Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im WindowsServiceHost.exe
- '<SYSTEM32>\taskkill.exe' /f /im RMM.Agent.Console.exe
- '<SYSTEM32>\taskkill.exe' /f /im "WindowsServiceHost.exe"
- '<SYSTEM32>\taskkill.exe' /f /im svcguard.exe
Modifies file system
Creates the following files
- <Current directory>\windowsservicehost.exe
- %TEMP%\rmm_agent_crash.log
- <Current directory>\.installed
- %TEMP%\rmm_update_ddc3fef855db4cb190c19f4f8a81ed9a.zip
- %TEMP%\rmm_update_2fa878f033544fee87f2c90c4bd3f1dd\windowsservicehost.exe
- %TEMP%\rmm_update_2fa878f033544fee87f2c90c4bd3f1dd\rmm.agent.console.exe
- %TEMP%\rmm_update_2fa878f033544fee87f2c90c4bd3f1dd\appsettings.json
- %TEMP%\rmm_update_2fa878f033544fee87f2c90c4bd3f1dd\vcruntime140.dll
- <Current directory>\.updating
- %TEMP%\6864b95102354f789798a4aa008741c6.ps1
- %TEMP%\rmm_update_d79f90b24c9e4841865070545c87c733.bat
- nul
- <Current directory>.rollback\.installed
- <Current directory>.rollback\.updating
- <Current directory>.rollback\<File name>.exe
- <Current directory>.rollback\windowsservicehost.exe
- <Current directory>\appsettings.json
- <Current directory>\rmm.agent.console.exe
- <Current directory>\vcruntime140.dll
- %TEMP%\rmm_update_8d7b54380a9343f0bd2da66641111bb4.zip
- %TEMP%\rmm_update_bb6129be9e2146428425b3863aa68e25\windowsservicehost.exe
- %TEMP%\rmm_update_bb6129be9e2146428425b3863aa68e25\rmm.agent.console.exe
- %TEMP%\rmm_update_bb6129be9e2146428425b3863aa68e25\appsettings.json
- %TEMP%\rmm_update_bb6129be9e2146428425b3863aa68e25\vcruntime140.dll
- %TEMP%\5bab032a325640e4b3f1e02d2235646d.ps1
- %TEMP%\rmm_update_2ec2e659a5244b179c00605ad1563459.bat
- <Current directory>.rollback\appsettings.json
- <Current directory>.rollback\rmm.agent.console.exe
- <Current directory>.rollback\vcruntime140.dll
- %TEMP%\rmm_update_3e377efff9d14664b2dd4a6ab7baff98.zip
- %TEMP%\rmm_update_9cac530d2d6e44829c5e5d4d5e6f73dd\windowsservicehost.exe
- %TEMP%\rmm_update_9cac530d2d6e44829c5e5d4d5e6f73dd\rmm.agent.console.exe
- %TEMP%\rmm_update_9cac530d2d6e44829c5e5d4d5e6f73dd\appsettings.json
- %TEMP%\rmm_update_9cac530d2d6e44829c5e5d4d5e6f73dd\vcruntime140.dll
- %TEMP%\004a943f612a48cdb13a16e808304f79.ps1
- %TEMP%\rmm_update_0e63a04380b84945951b575f42fe7abf.bat
- %TEMP%\rmm_update_64f1d6dcc1ad4973b4fd845920494d31.zip
- %TEMP%\rmm_update_66ed86f0cdb441dca8f254147a234951\windowsservicehost.exe
- %TEMP%\rmm_update_66ed86f0cdb441dca8f254147a234951\rmm.agent.console.exe
- %TEMP%\rmm_update_66ed86f0cdb441dca8f254147a234951\appsettings.json
- %TEMP%\rmm_update_66ed86f0cdb441dca8f254147a234951\vcruntime140.dll
- %TEMP%\8569b19d060c44a79ba0db9ca57d4bd2.ps1
- %TEMP%\rmm_update_8b252c9ec5c942059f2c6990c5f6294b.bat
Deletes following files that it created itself
- %TEMP%\6864b95102354f789798a4aa008741c6.ps1
- %TEMP%\5bab032a325640e4b3f1e02d2235646d.ps1
- %TEMP%\004a943f612a48cdb13a16e808304f79.ps1
- %TEMP%\8569b19d060c44a79ba0db9ca57d4bd2.ps1
Network activity
Connects to
- 'x1.#.lencr.org':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
Other
- 'st####galaktika.com':443
- 'ap#.#pify.org':443
UDP
- DNS ASK st####galaktika.com
- DNS ASK x1.#.lencr.org
- DNS ASK ap#.#pify.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<Current directory>\windowsservicehost.exe' --silent --force
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\6864b95102354f789798a4aa008741c6.ps1"
- '<Current directory>\windowsservicehost.exe' --healthcheck
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\5bab032a325640e4b3f1e02d2235646d.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\004a943f612a48cdb13a16e808304f79.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\8569b19d060c44a79ba0db9ca57d4bd2.ps1"
Executes the following
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "<Current directory>\" /t REG_DWORD /d 0 /f
- '<SYSTEM32>\icacls.exe' <Current directory> /reset /T /C /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_d79f90b24c9e4841865070545c87c733.bat"
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\sc.exe' failure "WindowsServiceHost" reset= 0 actions= ""/""/""
- '<SYSTEM32>\sc.exe' stop "WindowsServiceHost"
- '<SYSTEM32>\ping.exe' -n 3 127.0.0.1
- '<SYSTEM32>\ping.exe' -n 2 127.0.0.1
- '<SYSTEM32>\xcopy.exe' "<Current directory>\*" "<Current directory>.rollback\" /E /Y /Q
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_2fa878f033544fee87f2c90c4bd3f1dd\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\xcopy.exe' "<Current directory>.rollback\*" "<Current directory>\" /E /Y /Q
- '<SYSTEM32>\sc.exe' failure "WindowsServiceHost" reset= 86400 actions= restart/1000/restart/2000/restart/5000
- '<SYSTEM32>\sc.exe' failureflag "WindowsServiceHost" 1
- '<SYSTEM32>\sc.exe' start "WindowsServiceHost"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_2ec2e659a5244b179c00605ad1563459.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_bb6129be9e2146428425b3863aa68e25\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_0e63a04380b84945951b575f42fe7abf.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_9cac530d2d6e44829c5e5d4d5e6f73dd\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_8b252c9ec5c942059f2c6990c5f6294b.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_66ed86f0cdb441dca8f254147a234951\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\449a1c54c3544a83a88ffa9311be1859.ps1"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_941c47cddda847ada5f5e68d69c69ad2.bat"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_d79f90b24c9e4841865070545c87c733.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_2ec2e659a5244b179c00605ad1563459.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_0e63a04380b84945951b575f42fe7abf.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_8b252c9ec5c942059f2c6990c5f6294b.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_941c47cddda847ada5f5e68d69c69ad2.bat"' (with hidden window)
