Analysis
-
max time kernel
21s -
max time network
23s -
platform
windows11-21h2_x64 -
resource
win11-20250314-en -
resource tags
arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system -
submitted
19/03/2025, 21:24
General
-
Target
meshagent64-test (3).exe
-
Size
3.3MB
-
MD5
fa15b312bb0e5999a2d818f8a4baf0bc
-
SHA1
f874d91384cfa3bacaaaa33fc1cc6444e007c891
-
SHA256
ae283e92827c85e5dcf6bbd837ade5fa77b3372b164a21148de99c77a4dbfce9
-
SHA512
7d0ea6117857331ebe4c98048e84200490423477f884e8c3ea79f34b69ccbb5bdca2178660eb49bcc208e3811642770f2cc57abdbb670c8a0a05b7abdfd785c9
-
SSDEEP
49152:PdZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5b4:1HvfGfZvZj1/N/z/owJ4
Malware Config
Extracted
Family
meshagent
Version
2
Botnet
test
Attributes
-
mesh_id
0xBAAC9AE409F4814112B0BCB6CEC1BB2060FF988AAC5B1EBC37305F946B7DD19682DAA25FE0EA403C76A50EC593316E5F
-
server_id
6BCD039A3454760E09EE7BFA6EB2A0F65A5F903D90EBA25FEA531F167630DF6B89F39F9E1CEF9D75CAD4B57AC61E0644
-
wss
localhost
Signatures
-
Detects MeshAgent payload 1 IoCs
resource yara_rule behavioral1/files/0x001a00000002b26e-1.dat family_meshagent -
Meshagent family
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " meshagent64-test (3).exe -
Executes dropped EXE 1 IoCs
pid Process 2244 MeshAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\dll\gdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\System32\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\ntasn1.pdb MeshAgent.exe File opened for modification C:\Windows\System32\rpcrt4.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb MeshAgent.exe File opened for modification C:\Windows\System32\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ntasn1.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb MeshAgent.exe File opened for modification C:\Windows\System32\ntdll.pdb MeshAgent.exe File opened for modification C:\Windows\System32\kernel32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\user32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dbghelp.pdb MeshAgent.exe File opened for modification C:\Windows\System32\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\bcryptprimitives.pdb MeshAgent.exe File opened for modification C:\Windows\System32\exe\MeshService64.pdb MeshAgent.exe File opened for modification C:\Windows\System32\kernelbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\kernelbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\System32\bcryptprimitives.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\apphelp.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\DLL\iphlpapi.pdb MeshAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F1336B98E4CD66A36CF7F1528FC297290AAE3ADD MeshAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\54FF7B9117BBC5AD6CDE0BEDA528FD698304003A MeshAgent.exe File opened for modification C:\Windows\System32\dll\ws2_32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\user32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\user32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\ole32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\win32u.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\System32\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\System32\ws2_32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\gdi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\win32u.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\gdi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\gdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\combase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb MeshAgent.exe File opened for modification C:\Windows\System32\dll\crypt32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\ole32.pdb MeshAgent.exe File opened for modification C:\Windows\System32\DLL\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb MeshAgent.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files\Mesh Agent\MeshAgent.msh MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.exe meshagent64-test (3).exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry MeshAgent.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133868930991064229" MeshAgent.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4720 wrote to memory of 1988 4720 meshagent64-test (3).exe 80 PID 4720 wrote to memory of 1988 4720 meshagent64-test (3).exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\meshagent64-test (3).exe"C:\Users\Admin\AppData\Local\Temp\meshagent64-test (3).exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\meshagent64-test (3).exe"C:\Users\Admin\AppData\Local\Temp\meshagent64-test (3).exe" -fullinstall2⤵
- Sets service image path in registry
- Drops file in Program Files directory
PID:1988
-
-
C:\Program Files\Mesh Agent\MeshAgent.exe"C:\Program Files\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2244
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD5fa15b312bb0e5999a2d818f8a4baf0bc
SHA1f874d91384cfa3bacaaaa33fc1cc6444e007c891
SHA256ae283e92827c85e5dcf6bbd837ade5fa77b3372b164a21148de99c77a4dbfce9
SHA5127d0ea6117857331ebe4c98048e84200490423477f884e8c3ea79f34b69ccbb5bdca2178660eb49bcc208e3811642770f2cc57abdbb670c8a0a05b7abdfd785c9