Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\Mesh Agent] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\Mesh Agent] 'ImagePath' = '"%ProgramFiles%\Mesh Agent\MeshAgent.exe"'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\Mesh Agent] 'ImagePath' = '"%ProgramFiles%\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1960123792-2022915161-3775307078-1001"'
Creates the following services
- 'Mesh Agent' "%ProgramFiles%\Mesh Agent\MeshAgent.exe"
- 'Mesh Agent' %ProgramFiles%\Mesh Agent\MeshAgent.exe
Malicious functions
Executes the following
- '%WINDIR%\syswow64\net.exe' stop tacticalagent
- '%WINDIR%\syswow64\net.exe' stop checkrunner
- '%WINDIR%\syswow64\net.exe' stop tacticalrpc
- '%WINDIR%\syswow64\taskkill.exe' /F /IM tacticalrmm.exe
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {e2113f95-9c5b-4a8f-01d3-d2e49db1dfa0}" action=allow description="Mesh Central Agent Management Traffic" dir=in program...
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {f78dc462-4888-4f9c-369d-a69102e14cc2}" action=allow description="Mesh Central Agent Management Traffic" dir=in program...
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {dd27fa7b-7127-449b-1ce3-2b0074e87dbd}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in pro...
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {75ad2ed3-ccc0-4c88-f63b-6007e7895cf1}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in pro...
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
Modifies file system
Creates the following files
- %WINDIR%\temp\winagent-v1.5.3.exe
- <SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\systemcertificates\my\keys\4704ae9de2c8ef571204e4163b2ec7c9a2204b30
- <SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\systemcertificates\my\certificates\99de831060a4beed42c838037809f16861e2dcd0
- %ProgramFiles%\mesh agent\meshagent.log
- <SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\systemcertificates\my\keys\630ac7164185fa51ccc603962a350aa6820eb8a6
- <SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\systemcertificates\my\certificates\e2f234cf756f1489e32b163d4d5cb6bd68c8082e
- %ALLUSERSPROFILE%\microsoft\crypto\systemkeys\8b4bb76343abb41b06ce4b46a614f4e1_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %ProgramFiles%\mesh agent\meshagent.db
- %ProgramFiles%\mesh agent\meshagent.exe
- %ProgramFiles%\tacticalagent\meshagent.exe
- %ProgramFiles%\tacticalagent\unins000.dat
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\tactical rmm agent.lnk
- %ProgramFiles%\tacticalagent\is-ubvgs.tmp
- %ProgramFiles%\tacticalagent\is-07a5g.tmp
- %ProgramFiles%\tacticalagent\is-4hvel.tmp
- %TEMP%\is-k8b25.tmp\_isetup\_setup64.tmp
- %TEMP%\setup log 2021-05-05 #001.txt
- %TEMP%\is-9s04r.tmp\winagent-v1.5.3.tmp
- %ALLUSERSPROFILE%\microsoft\crypto\systemkeys\2b79ee980b2ca5b7b7f99d5172da7dd2_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %ProgramFiles%\mesh agent\meshagent.msh
Deletes the following files
- %TEMP%\is-k8b25.tmp\_isetup\_setup64.tmp
- %TEMP%\is-9s04r.tmp\winagent-v1.5.3.tmp
- <SYSTEM32>\config\systemprofile\appdata\roaming\microsoft\systemcertificates\my\certificates\e2f234cf756f1489e32b163d4d5cb6bd68c8082e
Moves the following files
- from %ProgramFiles%\tacticalagent\is-4hvel.tmp to %ProgramFiles%\tacticalagent\unins000.exe
- from %ProgramFiles%\tacticalagent\is-07a5g.tmp to %ProgramFiles%\tacticalagent\tacticalrmm.exe
- from %ProgramFiles%\tacticalagent\is-ubvgs.tmp to %ProgramFiles%\tacticalagent\nssm.exe
Network activity
Connects to
- 'ex##.#acticalrmm.io':443
- 'ap#.##chnado.com.au':4222
- 'ap#.##chnado.com.au':443
- 'me##.##chnado.com.au':443
TCP
- 'ex##.#acticalrmm.io':443
- 'ap#.##chnado.com.au':443
UDP
- DNS ASK ex##.#acticalrmm.io
- DNS ASK ap#.##chnado.com.au
- DNS ASK me##.##chnado.com.au
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\temp\winagent-v1.5.3.exe' /VERYSILENT /SUPPRESSMSGBOXES
- '%TEMP%\is-9s04r.tmp\winagent-v1.5.3.tmp' /SL5="$F009A,3482683,824832,%WINDIR%\Temp\winagent-v1.5.3.exe" /VERYSILENT /SUPPRESSMSGBOXES
- '%ProgramFiles%\tacticalagent\tacticalrmm.exe' -m install --api https://api.technado.com.au --client-id 1 --site-id 23 --agent-type workstation --auth 8d289ff3f263472ef85ea86029bf108bcac698969a63663fce6b6cff92974348
- '%ProgramFiles%\tacticalagent\meshagent.exe' -fullinstall
- '%ProgramFiles%\mesh agent\meshagent.exe' --installedByUser="S-1-5-21-1960123792-2022915161-3775307078-1001"
- '%ProgramFiles%\mesh agent\meshagent.exe' -nodeid
- '%WINDIR%\syswow64\cmd.exe' /c net stop tacticalagent' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net stop checkrunner' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net stop tacticalrpc' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /F /IM tacticalrmm.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net start tacticalagent && ping 127.0.0.1 -n 2' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net start tacticalrpc' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c net stop tacticalagent
- '<SYSTEM32>\wbem\wmic.exe' diskdrive LIST BRIEF /FORMAT:"<SYSTEM32>\wbem\en-US\csv"
- '<SYSTEM32>\wbem\wmic.exe' PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"<SYSTEM32>\wbem\en-US\csv"
- '<SYSTEM32>\wbem\wmic.exe' CPU LIST BRIEF /FORMAT:"<SYSTEM32>\wbem\en-US\csv"
- '<SYSTEM32>\wbem\wmic.exe' PARTITION LIST /FORMAT:"<SYSTEM32>\wbem\en-US\csv"
- '<SYSTEM32>\wbem\wmic.exe' OS GET /FORMAT:"<SYSTEM32>\wbem\en-US\csv"
- '<SYSTEM32>\wbem\wmic.exe' MEMORYCHIP LIST /FORMAT:"<SYSTEM32>\wbem\en-US\csv"
- '<SYSTEM32>\wbem\wmic.exe' os get oslanguage /FORMAT:LIST
- '<SYSTEM32>\wbem\wmic.exe' CSProduct get /VALUE
- '<SYSTEM32>\wbem\wmic.exe' BASEBOARD get /VALUE
- '<SYSTEM32>\wbem\wmic.exe' bios get /VALUE
- '<SYSTEM32>\cmd.exe' "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {75ad2ed3-ccc0-4c88-f63b-6007e7895cf1}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir...
- '<SYSTEM32>\cmd.exe' "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {dd27fa7b-7127-449b-1ce3-2b0074e87dbd}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir...
- '<SYSTEM32>\cmd.exe' "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {f78dc462-4888-4f9c-369d-a69102e14cc2}" action=allow description="Mesh Central Agent Management Traffic" dir=in ...
- '<SYSTEM32>\cmd.exe' "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {e2113f95-9c5b-4a8f-01d3-d2e49db1dfa0}" action=allow description="Mesh Central Agent Management Traffic" dir=in ...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "Get-Module -ListAvailable -Name netsecurity"
- '%WINDIR%\syswow64\net1.exe' start tacticalrpc
- '%WINDIR%\syswow64\net.exe' start tacticalrpc
- '%WINDIR%\syswow64\cmd.exe' /c net start tacticalrpc
- '%WINDIR%\syswow64\net1.exe' start tacticalagent
- '%WINDIR%\syswow64\net.exe' start tacticalagent
- '%WINDIR%\syswow64\cmd.exe' /c net start tacticalagent && ping 127.0.0.1 -n 2
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /F /IM tacticalrmm.exe
- '%WINDIR%\syswow64\net1.exe' stop tacticalrpc
- '%WINDIR%\syswow64\cmd.exe' /c net stop tacticalrpc
- '%WINDIR%\syswow64\net1.exe' stop checkrunner
- '%WINDIR%\syswow64\cmd.exe' /c net stop checkrunner
- '%WINDIR%\syswow64\net1.exe' stop tacticalagent
- '<SYSTEM32>\wbem\wmic.exe' SystemEnclosure get ChassisTypes
- '<SYSTEM32>\wbem\wmic.exe' ComputerSystem get PCSystemType /FORMAT:"<SYSTEM32>\wbem\en-US\csv"
