f28711542218b72a926ac9490ad33798b52a9f7789c53c995c06d7fd3025a445

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eroot 1.3.3.exe
Size

11.3MB
MD5

98757beed2c6ac95c2f4f67ae81e3067
SHA1

cc0578ec720aafc2ba36ee6feaffec5015c06126
SHA256

c3234bd1e72a0aef682074076090a03fb8cd8b845d6bcc09408412fa5ddf5a2c
SHA512

dc5f4ea035b53c9e7185fb1fdfd292266005b9997a6e937665158e94577c4813b6d9caba7d401e7b41534cb2a963c39efe43c7f51204a58bc75b37bfd9238a2d
SSDEEP

196608:a3YqLoZLK5V3DMSZPGCRZGCR/5uTRWfutLSI7RPyuzynnh71b9AtbAHAih2zB95j:aIc+LOVDD9BPBl5uTplve5wIAiQzxZm6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4960	bec.exe
1468	bec.exe

Loads dropped DLL 4 IoCs

pid	Process
4960	bec.exe
4960	bec.exe
1468	bec.exe
1468	bec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eroot 1.3.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1348	Eroot 1.3.3.exe
1348	Eroot 1.3.3.exe
1468	bec.exe
1468	bec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 4960	1348	Eroot 1.3.3.exe	82
PID 1348 wrote to memory of 4960	1348	Eroot 1.3.3.exe	82
PID 1348 wrote to memory of 4960	1348	Eroot 1.3.3.exe	82
PID 4960 wrote to memory of 1468	4960	bec.exe	84
PID 4960 wrote to memory of 1468	4960	bec.exe	84
PID 4960 wrote to memory of 1468	4960	bec.exe	84

C:\Users\Admin\AppData\Local\Temp\Eroot 1.3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Eroot 1.3.3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\bec.exe
  start-server
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\bec.exe
    adb fork-server server
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\AdbWinApi.DLL

Filesize
94KB

MD5
47a6ee3f186b2c2f5057028906bac0c6

SHA1
fde9c22a2cfcd5e566cec2e987d942b78a4eeae8

SHA256
14a51482aa003db79a400f4b15c158397fe6d57ee6606b3d633fa431a7bfdf4b

SHA512
6a2675de0c445c75f7d5664ebe8f0e2f69c3312c50156161e483927e40235140d5e28e340112ac552d6462366143890a8ce32dbf65bd37e27cb1ea290fe14584

Download Submit
C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\AdbWinUsbApi.dll

Filesize
59KB

MD5
5f23f2f936bdfac90bb0a4970ad365cf

SHA1
12e14244b1a5d04a261759547c3d930547f52fa3

SHA256
041c6859bb4fc78d3a903dd901298cd1ecfb75b6be0646b74954cd722280a407

SHA512
49a7769d5e6cb2fda9249039d90465f7a4e612805bba48b7036456a3bbd230e4d13da72e4ade5155ddc08fe460735ec8d6df3bb11b72ff28e1149221e2fc3048

Download Submit
C:\Users\Admin\AppData\Roaming\ERoot\resource\bin\bec.exe

Filesize
1.2MB

MD5
996228fd22c2b03190a4e4c38a1efb5e

SHA1
ab8fab4fb5c0980c76490856ad044a5b7bff81a1

SHA256
575b1a26244c0762af689b5b55f3812f1293806364092962368cd5b581627c8f

SHA512
e57f94dbaa443aca0feddc7b7db565ef23b3d9180cf00d893c7d8b4390446f6fc087de03b2ca7178077d7d90182a5e07ef5ab923d07fd5b4a0086e3c821f2585

Download Submit
memory/1468-144-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-148-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-141-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-142-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-143-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-155-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-147-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-140-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-149-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-150-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-151-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-152-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-153-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1468-154-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4960-139-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download