f28711542218b72a926ac9490ad33798b52a9f7789c53c995c06d7fd3025a445

General

Target

ERoot_1.3.1.exe
Size

11.4MB
MD5

474d78c12ea1cb232c6d7339cd9cd5d5
SHA1

5f4c6f5b379d741b5b163fed13e2a777673d2c1c
SHA256

9e14655f9acb4320817782b7a31f88f0ff7ee593e05cbbb9f1e88ffda4ce6641
SHA512

76206cb275deb643b69c9858bcee5c8b065f811c5e72e968fbb614bece502b76571471dcfb0bc53248dc9bc5b33544cb8f768ee763ca2652826c701cc06c73d4
SSDEEP

196608:23XqLoZar5u3DKhTwlZeGCRaGCRlIuTmEOutLSI7RPyuhUnVhtjbxqtzK5Aiz8bX:2Hc+aFCDoTEMBQBbIuTHlvotOgAiIbvH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2900	bec.exe
2920	bec.exe

Loads dropped DLL 6 IoCs

pid	Process
2764	ERoot_1.3.1.exe
2764	ERoot_1.3.1.exe
2900	bec.exe
2900	bec.exe
2920	bec.exe
2920	bec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ERoot_1.3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2764	ERoot_1.3.1.exe
2764	ERoot_1.3.1.exe
2920	bec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2900	2764	ERoot_1.3.1.exe	30
PID 2764 wrote to memory of 2900	2764	ERoot_1.3.1.exe	30
PID 2764 wrote to memory of 2900	2764	ERoot_1.3.1.exe	30
PID 2764 wrote to memory of 2900	2764	ERoot_1.3.1.exe	30
PID 2900 wrote to memory of 2920	2900	bec.exe	32
PID 2900 wrote to memory of 2920	2900	bec.exe	32
PID 2900 wrote to memory of 2920	2900	bec.exe	32
PID 2900 wrote to memory of 2920	2900	bec.exe	32

C:\Users\Admin\AppData\Local\Temp\ERoot_1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\ERoot_1.3.1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\bec.exe
  start-server
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\bec.exe
    adb fork-server server
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\AdbWinApi.DLL

Filesize
94KB

MD5
47a6ee3f186b2c2f5057028906bac0c6

SHA1
fde9c22a2cfcd5e566cec2e987d942b78a4eeae8

SHA256
14a51482aa003db79a400f4b15c158397fe6d57ee6606b3d633fa431a7bfdf4b

SHA512
6a2675de0c445c75f7d5664ebe8f0e2f69c3312c50156161e483927e40235140d5e28e340112ac552d6462366143890a8ce32dbf65bd37e27cb1ea290fe14584

Download Submit
C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\AdbWinUsbApi.dll

Filesize
59KB

MD5
5f23f2f936bdfac90bb0a4970ad365cf

SHA1
12e14244b1a5d04a261759547c3d930547f52fa3

SHA256
041c6859bb4fc78d3a903dd901298cd1ecfb75b6be0646b74954cd722280a407

SHA512
49a7769d5e6cb2fda9249039d90465f7a4e612805bba48b7036456a3bbd230e4d13da72e4ade5155ddc08fe460735ec8d6df3bb11b72ff28e1149221e2fc3048

Download Submit
C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\bec.exe

Filesize
1.2MB

MD5
996228fd22c2b03190a4e4c38a1efb5e

SHA1
ab8fab4fb5c0980c76490856ad044a5b7bff81a1

SHA256
575b1a26244c0762af689b5b55f3812f1293806364092962368cd5b581627c8f

SHA512
e57f94dbaa443aca0feddc7b7db565ef23b3d9180cf00d893c7d8b4390446f6fc087de03b2ca7178077d7d90182a5e07ef5ab923d07fd5b4a0086e3c821f2585

Download Submit
memory/2900-144-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-151-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-154-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-149-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-150-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-145-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-152-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-153-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-146-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-155-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-156-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-157-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-158-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-159-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2920-160-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing