PUA.Win32.Mesh.A

 Analysis by: Maria Emreen Viray

 PLATFORM:

Windows


  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

  TECHNICAL DETAILS

File Size:

4,348,224 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

04 Jan 2022

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Potentially Unwanted Application accepts the following parameters:

  • Valid MeshCentral actions:
    • Route - Map a local TCP port to a remote computer.
    • AmtConfig - Setup Intel AMT on this computer.
  • Valid local actions:
    • SMBios - Display System Management BIOS tables for this computer.
    • RawSMBios - Display RAW System Management BIOS tables for this computer.
    • MicroLMS - Run MicroLMS, allowing local access to Intel AMT.
    • AmtInfo - Show Intel AMT version and activation state.
    • AmtVersions - Show all Intel ME version information.
    • AmtHashes - Show all Intel AMT trusted activation hashes.
    • AmtCCM - Activate Intel AMT into Client Control Mode.
    • AmtDeactivate - Deactivate Intel AMT if activated in Client Control mode.
    • AmtAcmDeactivate - Deactivate Intel AMT if activated in Admin Control mode.
  • Valid local or remote actions:
    • MeshCommander - Launch a local MeshCommander web server.
    • AmtUUID - Show Intel AMT unique identifier.
    • AmtEventLog - Show the Intel AMT event log.
    • AmtAuditLog - Show the Intel AMT audit log.
    • AmtLoadWebApp - Load MeshCommander in Intel AMT 11.6+ firmware.
    • AmtClearWebApp - Clear everything from Intel AMT web storage.
    • AmtStorageState - Show contents of the Intel AMT web storage.
    • AmtSaveState - Save all Intel AMT WSMAN object to file.
    • AmtPresence - Heartbeat a local Intel AMT watchdog agent.
    • AmtPower - Perform remote Intel AMT power operation.
    • AmtIDER - Mount local disk image to remote computer.
    • AmtFeatures - Intel AMT features & user consent.
    • AmtNetwork - Intel AMT network interface settings.
    • AmtScan - Search local network for Intel AMT devices.
    • AmtWifi - Intel AMT Wifi interface settings.
    • AmtWake - Intel AMT Wake Alarms.

Help on a specific action using:

  • meshcmd help [action]

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

  SOLUTION

Minimum Scan Engine:

9.800

SSAPI PATTERN File:

2.477.00

SSAPI PATTERN Date:

06 Jan 2022

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as PUA.Win32.Mesh.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.