93bc00efa83d62565ddff22e70a79adb834af2208ef03481947d75ebc801b892

Analysis

max time kernel
150s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Era.exe
Size

150.3MB
MD5

67bf9a932df8304336f6e09ee7bdc976
SHA1

dcf56279a51006ac457c36fd4f21a163197e6fde
SHA256

faa8c077c6670d2e190fdf5fe3109ebda48c776d0acbd931ab6e2950525a8c43
SHA512

839510ab65f8f90ba62b973173bdf1626d2e9a9582c6d1de73d310672bc3db1d95f024902b5e0369ae3e06f6c1d1f3357f6a7b9906fe19eedd5729d87353abad
SSDEEP

1572864:3oooF3VfXbsePcAR+emDcoIABdUCJZwbsuDu9p+gJqf/H+q0CwpMd1zowkfbODaT:QVwwoMCYoPVma

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2236	Era.exe
2236	Era.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Era.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Era.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Era.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Era.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Era.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Era.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Era.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\era	Era.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\era\URL Protocol	Era.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\era\ = "URL:era"	Era.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\era\shell\open\command	Era.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\era\shell	Era.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\era\shell\open	Era.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\era\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Era.exe\" \"%1\""	Era.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Era.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Era.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Era.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Era.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Era.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Era.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2236	Era.exe
2236	Era.exe
4368	Era.exe
4368	Era.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe
Token: SeShutdownPrivilege	2236	Era.exe
Token: SeCreatePagefilePrivilege	2236	Era.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2488	2236	Era.exe	78
PID 2236 wrote to memory of 2488	2236	Era.exe	78
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 2856	2236	Era.exe	80
PID 2236 wrote to memory of 4568	2236	Era.exe	81
PID 2236 wrote to memory of 4568	2236	Era.exe	81
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82
PID 2236 wrote to memory of 4808	2236	Era.exe	82

C:\Users\Admin\AppData\Local\Temp\Era.exe
"C:\Users\Admin\AppData\Local\Temp\Era.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\binaries\FortniteLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\binaries\FortniteLauncher.exe
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\Era.exe
  "C:\Users\Admin\AppData\Local\Temp\Era.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Era" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1728,i,3474468766660781008,7296920109073893338,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\Era.exe
  "C:\Users\Admin\AppData\Local\Temp\Era.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Era" --mojo-platform-channel-handle=1836 --field-trial-handle=1728,i,3474468766660781008,7296920109073893338,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\Era.exe
  "C:\Users\Admin\AppData\Local\Temp\Era.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Era" --app-user-model-id="Project Era" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2352 --field-trial-handle=1728,i,3474468766660781008,7296920109073893338,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg query "HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64" /v "Installed""
  2⤵
  PID:3876
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64" /v "Installed"
    3⤵
    PID:984
- C:\Users\Admin\AppData\Local\Temp\Era.exe
  "C:\Users\Admin\AppData\Local\Temp\Era.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\Era" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4152 --field-trial-handle=1728,i,3474468766660781008,7296920109073893338,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6c294ed9-0bf5-47b1-bb0f-99898aa1b9f9.tmp.node

Filesize
2.1MB

MD5
93c18445ea59474f96fc8b7c4b9004f6

SHA1
1fb6f10080ab3efe0371b6c1d716d05c64380ac2

SHA256
47be01d4abe6ad07748aeb9909b5c44749dab6912b3fcbd31b643f5eadd8155d

SHA512
a51d98eebe57422ecf35ab5a3f394169de03162710aa9e28d25b4b49c7c83b56c10de0653e5268c6b23fbbdbadb5e4e883d76e6f3e77988f0b425076a3dead38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca789d7f-10ad-4b68-ab70-f598206c4808.tmp.node

Filesize
261KB

MD5
0e722fcb4bfd093b7ac4be9a64ddc814

SHA1
71483f150d2524b1432f1c2213651194e5976122

SHA256
30cc2da146f0d67386bc8a8a6074055bcdb31b8370784a2b559f847d44cbfca5

SHA512
047b8ef568bfe6c1e6557e7f208be0fe81dff9cdf792d77fbb375bce24c9c15a1167414f79e09a92ef24811a277a516f092bd4d2939e505474725753da638b87

Download Submit
C:\Users\Admin\AppData\Roaming\Era\Network\Network Persistent State

Filesize
874B

MD5
5e0554e6b8835826d7e9d57a5a7e5240

SHA1
3b48ce3d92aab97f23e03f236422eb71ddd1f867

SHA256
039ee863dda88aeaaca1c89c63c14873ebd40e31f60656134655841ec7661de3

SHA512
8d11e7325a57ba2beeb44e182f8eab1709187437a170240d1a01383910b77c26561f4ae3f5624287da4c0758d2147ce4114729330c66b8ab8a61e55468e9e358

Download Submit
C:\Users\Admin\AppData\Roaming\Era\Network\Network Persistent State~RFe5899e9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Era\Network\TransportSecurity

Filesize
371B

MD5
65aa7fd0f43dc1c4ec4c310c175180f3

SHA1
31bdf2b2d508eea9fceb7751bae910fe439cfa7c

SHA256
77666263eee3c3f4b9008c91b0ba569a55864484cc2a313f91efb3d8be533649

SHA512
2de244fa8f0c434c07156f1a824510bc974a6ee22d1cb4debcd9701743c0c6aac1a61efd6ecce1c9b085b08f1cb004be968344336f69ea88198d8254ca4d9c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Era\Network\TransportSecurity~RFe57ef71.TMP

Filesize
371B

MD5
771a92ad6af7521ec6d7cac5b6cdeef7

SHA1
7c1dde26583269060776ee73e01d05743aff8637

SHA256
ac8ece15eb6b7fda95cc20e66d8ac68815fef697f29dfdf87aaac9c994b0749c

SHA512
a00c443a9868d35dd6c54e36a6496bececf717e6365ee450412753560ff49b38af02bb2fa528922ac64e3b5040c8ff0e624f3536d2ddf6b7402db21d8535883c

Download Submit
C:\Users\Admin\AppData\Roaming\Era\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2488-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2856-15-0x00007FFD6E9C0000-0x00007FFD6E9C1000-memory.dmp

Filesize
4KB

Download
memory/2856-80-0x0000021912F00000-0x0000021912F6F000-memory.dmp

Filesize
444KB

Download
memory/4368-140-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-132-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-133-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-134-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-138-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-139-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-142-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-144-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-145-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4368-147-0x000002C9CCEB0000-0x000002C9CCEB1000-memory.dmp

Filesize
4KB

Download
memory/4808-59-0x00007FFD6FC30000-0x00007FFD6FC31000-memory.dmp

Filesize
4KB

Download
memory/4808-81-0x000001CC14530000-0x000001CC1459F000-memory.dmp

Filesize
444KB

Download
memory/4808-60-0x00007FFD6F0B0000-0x00007FFD6F0B1000-memory.dmp

Filesize
4KB

Download