Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im WindowsServiceHost.exe
- '<SYSTEM32>\taskkill.exe' /f /im RMM.Agent.Console.exe
- '<SYSTEM32>\taskkill.exe' /f /im "WindowsServiceHost.exe"
- '<SYSTEM32>\taskkill.exe' /f /im svcguard.exe
Modifies file system
Creates the following files
- <Current directory>\windowsservicehost.exe
- %TEMP%\rmm_agent_crash.log
- <Current directory>\.installed
- %TEMP%\rmm_update_1fbb248bd6124dc7935c2fb09820b87e.zip
- %TEMP%\rmm_update_4a8f3b8734b44b0d9ce3b3d45b7d6474\windowsservicehost.exe
- %TEMP%\rmm_update_4a8f3b8734b44b0d9ce3b3d45b7d6474\rmm.agent.console.exe
- %TEMP%\rmm_update_4a8f3b8734b44b0d9ce3b3d45b7d6474\appsettings.json
- %TEMP%\rmm_update_4a8f3b8734b44b0d9ce3b3d45b7d6474\vcruntime140.dll
- <Current directory>\.updating
- %TEMP%\fbfddab71cf949dd8a32bca42ecf1ab9.ps1
- %TEMP%\rmm_update_82aa055a58e34e7da7870681e233eb55.bat
- nul
- <Current directory>.rollback\.installed
- <Current directory>.rollback\.updating
- <Current directory>.rollback\<File name>.exe
- <Current directory>.rollback\windowsservicehost.exe
- <Current directory>\appsettings.json
- <Current directory>\rmm.agent.console.exe
- <Current directory>\vcruntime140.dll
- %TEMP%\rmm_update_1515c1f6e57c441d97d0269061b9a3c1.zip
- %TEMP%\rmm_update_35850eac28f945709df78f4b0b3524b5\windowsservicehost.exe
- %TEMP%\rmm_update_35850eac28f945709df78f4b0b3524b5\rmm.agent.console.exe
- %TEMP%\rmm_update_35850eac28f945709df78f4b0b3524b5\appsettings.json
- %TEMP%\rmm_update_35850eac28f945709df78f4b0b3524b5\vcruntime140.dll
- %TEMP%\a8244d0cafcc44a2915b7f53b944dfcc.ps1
- %TEMP%\rmm_update_1217b387144f40c8a60a49f5565fd71e.bat
- <Current directory>.rollback\appsettings.json
- <Current directory>.rollback\rmm.agent.console.exe
- <Current directory>.rollback\vcruntime140.dll
- %TEMP%\rmm_update_4361d5d21e4640aaa3f160cf70b78106.zip
- %TEMP%\rmm_update_d5b681c6fd6645a7b733147d720ef94a\windowsservicehost.exe
- %TEMP%\rmm_update_d5b681c6fd6645a7b733147d720ef94a\rmm.agent.console.exe
- %TEMP%\rmm_update_d5b681c6fd6645a7b733147d720ef94a\appsettings.json
- %TEMP%\rmm_update_d5b681c6fd6645a7b733147d720ef94a\vcruntime140.dll
- %TEMP%\cc0d2e43054c4758a8625251156b5638.ps1
- %TEMP%\rmm_update_7e2c5192ceaa4a6cb0c608712f68294b.bat
- %TEMP%\rmm_update_c44698911a2e4353afafb001b7fb9fc7.zip
- %TEMP%\rmm_update_7a7cc789015740249867e40ecacdc724\windowsservicehost.exe
- %TEMP%\rmm_update_7a7cc789015740249867e40ecacdc724\rmm.agent.console.exe
- %TEMP%\rmm_update_7a7cc789015740249867e40ecacdc724\appsettings.json
- %TEMP%\rmm_update_7a7cc789015740249867e40ecacdc724\vcruntime140.dll
- %TEMP%\3756d04fd73b4555bd79ede7054a03bd.ps1
- %TEMP%\rmm_update_85a3f2e8bffa497396f910f0eeb6829e.bat
- %TEMP%\rmm_update_f527293e323d4d0497c5c09915a820d4.zip
- %TEMP%\rmm_update_61ac811a2f1c4f45bc866ec64da1d64d\windowsservicehost.exe
- %TEMP%\rmm_update_61ac811a2f1c4f45bc866ec64da1d64d\rmm.agent.console.exe
- %TEMP%\rmm_update_61ac811a2f1c4f45bc866ec64da1d64d\appsettings.json
- %TEMP%\rmm_update_61ac811a2f1c4f45bc866ec64da1d64d\vcruntime140.dll
- %TEMP%\7839f31563aa4210ad8bd3ea0f60a03b.ps1
- %TEMP%\rmm_update_9eecd459f3cf4f5fa93c427c757f5264.bat
Deletes following files that it created itself
- %TEMP%\fbfddab71cf949dd8a32bca42ecf1ab9.ps1
- %TEMP%\a8244d0cafcc44a2915b7f53b944dfcc.ps1
- %TEMP%\cc0d2e43054c4758a8625251156b5638.ps1
- %TEMP%\3756d04fd73b4555bd79ede7054a03bd.ps1
- %TEMP%\7839f31563aa4210ad8bd3ea0f60a03b.ps1
Network activity
Connects to
- 'x1.#.lencr.org':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
Other
- 'st####galaktika.com':443
- 'ap#.#pify.org':443
UDP
- DNS ASK st####galaktika.com
- DNS ASK x1.#.lencr.org
- DNS ASK ap#.#pify.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<Current directory>\windowsservicehost.exe' --silent --force
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\fbfddab71cf949dd8a32bca42ecf1ab9.ps1"
- '<Current directory>\windowsservicehost.exe' --healthcheck
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\a8244d0cafcc44a2915b7f53b944dfcc.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\cc0d2e43054c4758a8625251156b5638.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\3756d04fd73b4555bd79ede7054a03bd.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\7839f31563aa4210ad8bd3ea0f60a03b.ps1"
Executes the following
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "<Current directory>\" /t REG_DWORD /d 0 /f
- '<SYSTEM32>\icacls.exe' <Current directory> /reset /T /C /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_82aa055a58e34e7da7870681e233eb55.bat"
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\sc.exe' failure "WindowsServiceHost" reset= 0 actions= ""/""/""
- '<SYSTEM32>\sc.exe' stop "WindowsServiceHost"
- '<SYSTEM32>\ping.exe' -n 3 127.0.0.1
- '<SYSTEM32>\ping.exe' -n 2 127.0.0.1
- '<SYSTEM32>\xcopy.exe' "<Current directory>\*" "<Current directory>.rollback\" /E /Y /Q
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_4a8f3b8734b44b0d9ce3b3d45b7d6474\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\xcopy.exe' "<Current directory>.rollback\*" "<Current directory>\" /E /Y /Q
- '<SYSTEM32>\sc.exe' failure "WindowsServiceHost" reset= 86400 actions= restart/1000/restart/2000/restart/5000
- '<SYSTEM32>\sc.exe' failureflag "WindowsServiceHost" 1
- '<SYSTEM32>\sc.exe' start "WindowsServiceHost"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_1217b387144f40c8a60a49f5565fd71e.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_35850eac28f945709df78f4b0b3524b5\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_7e2c5192ceaa4a6cb0c608712f68294b.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_d5b681c6fd6645a7b733147d720ef94a\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_85a3f2e8bffa497396f910f0eeb6829e.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_7a7cc789015740249867e40ecacdc724\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_9eecd459f3cf4f5fa93c427c757f5264.bat"
- '<SYSTEM32>\xcopy.exe' "%TEMP%\rmm_update_61ac811a2f1c4f45bc866ec64da1d64d\*" "<Current directory>" /E /Y /Q
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -WindowStyle Hidden -File "%TEMP%\7b3d029e0ce4428fa433abe5120e6c6c.ps1"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_93344f7330dd471a8f79cc5d031b0875.bat"
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_82aa055a58e34e7da7870681e233eb55.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_1217b387144f40c8a60a49f5565fd71e.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_7e2c5192ceaa4a6cb0c608712f68294b.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_85a3f2e8bffa497396f910f0eeb6829e.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_9eecd459f3cf4f5fa93c427c757f5264.bat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\rmm_update_93344f7330dd471a8f79cc5d031b0875.bat"' (with hidden window)
