225-4e9ec7616e86}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {0b54bc66-c0f9-4194-e225-4e9ec7616e86}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:636

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-4177215427-74451935-3209572229-1000"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
14b3ba84931f9d0d261decb8ccbaf079

SHA1
a77659ab265213a2b38384b2ae8e1a722c1d7b2e

SHA256
854717a4571738e4ed8d49e7d1f9c77cf02f2aa26d7fd49cd4195b68aa44cb94

SHA512
97c65b9d2390b0e8af2a7a4510130a92c0be4c90399223b8f5b70eddc1b916329cb005fda7c3c5209c7d83a4c4637605a4cff37304960965e2a5af045d390b98

Download Submit
memory/2820-6-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-7-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download