meshagent | 39a7fd947f44b1916b412937848dceefb9ee06a514d8f35740cf15ddff3f71bf

Analysis

max time kernel
139s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-02-2025 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

9eb9c3fa9a8a4a673edf0e6b6057997c
SHA1

6d3456442b8b8bd40b85a580b90011fb8aa4ca44
SHA256

39a7fd947f44b1916b412937848dceefb9ee06a514d8f35740cf15ddff3f71bf
SHA512

a4a41b0e8ee7feebb1221e984050ca8253f7747060f8cbf8038f683761340105e906fdda496f436ad1ca601aefb1f51db0d06901bbaf57cffba1300a5efee1df
SSDEEP

49152:6iQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iIJK:Pg7hRdj9iMlHBSFBWZK

Score

10^/10

meshagent family backdoor defense_evasion discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

family

http://puta.dyndns.org:443/meshcentral/agent.ashx

Attributes

mesh_id
0xD4A168AB85CC42538347307026CFA907128B771A898DC41A668CAD35BE7E04146D0E7D4B81049883102F751C8D282B70
server_id
DF4AB92F3C8857999E467656003AE5A1785E8424F7659E7546274B911B930CAB20F5BCA3D8302EC6D3C5E7DFAC9F1A44
wss
wss://puta.dyndns.org:443/meshcentral/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cd8-21.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2732	netsh.exe
2764	netsh.exe
2056	netsh.exe
1520	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-3692679935-4019334568-335155002-1000\""	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
2588	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1244	wmic.exe
Token: SeSecurityPrivilege	1244	wmic.exe
Token: SeTakeOwnershipPrivilege	1244	wmic.exe
Token: SeLoadDriverPrivilege	1244	wmic.exe
Token: SeSystemProfilePrivilege	1244	wmic.exe
Token: SeSystemtimePrivilege	1244	wmic.exe
Token: SeProfSingleProcessPrivilege	1244	wmic.exe
Token: SeIncBasePriorityPrivilege	1244	wmic.exe
Token: SeCreatePagefilePrivilege	1244	wmic.exe
Token: SeBackupPrivilege	1244	wmic.exe
Token: SeRestorePrivilege	1244	wmic.exe
Token: SeShutdownPrivilege	1244	wmic.exe
Token: SeDebugPrivilege	1244	wmic.exe
Token: SeSystemEnvironmentPrivilege	1244	wmic.exe
Token: SeRemoteShutdownPrivilege	1244	wmic.exe
Token: SeUndockPrivilege	1244	wmic.exe
Token: SeManageVolumePrivilege	1244	wmic.exe
Token: 33	1244	wmic.exe
Token: 34	1244	wmic.exe
Token: 35	1244	wmic.exe
Token: SeIncreaseQuotaPrivilege	1244	wmic.exe
Token: SeSecurityPrivilege	1244	wmic.exe
Token: SeTakeOwnershipPrivilege	1244	wmic.exe
Token: SeLoadDriverPrivilege	1244	wmic.exe
Token: SeSystemProfilePrivilege	1244	wmic.exe
Token: SeSystemtimePrivilege	1244	wmic.exe
Token: SeProfSingleProcessPrivilege	1244	wmic.exe
Token: SeIncBasePriorityPrivilege	1244	wmic.exe
Token: SeCreatePagefilePrivilege	1244	wmic.exe
Token: SeBackupPrivilege	1244	wmic.exe
Token: SeRestorePrivilege	1244	wmic.exe
Token: SeShutdownPrivilege	1244	wmic.exe
Token: SeDebugPrivilege	1244	wmic.exe
Token: SeSystemEnvironmentPrivilege	1244	wmic.exe
Token: SeRemoteShutdownPrivilege	1244	wmic.exe
Token: SeUndockPrivilege	1244	wmic.exe
Token: SeManageVolumePrivilege	1244	wmic.exe
Token: 33	1244	wmic.exe
Token: 34	1244	wmic.exe
Token: 35	1244	wmic.exe
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 1244	108	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	30
PID 108 wrote to memory of 1244	108	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	30
PID 108 wrote to memory of 1244	108	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	30
PID 108 wrote to memory of 2948	108	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	33
PID 108 wrote to memory of 2948	108	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	33
PID 108 wrote to memory of 2948	108	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	33
PID 2948 wrote to memory of 2816	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	35
PID 2948 wrote to memory of 2816	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	35
PID 2948 wrote to memory of 2816	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	35
PID 2948 wrote to memory of 2864	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	37
PID 2948 wrote to memory of 2864	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	37
PID 2948 wrote to memory of 2864	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	37
PID 2864 wrote to memory of 2732	2864	cmd.exe	39
PID 2864 wrote to memory of 2732	2864	cmd.exe	39
PID 2864 wrote to memory of 2732	2864	cmd.exe	39
PID 2948 wrote to memory of 896	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	40
PID 2948 wrote to memory of 896	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	40
PID 2948 wrote to memory of 896	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	40
PID 896 wrote to memory of 2764	896	cmd.exe	42
PID 896 wrote to memory of 2764	896	cmd.exe	42
PID 896 wrote to memory of 2764	896	cmd.exe	42
PID 2948 wrote to memory of 2176	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	43
PID 2948 wrote to memory of 2176	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	43
PID 2948 wrote to memory of 2176	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	43
PID 2176 wrote to memory of 2056	2176	cmd.exe	45
PID 2176 wrote to memory of 2056	2176	cmd.exe	45
PID 2176 wrote to memory of 2056	2176	cmd.exe	45
PID 2948 wrote to memory of 1524	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	46
PID 2948 wrote to memory of 1524	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	46
PID 2948 wrote to memory of 1524	2948	2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe	46
PID 1524 wrote to memory of 1520	1524	cmd.exe	48
PID 1524 wrote to memory of 1520	1524	cmd.exe	48
PID 1524 wrote to memory of 1520	1524	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {44bd9f5b-dfe9-4e97-8838-5fa68bf52398}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {44bd9f5b-dfe9-4e97-8838-5fa68bf52398}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2732
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {67cb751c-0774-4a8b-7863-15189f3ab439}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {67cb751c-0774-4a8b-7863-15189f3ab439}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2764
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {219c6398-c920-4a87-2e33-f41dcbdd2b2b}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {219c6398-c920-4a87-2e33-f41dcbdd2b2b}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2056
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {9260cf49-2051-438d-b0c2-6013944e3eb9}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {9260cf49-2051-438d-b0c2-6013944e3eb9}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1520

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-3692679935-4019334568-335155002-1000"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
9eb9c3fa9a8a4a673edf0e6b6057997c

SHA1
6d3456442b8b8bd40b85a580b90011fb8aa4ca44

SHA256
39a7fd947f44b1916b412937848dceefb9ee06a514d8f35740cf15ddff3f71bf

SHA512
a4a41b0e8ee7feebb1221e984050ca8253f7747060f8cbf8038f683761340105e906fdda496f436ad1ca601aefb1f51db0d06901bbaf57cffba1300a5efee1df

Download Submit
memory/2816-6-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2816-7-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download