File name:	2025-03-24_4ef3b4c519ca0a24f26ba640a9f24ae7_coinminer_ismagent_ryuk_sliver
Full analysis:	https://app.any.run/tasks/72d97f27-fcd2-429a-ac75-46c035d62073
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 15:42:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	meshagent rmm-tool websocket
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	4EF3B4C519CA0A24F26BA640A9F24AE7
SHA1:	8A6254CA32AF1E187B5ABB3BB856CB8280659DC2
SHA256:	83F07790FA75755362D8BD23F6774F83B9CA5FBADC5944777271F43B9D4DFCE3
SSDEEP:	98304:7/NkRdEtqLdOvOSWHO2mSxzbOep2irTPj5:R+dJ5

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2022:12:09 20:12:49+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	2122240
InitializedDataSize:	1475072
UninitializedDataSize:	-
EntryPoint:	0x1d9d8c
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	MeshCentral Background Service Agent
FileVersion:	2022-Dec-2 11:42:16-0800
LegalCopyright:	Apache 2.0 License
ProductName:	MeshCentral Agent
ProductVersion:	Commit: 2022-Dec-2 11:42:16-0800


(PID) Process:	(7760) 2025-03-24_4ef3b4c519ca0a24f26ba640a9f24ae7_coinminer_ismagent_ryuk_sliver.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation:	write	Name:	ImagePath
Value: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry
Operation:	write	Name:	TraceTimeLast
Value: E749CF70D39CDB01
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\MeshAgent2
Operation:	write	Name:	KeyStore
Value: Microsoft Software Key Storage Provider
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent
Operation:	write	Name:	NodeId
Value: D4bUt2dRlVI9ottPWwe8PrOZx7cj@LUSTzUMCRTuoFk5SlkcgjUNXg2CknF0qtQE
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent
Operation:	write	Name:	AgentHash
Value: AD262CB981431433AB750285F81DB1A6F2A5F7A5663217903039840607C593697A82D8E07654D409A7A0EBFDABF30985
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent
Operation:	write	Name:	MeshId
Value: fAAdDUdgJ@wT8EydDFT02VHSogvEei0RDqLzvKIqqZL@xcw4$1P2UXhc95gJkfcP
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent
Operation:	write	Name:	CommitDate
Value: 2022-Dec-2 11:42:16-0800
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent
Operation:	write	Name:	MeshServerUrl
Value: wss://meshcentral.mines-ales.fr:443/agent.ashx
(PID) Process:	(7884) MeshAgent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent
Operation:	write	Name:	MeshServerId
Value: 175C41AA52F8FD7A243FB1660CF1C07133842DE99A41F32D894277478AADD03C3DBB81E76DB68494689B9143632C83C7
(PID) Process:	(7760) 2025-03-24_4ef3b4c519ca0a24f26ba640a9f24ae7_coinminer_ismagent_ryuk_sliver.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation:	write	Name:	_InstalledBy
Value: S-1-5-21-1693682860-607145093-2874071422-1001

PID	Process	Filename		Type
7884	MeshAgent.exe	C:\Program Files\Mesh Agent\MeshAgent.msh		text
		MD5:DB6AADA123AED563C9CD8910C9D6F732	SHA256:941A1DCA43A4B261723534FCE64337EE27015F2E808CCD93DE70606D91905050
7760	2025-03-24_4ef3b4c519ca0a24f26ba640a9f24ae7_coinminer_ismagent_ryuk_sliver.exe	C:\Program Files\Mesh Agent\MeshAgent.exe		executable
		MD5:4EF3B4C519CA0A24F26BA640A9F24AE7	SHA256:83F07790FA75755362D8BD23F6774F83B9CA5FBADC5944777271F43B9D4DFCE3
7884	MeshAgent.exe	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C00A616A158E8363A34A53C5E0DACBE5F19732FC		binary
		MD5:902AB88791B57F6312719935E28FA371	SHA256:86451B76EEF00316459124EC9CCD1695D6ECEB3FA3EE58826A31E951449F35A0
7884	MeshAgent.exe	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\56D161BCD19F16A908C7F9FF48078F874B3CAAC5		binary
		MD5:97432800A20044D0C03ADAD1DA86A07C	SHA256:48E84F2EE1049E1E999FB7123C9AA63B19812B2DFC0BC70603D8CB2121BA570B
7884	MeshAgent.exe	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\A8D02D728D3B1C54CE240D1A60E1F74D7FB4B36F		binary
		MD5:BA21BF4E824D14AF177DBB0BA27F2ABA	SHA256:D36EC6909FB3BFB9E361BF645A579412FE460E80350EA43830C868E51EECC679
7884	MeshAgent.exe	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\CC016094FDD174E0890DA30C2ABFD83218A49412		binary
		MD5:1C29E5E9B9DD3E0156BEBF44B4FA0F6D	SHA256:D4F87A47FAC6990535BBBD15B55575526FB6A3EEA6671EB2CACBBC8CAE89F7D1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7884	MeshAgent.exe	159.31.19.48:443	meshcentral.mines-ales.fr	Renater	FR	whitelisted
6972	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6584	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	142.250.185.142	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
meshcentral.mines-ales.fr	159.31.19.48	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request

General Info

2025-03-24_4ef3b4c519ca0a24f26ba640a9f24ae7_coinminer_ismagent_ryuk_sliver

4EF3B4C519CA0A24F26BA640A9F24AE7

8A6254CA32AF1E187B5ABB3BB856CB8280659DC2

83F07790FA75755362D8BD23F6774F83B9CA5FBADC5944777271F43B9D4DFCE3

98304:7/NkRdEtqLdOvOSWHO2mSxzbOep2irTPj5:R+dJ5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Uses WMIC.EXE to obtain operating system information

Reads security settings of Internet Explorer

Application launched itself

Reads the date of Windows installation

Executable content was dropped or overwritten

Executes as Windows Service

Creates or modifies Windows services

Creates a software uninstall entry

There is functionality for taking screenshot (YARA)

MeshAgent potential remote access (YARA)

INFO

Reads the computer name

Reads the machine GUID from the registry

The sample compiled with english language support

Checks supported languages

Reads security settings of Internet Explorer

Process checks computer location settings

Creates files in the program directory

MESHAGENT has been detected

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings