Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\dialersvc64
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\TOPSOCSR] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\TOPSOCSR] 'ImagePath' = '%ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe'
Creates the following services
- 'TOPSOCSR' %ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Injects code into
the following system processes:
- <SYSTEM32>\dllhost.exe
- <SYSTEM32>\dialer.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\dwm.exe
- <SYSTEM32>\wudfhost.exe
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\sihost.exe
- <SYSTEM32>\taskhostw.exe
- %WINDIR%\explorer.exe
- <SYSTEM32>\runtimebroker.exe
- <SYSTEM32>\securityhealthsystray.exe
- <SYSTEM32>\oobe\useroobebroker.exe
- <SYSTEM32>\sppextcomobj.exe
- <SYSTEM32>\sc.exe
- <SYSTEM32>\conhost.exe
- <SYSTEM32>\slui.exe
- <SYSTEM32>\powercfg.exe
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
- <SYSTEM32>\werfault.exe
the following user processes:
- iexplore.exe
- firefox.exe
- szlvtzbcbfby.exe
Patches code
in dll
- dllhost.exe process, KERNEL32.dll module
- winlogon.exe process, pdh.dll module
- lsass.exe process, pdh.dll module
- svchost.exe process, pdh.dll module
- dwm.exe process, pdh.dll module
- wudfhost.exe process, pdh.dll module
- spoolsv.exe process, pdh.dll module
- sihost.exe process, pdh.dll module
- taskhostw.exe process, pdh.dll module
- runtimebroker.exe process, pdh.dll module
- runtimebroker.exe process, ADVAPI32.dll module
- securityhealthsystray.exe process, pdh.dll module
- iexplore.exe process, pdh.dll module
- firefox.exe process, pdh.dll module
- useroobebroker.exe process, pdh.dll module
- sc.exe process, pdh.dll module
- sc.exe process, SECHOST.dll module
- sc.exe process, ADVAPI32.dll module
- powercfg.exe process, pdh.dll module
- powercfg.exe process, SECHOST.dll module
- powercfg.exe process, ADVAPI32.dll module
- powershell.exe process, pdh.dll module
- powershell.exe process, SECHOST.dll module
- powershell.exe process, ADVAPI32.dll module
- werfault.exe process, pdh.dll module
- werfault.exe process, SECHOST.dll module
- werfault.exe process, ADVAPI32.dll module
in AMSI dll
- powershell.exe process, Amsi.dll module
in NTDLL dll
- dllhost.exe process, ntdll.dll module
- sc.exe process, ntdll.dll module
- powercfg.exe process, ntdll.dll module
- powershell.exe process, ntdll.dll module
- werfault.exe process, ntdll.dll module
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe
- %WINDIR%\temp\__psscriptpolicytest_ie1q0ewj.z0p.ps1
- %WINDIR%\temp\__psscriptpolicytest_0wj1olzd.rw0.psm1
- %WINDIR%\temp\__psscriptpolicytest_3k1zu4r4.u4x.ps1
- %WINDIR%\temp\__psscriptpolicytest_rkugbzth.qcl.psm1
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-29-720.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-29-985.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-100.dump
- %WINDIR%\temp\content\2192-1040-powershell.exe-06-10-30-143.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-303.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-334.dump
- %WINDIR%\temp\__psscriptpolicytest_vg01jo2y.dnf.ps1
- %WINDIR%\temp\__psscriptpolicytest_ckudzk2m.l2h.psm1
- %WINDIR%\temp\content\2192-1040-powershell.exe-06-10-30-485.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-518.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-540.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-582.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-674.dump
- %WINDIR%\temp\content\2192-1040-powershell.exe-06-10-30-730.dump
- %WINDIR%\temp\content\2192-1040-powershell.exe-06-10-30-783.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-794.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-876.dump
- %WINDIR%\temp\content\2192-1040-powershell.exe-06-10-30-931.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-30-976.dump
- %WINDIR%\temp\content\2192-1040-powershell.exe-06-10-30-997.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-008.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-029.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-062.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-083.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-104.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-133.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-571.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-649.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-735.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-750.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-839.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-31-885.dump
- %WINDIR%\temp\content\1356-4356-powershell.exe-06-10-32-114.dump
- %WINDIR%\temp\drgctzskopyy.sys
- %WINDIR%\temp\__psscriptpolicytest_phnxbieq.zpo.ps1
- %WINDIR%\temp\__psscriptpolicytest_nknqvaas.5z3.psm1
- %WINDIR%\temp\content\4620-3216-powershell.exe-06-10-39-063.dump
- %WINDIR%\temp\content\4620-3216-powershell.exe-06-10-39-730.dump
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_ie1q0ewj.z0p.ps1
- %WINDIR%\temp\__psscriptpolicytest_0wj1olzd.rw0.psm1
- %WINDIR%\temp\__psscriptpolicytest_3k1zu4r4.u4x.ps1
- %WINDIR%\temp\__psscriptpolicytest_rkugbzth.qcl.psm1
- %WINDIR%\temp\__psscriptpolicytest_vg01jo2y.dnf.ps1
- %WINDIR%\temp\__psscriptpolicytest_ckudzk2m.l2h.psm1
- <SYSTEM32>\tasks\dialersvc64
- %WINDIR%\temp\__psscriptpolicytest_phnxbieq.zpo.ps1
- %WINDIR%\temp\__psscriptpolicytest_nknqvaas.5z3.psm1
Network activity
Connects to
- 'po##.#upportxmr.com':9000
- 'en#####ts.omniatech.io':443
TCP
Other
- 'en#####ts.omniatech.io':443
- 'po##.#upportxmr.com':9000
UDP
- DNS ASK po##.#upportxmr.com
- DNS ASK en#####ts.omniatech.io
Miscellaneous
Creates and executes the following
- '%ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\dialer.exe'
- '<SYSTEM32>\sc.exe' delete "TOPSOCSR"
- '<SYSTEM32>\sc.exe' create "TOPSOCSR" binpath= "%ALLUSERSPROFILE%\rcmeotmtrtmm\szlvtzbcbfby.exe" start= "auto"
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "TOPSOCSR"
- '<SYSTEM32>\cmd.exe' /c choice /C Y /N /D Y /T 3 & Del "<Full path to file>"
- '<SYSTEM32>\choice.exe' /C Y /N /D Y /T 3
- '<SYSTEM32>\dllhost.exe' /Processid:{048b4c1d-d01c-4c9f-a380-3c0e168ea259}
