Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\dialersvc64
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\TOPSOCSR] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\TOPSOCSR] 'ImagePath' = '%ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe'
Creates the following services
- 'TOPSOCSR' %ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Injects code into
the following system processes:
- <SYSTEM32>\dllhost.exe
- <SYSTEM32>\dialer.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\dwm.exe
- <SYSTEM32>\wudfhost.exe
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\sihost.exe
- <SYSTEM32>\taskhostw.exe
- %WINDIR%\explorer.exe
- <SYSTEM32>\runtimebroker.exe
- <SYSTEM32>\securityhealthsystray.exe
- <SYSTEM32>\oobe\useroobebroker.exe
- <SYSTEM32>\sppextcomobj.exe
- <SYSTEM32>\sc.exe
- <SYSTEM32>\conhost.exe
- <SYSTEM32>\slui.exe
- <SYSTEM32>\powercfg.exe
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
the following user processes:
- iexplore.exe
- firefox.exe
- szlvtzbcbfby.exe
Hooks functions
in browsers
- iexplore.exe process, advapi32.dll module
- firefox.exe process, advapi32.dll module
Patches code
in dll
- dllhost.exe process, KERNEL32.dll module
- winlogon.exe process, pdh.dll module
- lsass.exe process, pdh.dll module
- svchost.exe process, pdh.dll module
- dwm.exe process, pdh.dll module
- wudfhost.exe process, pdh.dll module
- spoolsv.exe process, pdh.dll module
- sihost.exe process, pdh.dll module
- taskhostw.exe process, pdh.dll module
- runtimebroker.exe process, pdh.dll module
- runtimebroker.exe process, ADVAPI32.dll module
- securityhealthsystray.exe process, pdh.dll module
- iexplore.exe process, pdh.dll module
- firefox.exe process, pdh.dll module
- useroobebroker.exe process, pdh.dll module
- sc.exe process, pdh.dll module
- sc.exe process, SECHOST.dll module
- sc.exe process, ADVAPI32.dll module
- powercfg.exe process, pdh.dll module
- powercfg.exe process, SECHOST.dll module
- powercfg.exe process, ADVAPI32.dll module
- powershell.exe process, pdh.dll module
- powershell.exe process, SECHOST.dll module
- powershell.exe process, ADVAPI32.dll module
in AMSI dll
- powershell.exe process, Amsi.dll module
in NTDLL dll
- dllhost.exe process, ntdll.dll module
- sc.exe process, ntdll.dll module
- powercfg.exe process, ntdll.dll module
- powershell.exe process, ntdll.dll module
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
- <SYSTEM32>\dllhost.exe
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe
- %WINDIR%\temp\__psscriptpolicytest_cfnroexd.010.ps1
- %WINDIR%\temp\__psscriptpolicytest_xp1uggoo.aag.psm1
- %WINDIR%\temp\__psscriptpolicytest_p0yjy3fy.vx3.ps1
- %WINDIR%\temp\__psscriptpolicytest_rszbro35.vtj.psm1
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-18-322.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-18-538.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-18-638.dump
- %WINDIR%\temp\content\3340-5360-powershell.exe-17-05-18-638.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-18-794.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-18-825.dump
- %WINDIR%\temp\__psscriptpolicytest_uimzh44z.zab.ps1
- %WINDIR%\temp\__psscriptpolicytest_zecehtl1.zbx.psm1
- %WINDIR%\temp\content\3340-5360-powershell.exe-17-05-18-952.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-004.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-025.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-077.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-171.dump
- %WINDIR%\temp\content\3340-5360-powershell.exe-17-05-19-213.dump
- %WINDIR%\temp\content\3340-5360-powershell.exe-17-05-19-287.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-298.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-372.dump
- %WINDIR%\temp\content\3340-5360-powershell.exe-17-05-19-401.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-474.dump
- %WINDIR%\temp\content\3340-5360-powershell.exe-17-05-19-477.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-508.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-529.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-560.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-581.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-612.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-19-633.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-209.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-293.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-355.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-370.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-373.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-414.dump
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-438.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\content\5232-2012-powershell.exe-17-05-20-646.dump
- %WINDIR%\temp\srbznsqbrpmj.sys
- %WINDIR%\temp\__psscriptpolicytest_lkfpbswu.oj5.ps1
- %WINDIR%\temp\__psscriptpolicytest_nyg0ot30.5xd.psm1
- %WINDIR%\temp\content\2700-1864-powershell.exe-17-05-27-418.dump
- %WINDIR%\temp\content\2700-1864-powershell.exe-17-05-27-730.dump
- %WINDIR%\temp\content\2700-1864-powershell.exe-17-05-28-005.dump
- %WINDIR%\temp\content\2700-1864-powershell.exe-17-05-28-068.dump
- %WINDIR%\temp\content\2700-1864-powershell.exe-17-05-28-172.dump
- %WINDIR%\temp\content\2700-1864-powershell.exe-17-05-28-254.dump
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_cfnroexd.010.ps1
- %WINDIR%\temp\__psscriptpolicytest_xp1uggoo.aag.psm1
- %WINDIR%\temp\__psscriptpolicytest_p0yjy3fy.vx3.ps1
- %WINDIR%\temp\__psscriptpolicytest_rszbro35.vtj.psm1
- %WINDIR%\temp\__psscriptpolicytest_uimzh44z.zab.ps1
- %WINDIR%\temp\__psscriptpolicytest_zecehtl1.zbx.psm1
- <SYSTEM32>\tasks\dialersvc64
- %WINDIR%\temp\__psscriptpolicytest_lkfpbswu.oj5.ps1
- %WINDIR%\temp\__psscriptpolicytest_nyg0ot30.5xd.psm1
Network activity
UDP
- DNS ASK po##.#upportxmr.com
- DNS ASK 13#.###.thirdweb.com
- DNS ASK po####n.therpc.io
- DNS ASK po####n.drpc.org
Miscellaneous
Creates and executes the following
- '%ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\dialer.exe'
- '<SYSTEM32>\sc.exe' delete "TOPSOCSR"
- '<SYSTEM32>\sc.exe' create "TOPSOCSR" binpath= "%ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe" start= "auto"
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "TOPSOCSR"
- '<SYSTEM32>\cmd.exe' /c choice /C Y /N /D Y /T 3 & Del "<Full path to file>"
- '<SYSTEM32>\choice.exe' /C Y /N /D Y /T 3
- '<SYSTEM32>\dllhost.exe' /Processid:{2633e1a2-8835-4258-a26b-2c20b53740b6}
- '<SYSTEM32>\dllhost.exe' /Processid:{fa354775-68ac-45e2-a9f1-377cf3ae3a1e}
