Analysis
max time kernel: 149s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250314-en
resource tags: arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/03/2025, 16:26
General
Target: MeshAgent.exe
Size: 3.3MB
MD5: 5c716fd89b27969847a91d7048ac9d31
SHA1: 081586960b6b6093fa0473413b4c8584e081e0b9
SHA256: 36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c
SHA512: 76bcb99cddb92c1fd8966f3499eb514e3e3e34f4771791cc4497a3eebcac5ef4b6786084f272ad6a717e5f4bc53a9159985d2dec752dda8c147b63926edbe72d
SSDEEP: 49152:ldZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5bg:XHvfGfZvZj1/N/z/owJg
Malware Config
Extracted
meshagent
2
test
http://81.199.130.130:443/agent.ashx
mesh_id: 0x47DDDC52FC2F31C47AD1DB7EB4B7C5D38C64AAD2FC943360B44270FE0EA5E8B1A96E47D75411E0868F92FE77C2BFBAD0
server_id: C3CEF30878AE341001284FF387E3BB7A7922403931F7265230ABB853B779EF5C3E73D0B368F566EC7B73BFB88E64D995
wss: wss://81.199.130.130:443/agent.ashx
Signatures
-
Detects MeshAgent payload (1 IoC)
resource | yara_rule
behavioral1/files/0x001c00000002b285-2.dat | family_meshagent
Meshagent family
-
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " | MeshAgent.exe
Executes dropped EXE (1 IoC)
pid | Process
2136 | MeshAgent.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\dbghelp.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\iphlpapi.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | MeshAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\ntdll.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\user32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\shcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ncrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | MeshAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\A5B6D200C3D039ACF47E9D754458AAD40223A1DF | MeshAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5543C23EF20C5549731ED3DA4AD438A74CA554A6 | MeshAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\DLL\bcrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\msvcp_win.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\shell32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\gdiplus.pdb | MeshAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\88D4E329437B3F7E5143987C36AF4935050C7375 | MeshAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\rpcrt4.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\ucrtbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\msvcrt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\combase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\DLL\kernel32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\ws2_32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\gdi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | MeshAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\System32\dll\ntdll.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\kernelbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\apphelp.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\rpcrt4.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\bcrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\crypt32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\advapi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\shell32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\ncrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dbgcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ntasn1.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\shcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\win32u.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | MeshAgent.exe
Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File created | C:\Program Files\Mesh Agent\MeshAgent.msh | MeshAgent.exe
File created | C:\Program Files\Mesh Agent\MeshAgent.exe | MeshAgent.exe
File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | MeshAgent.exe
File created | C:\Program Files\Mesh Agent\MeshAgent.db | MeshAgent.exe
File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | MeshAgent.exe
File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | MeshAgent.exe

Command and Scripting Interpreter: PowerShell (10 IoCs)
pid | Process
3884 | powershell.exe
1684 | powershell.exe
1004 | powershell.exe
2004 | powershell.exe
4996 | powershell.exe
4976 | powershell.exe
5132 | powershell.exe
2804 | powershell.exe
1264 | powershell.exe
5204 | powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
2804 | powershell.exe
2804 | powershell.exe
3884 | powershell.exe
3884 | powershell.exe
1264 | powershell.exe
1264 | powershell.exe
5204 | powershell.exe
5204 | powershell.exe
1684 | powershell.exe
1684 | powershell.exe
1004 | powershell.exe
1004 | powershell.exe
2004 | powershell.exe
2004 | powershell.exe
4996 | powershell.exe
4996 | powershell.exe
4976 | powershell.exe
4976 | powershell.exe
5132 | powershell.exe
5132 | powershell.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2804 | powershell.exe
Token: SeDebugPrivilege | 3884 | powershell.exe
Token: SeDebugPrivilege | 1264 | powershell.exe
Token: SeDebugPrivilege | 5204 | powershell.exe
Token: SeDebugPrivilege | 1684 | powershell.exe
Token: SeDebugPrivilege | 1004 | powershell.exe
Token: SeDebugPrivilege | 2004 | powershell.exe
Token: SeDebugPrivilege | 4996 | powershell.exe
Token: SeDebugPrivilege | 4976 | powershell.exe
Token: SeDebugPrivilege | 5132 | powershell.exe
Suspicious use of WriteProcessMemory (46 IoCs)
description | pid | Process | procid_target
PID 4796 wrote to memory of 5400 | 4796 | MeshAgent.exe | 86
PID 4796 wrote to memory of 5400 | 4796 | MeshAgent.exe | 86
PID 2136 wrote to memory of 2804 | 2136 | MeshAgent.exe | 91
PID 2136 wrote to memory of 2804 | 2136 | MeshAgent.exe | 91
PID 2136 wrote to memory of 3884 | 2136 | MeshAgent.exe | 93
PID 2136 wrote to memory of 3884 | 2136 | MeshAgent.exe | 93
PID 2136 wrote to memory of 1264 | 2136 | MeshAgent.exe | 95
PID 2136 wrote to memory of 1264 | 2136 | MeshAgent.exe | 95
PID 2136 wrote to memory of 5204 | 2136 | MeshAgent.exe | 97
PID 2136 wrote to memory of 5204 | 2136 | MeshAgent.exe | 97
PID 2136 wrote to memory of 5568 | 2136 | MeshAgent.exe | 99
PID 2136 wrote to memory of 5568 | 2136 | MeshAgent.exe | 99
PID 5568 wrote to memory of 5460 | 5568 | cmd.exe | 101
PID 5568 wrote to memory of 5460 | 5568 | cmd.exe | 101
PID 2136 wrote to memory of 5600 | 2136 | MeshAgent.exe | 102
PID 2136 wrote to memory of 5600 | 2136 | MeshAgent.exe | 102
PID 5600 wrote to memory of 6128 | 5600 | cmd.exe | 104
PID 5600 wrote to memory of 6128 | 5600 | cmd.exe | 104
PID 2136 wrote to memory of 1684 | 2136 | MeshAgent.exe | 105
PID 2136 wrote to memory of 1684 | 2136 | MeshAgent.exe | 105
PID 2136 wrote to memory of 1004 | 2136 | MeshAgent.exe | 107
PID 2136 wrote to memory of 1004 | 2136 | MeshAgent.exe | 107
PID 2136 wrote to memory of 2004 | 2136 | MeshAgent.exe | 109
PID 2136 wrote to memory of 2004 | 2136 | MeshAgent.exe | 109
PID 2136 wrote to memory of 5028 | 2136 | MeshAgent.exe | 111
PID 2136 wrote to memory of 5028 | 2136 | MeshAgent.exe | 111
PID 5028 wrote to memory of 5648 | 5028 | cmd.exe | 113
PID 5028 wrote to memory of 5648 | 5028 | cmd.exe | 113
PID 2136 wrote to memory of 3080 | 2136 | MeshAgent.exe | 114
PID 2136 wrote to memory of 3080 | 2136 | MeshAgent.exe | 114
PID 3080 wrote to memory of 3792 | 3080 | cmd.exe | 116
PID 3080 wrote to memory of 3792 | 3080 | cmd.exe | 116
PID 2136 wrote to memory of 4996 | 2136 | MeshAgent.exe | 117
PID 2136 wrote to memory of 4996 | 2136 | MeshAgent.exe | 117
PID 2136 wrote to memory of 4976 | 2136 | MeshAgent.exe | 119
PID 2136 wrote to memory of 4976 | 2136 | MeshAgent.exe | 119
PID 2136 wrote to memory of 5132 | 2136 | MeshAgent.exe | 121
PID 2136 wrote to memory of 5132 | 2136 | MeshAgent.exe | 121
PID 2136 wrote to memory of 1672 | 2136 | MeshAgent.exe | 123
PID 2136 wrote to memory of 1672 | 2136 | MeshAgent.exe | 123
PID 1672 wrote to memory of 3940 | 1672 | cmd.exe | 125
PID 1672 wrote to memory of 3940 | 1672 | cmd.exe | 125
PID 2136 wrote to memory of 2784 | 2136 | MeshAgent.exe | 126
PID 2136 wrote to memory of 2784 | 2136 | MeshAgent.exe | 126
PID 2784 wrote to memory of 4032 | 2784 | cmd.exe | 128
PID 2784 wrote to memory of 4032 | 2784 | cmd.exe | 128
Processes
(process tree; indentation shows depth, each child is listed under its parent)

C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4796

  C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe" -fullinstall
    - Sets service image path in registry
    - Drops file in Program Files directory
    PID: 5400

C:\Program Files\Mesh Agent\MeshAgent.exe
  command line: "C:\Program Files\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2136

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2804

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3884

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1264

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5204

  C:\Windows\system32\cmd.exe
    command line: /c manage-bde -protectors -get C: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    PID: 5568

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -protectors -get C: -Type recoverypassword
      PID: 5460

  C:\Windows\system32\cmd.exe
    command line: /c manage-bde -protectors -get F: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    PID: 5600

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -protectors -get F: -Type recoverypassword
      PID: 6128

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1684

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1004

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2004

  C:\Windows\system32\cmd.exe
    command line: /c manage-bde -protectors -get C: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    PID: 5028

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -protectors -get C: -Type recoverypassword
      PID: 5648

  C:\Windows\system32\cmd.exe
    command line: /c manage-bde -protectors -get F: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    PID: 3080

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -protectors -get F: -Type recoverypassword
      PID: 3792

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4996

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4976

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -noprofile -nologo -command -
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5132

  C:\Windows\system32\cmd.exe
    command line: /c manage-bde -protectors -get C: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    PID: 1672

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -protectors -get C: -Type recoverypassword
      PID: 3940

  C:\Windows\system32\cmd.exe
    command line: /c manage-bde -protectors -get F: -Type recoverypassword
    - Suspicious use of WriteProcessMemory
    PID: 2784

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -protectors -get F: -Type recoverypassword
      PID: 4032
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 154KB
MD5: bd49ca59799faf7ae4b5d26a5d5e9444
SHA1: 261c48a6f5e98bf3cea89918aca2184b77557bcb
SHA256: ef6197558cb44d9411d03d3146197cf134c070ab89f358b4772833a33e5deab9
SHA512: 1ad74079df8295642ee8c3298263ec1bbd6bff1f558ebb293b56f717f905608b46f16499445f1d36dba3fb852e64bf72ca588eba8fa329de293f1bed1521a92d

Filesize: 154KB
MD5: 451a6e95576e7fa309cb9d976debe1a6
SHA1: 56b261b6c37901d3e779af5cb56ac95c74a600b1
SHA256: c1b37d63965014274965b2ffecde70ee7171e6a2a7acc52d3392b101f6ac8a74
SHA512: aabba9987fa97c719ede75ef01559410b3585404d811e093e5f31d87276d789c05fc066e294cc40e64116b67650c63f93c773bc0d4347cf2809c10a3bb31203b

Filesize: 3.3MB
MD5: 5c716fd89b27969847a91d7048ac9d31
SHA1: 081586960b6b6093fa0473413b4c8584e081e0b9
SHA256: 36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c
SHA512: 76bcb99cddb92c1fd8966f3499eb514e3e3e34f4771791cc4497a3eebcac5ef4b6786084f272ad6a717e5f4bc53a9159985d2dec752dda8c147b63926edbe72d

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 22e796539d05c5390c21787da1fb4c2b
SHA1: 55320ebdedd3069b2aaf1a258462600d9ef53a58
SHA256: 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
SHA512: d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: 33450c74228338fd1e72e5aabca1371f
SHA1: 698c49898b151c3aae2062a46f4056df4ab4fb13
SHA256: 37c29e867f619c0df2a044313ca2ce33020765eab0e66d0578094d24c240a108
SHA512: 7b3b3ffe148585ed82a95a60720e0c3ce3e466bfcfa292d920fb2f370e21f59e68a47ed65d0a9a013ca1f5063c52ca0b3f71073ae05ae11d12732c44ecea005b

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: a00a4c6c494f40f21f49f32512d0eb8c
SHA1: 8c5c0d29631e279f9d55978204924918cd109a7c
SHA256: 0f1f497759f3a0867fb375a11314f6a2067bb56fdd828528067944d67cea0477
SHA512: 188411c1a947d3bc0824b69176bf3aa40d66d97e4d9d15e8a5590f408835b756c59c7c99da3dc87c0b97a864ef83b4028567d43dc881e172e19f97b2e820356b

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: e432eecc526099225e7e17e9e656e791
SHA1: 1f73e3b892605834fd1982c51278e539442b3770
SHA256: fcc92b14b530f772d7312728f6806bbdbed436a0d27f1ca2cd65895696177c61
SHA512: 4228d4c4c8aff8e29eb522d8b4a9e1dca22455c9e01c5f957c1aea465766823c31203c4298e6bfd0c6c3fae20311b1c406730f1640b6918762bf55a1d821c753

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: 6546a95c5308ff8cd9717de3c0c50a68
SHA1: 3780aee6947c865bb3c65b4b8546c5d61ecf25b5
SHA256: d3c7bd053fcab1349032e082a73e0222d0dca206d59ffab007473d96a5548e31
SHA512: ed08ebe0efa96db2a0f716e3648565ce95c2b9f6614b965c496685ae7439239e970f56ea0e0ec4639164e717290eac0681dc39cc204b0f27c2b35b5ce4145fd7

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: 54bc0ddbb2e09049f36f8ddacd408c64
SHA1: 6a7a0509d504fc5f5fb06c92510530b3e153c57b
SHA256: b9eec392df949cc4cfcd02659e44ec7bbb7adef029b489d81fbd54fa1303102d
SHA512: 2cdf7fc62458c0ffb18830f0380ac4f7d6e6be526ebab4d52d1074d5bdf72900cf27747038897e3ece2e53e317c750023d510b30e3650a24b410705b2dffb241

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: e3c847fe6e89835f61a6e6fda6b0ba2f
SHA1: da08855d67710512792d67292507c00adeb1c357
SHA256: aeb76579c9a6b83846656189be378ad90910c11e246041ad9d5649217798750e
SHA512: 03232ad043b13f8d44d050915ed5f6842984378cc65980ca88dfc24b3cb2d9c55d3ebe98817e5775e2ffc87d4f61d47cfe76de753a7e4980a2ba94be9b319c8f

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: 1c926ffdde8e1ccc983154a6509a2cb6
SHA1: 04b1ec96a06d9a960044daea144bb970bd3349be
SHA256: 0b41e22e20a1527a992d34df2825c0bad75fda572630159f11068447f1ba32e5
SHA512: f6b97ee93789e901a17039d61c191dfaf1f72cfbb47f0da1dbecd2f2fafe637e552da6172d85c4c5044376591d17b3f19177cb8dc24a25519b5c9785c59f93bc

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: ec7033c559f2e16ac40f820c0f4e64eb
SHA1: 8ab9a4cbf292618e77279fe8f88650c17bb01b2b
SHA256: 33d97ae6504aae83a0f0cafe2a9935e7640b83ead52f5f9c302bf1d736827efa
SHA512: a645e2721107d8aa3adc3709f251c07ed6714c6f7c44aee143edd570bb9ff07010a3f549209e03784edcd1bdbdccf681e41b37f0ca33cb46714186db844c167e

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: cb8e0c64f55fed6a58a425f2849e6faf
SHA1: 51778ab5742494e1268657adb16efbcf55585389
SHA256: 65bffe0f28901ff908f421d833e8af2520164091b1362f365c69b67eff447a8e
SHA512: 279cfe5a4baa3e0826089f392af81b3ab8697306468356d1d26940bd187f6b36ae577e0bd06bce5f7dd694798dd148908e709ce781c02ccba87db08212e11c01