Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im WindowsServiceHost.exe
- '<SYSTEM32>\taskkill.exe' /f /im RMM.Agent.Console.exe
- '<SYSTEM32>\taskkill.exe' /f /im "WindowsServiceHost.exe"
- '<SYSTEM32>\taskkill.exe' /f /im svcguard.exe
Modifies file system
Creates the following files
- <Current directory>\windowsservicehost.exe
- %TEMP%\rmm_agent_crash.log
- <Current directory>\.installed
- %TEMP%\rmm_update_cb5dd5b1d596489e937a1a98bd780cbf.zip
- %TEMP%\rmm_update_76b39ba836ac4a389bfba8682fb09caf\windowsservicehost.exe
- %TEMP%\rmm_update_76b39ba836ac4a389bfba8682fb09caf\rmm.agent.console.exe
- %TEMP%\rmm_update_76b39ba836ac4a389bfba8682fb09caf\appsettings.json
- %TEMP%\rmm_update_76b39ba836ac4a389bfba8682fb09caf\vcruntime140.dll
- <Current directory>\.updating
- %TEMP%\338aada06f664548b5c1215e2c68e69d.ps1
- %TEMP%\rmm_update_dcd698fe60234b34a494e89f62cad737.bat
- nul
- <Current directory>.rollback\.installed
- <Current directory>.rollback\.updating
- <Current directory>.rollback\<File name>.exe
- <Current directory>.rollback\windowsservicehost.exe
- <Current directory>\appsettings.json
- <Current directory>\rmm.agent.console.exe
- <Current directory>\vcruntime140.dll
- %TEMP%\rmm_update_7c148a0a105141bd97ff48cf126a9cf4.zip
- %TEMP%\rmm_update_b80c05b979944e3ca11edd63d433f13f\windowsservicehost.exe
- %TEMP%\rmm_update_b80c05b979944e3ca11edd63d433f13f\rmm.agent.console.exe
- %TEMP%\rmm_update_b80c05b979944e3ca11edd63d433f13f\appsettings.json
- %TEMP%\rmm_update_b80c05b979944e3ca11edd63d433f13f\vcruntime140.dll
- %TEMP%\083416292f564b298529b627f8bc2508.ps1
- %TEMP%\rmm_update_a7d761c952e0497b8ae879a8bf1e0b29.bat
- <Current directory>.rollback\appsettings.json
- <Current directory>.rollback\rmm.agent.console.exe
- <Current directory>.rollback\vcruntime140.dll
- %TEMP%\rmm_update_86fe41ff92b542f69bc31f0fa0d83d30.zip
- %TEMP%\rmm_update_837ea9b6ef84481aaf7ce5a97dbb3b0b\windowsservicehost.exe
- %TEMP%\rmm_update_837ea9b6ef84481aaf7ce5a97dbb3b0b\rmm.agent.console.exe
- %TEMP%\rmm_update_837ea9b6ef84481aaf7ce5a97dbb3b0b\appsettings.json
- %TEMP%\rmm_update_837ea9b6ef84481aaf7ce5a97dbb3b0b\vcruntime140.dll
- %TEMP%\bc2350d93e304a88bc36a025a174925d.ps1
- %TEMP%\rmm_update_b13068e75ea441fcb81dd19e0dabdea5.bat
- %TEMP%\rmm_update_7b86f857a9dd4d86b192f5fac77cdf6e.zip
- %TEMP%\rmm_update_8edbda8130a244269a21cde2cff5643d\windowsservicehost.exe
- %TEMP%\rmm_update_8edbda8130a244269a21cde2cff5643d\rmm.agent.console.exe
- %TEMP%\rmm_update_8edbda8130a244269a21cde2cff5643d\appsettings.json
- %TEMP%\rmm_update_8edbda8130a244269a21cde2cff5643d\vcruntime140.dll
- %TEMP%\e0829d15ce4143feaef92d639e087fd7.ps1
- %TEMP%\rmm_update_fc37780d89824882a858f7ab32becb70.bat
Deletes following files that it created itself
- %TEMP%\338aada06f664548b5c1215e2c68e69d.ps1
- %TEMP%\083416292f564b298529b627f8bc2508.ps1
- %TEMP%\bc2350d93e304a88bc36a025a174925d.ps1
- %TEMP%\e0829d15ce4143feaef92d639e087fd7.ps1
Network activity
Connects to
- 'x1.#.lencr.org':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
Other
- 'st####galaktika.com':443
- 'ap#.#pify.org':443
UDP
- DNS ASK st####galaktika.com
- DNS ASK x1.#.lencr.org
- DNS ASK ap#.#pify.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<Current directory>\windowsservicehost.exe' --silent --force
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\338aada06f664548b5c1215e2c68e69d.ps1"
- '<Current directory>\windowsservicehost.exe' --healthcheck
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\083416292f564b298529b627f8bc2508.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\bc2350d93e304a88bc36a025a174925d.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\e0829d15ce4143feaef92d639e087fd7.ps1"
Executes the following
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "<Current directory>\" /t REG_DWORD /d 0 /f
- '<SYSTEM32>\icacls.exe' <Current directory> /reset /T /C /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_dcd698fe60234b34a494e89f62cad737.bat"
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\sc.exe' failure "WindowsServiceHost" reset= 0 actions= ""/""/""
- '<SYSTEM32>\sc.exe' stop "WindowsServiceHost"
- '<SYSTEM32>\ping.exe' -n 3 127.0.0.1
- '<SYSTEM32>\ping.exe' -n 2 127.0.0.1
- '<SYSTEM32>\xcopy.exe' "<Current directory>\*" "<Current directory>.rollback\" /E /Y /Q
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_76b39ba836ac4a389bfba8682fb09caf\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\xcopy.exe' "<Current directory>.rollback\*" "<Current directory>\" /E /Y /Q
- '<SYSTEM32>\sc.exe' failure "WindowsServiceHost" reset= 86400 actions= restart/1000/restart/2000/restart/5000
- '<SYSTEM32>\sc.exe' failureflag "WindowsServiceHost" 1
- '<SYSTEM32>\sc.exe' start "WindowsServiceHost"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_a7d761c952e0497b8ae879a8bf1e0b29.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_b80c05b979944e3ca11edd63d433f13f\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_b13068e75ea441fcb81dd19e0dabdea5.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_837ea9b6ef84481aaf7ce5a97dbb3b0b\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_fc37780d89824882a858f7ab32becb70.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_8edbda8130a244269a21cde2cff5643d\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\2fe08380d96e4db6a7a8ed53002a408e.ps1"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_65610fd372c6458c9b8cac67051e6b0e.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_1b9e806509b54b21b91d43afd6139229\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_dcd698fe60234b34a494e89f62cad737.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_a7d761c952e0497b8ae879a8bf1e0b29.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_b13068e75ea441fcb81dd19e0dabdea5.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_fc37780d89824882a858f7ab32becb70.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_65610fd372c6458c9b8cac67051e6b0e.bat"' (with hidden window)
