Behavioral analysis of a dropper-style executable that deploys mpv media player to display a distraction video while injecting into system processes and evading defenses via delayed execution.
Dropper executable that drops and executes multiple binaries, injects into system processes, and uses timeout delays to evade sandbox analysis.
ERMAKOB.exe and Twoofthem.exe are identical dropper executables (only the embedded video file differs). They are unsigned 46.2 MB PE binaries that masquerade as harmless programs.
Upon execution, the binary drops a bundle of files into %TEMP%\Barebones\ — including a portable mpv media player, a configuration file, a video file (virus.mp4), and a secondary executable (noadmincrash.exe). It then launches the video as a distraction while performing suspicious system activities in the background.
1. Drops and executes files. Extracts a batch script (bat.bat), mpv player, video file, configuration, fonts config, and a secondary EXE (noadmincrash.exe) into a temp directory. Uses cmd.exe /c to execute the batch script orchestrating the payload.
2. Plays a distraction video. Launches mpv.exe virus.mp4 — a video plays on screen, drawing the user's attention while background processes execute. This is a social engineering technique to mask suspicious activity.
3. Delays execution (defense evasion). Runs timeout /t 40 /nobreak — a 40-second delay that forces sandbox environments to wait, potentially exceeding analysis time windows. Tagged as defense_evasion by the sandbox.
4. Injects into system processes. Uses WriteProcessMemory to inject code: ERMAKOB.exe writes to cmd.exe, cmd.exe then writes to mpv.exe and timeout.exe. This cross-process injection chain is not behavior of legitimate software.
5. Uses suspicious API calls. Calls FindShellTrayWindow (system tray enumeration) and SetWindowsHookEx (potential input interception/keylogging) from the dropped mpv.exe — functions not expected from a simple media player in this context.
6. Checks geolocation. Queries the registry key Control Panel\International\Geo\Nation to determine the victim's country — a technique commonly used by malware to exclude certain regions from execution.
Unsigned PE with large file size. A 46 MB executable with no digital signature that drops executables into temp directories is a strong indicator of a packed dropper or bundled malware.
Process injection chain. Legitimate applications do not use WriteProcessMemory to inject code into cmd.exe and child processes. This is a classic trojan behavior pattern.
Defense evasion via timeout. The 40-second timeout delay is specifically designed to outlast short-lived sandbox analysis windows.
Geo-checking. Querying the victim's country from the registry is a hallmark of targeted malware campaigns, particularly those of CIS-origin threat actors.
If you ran it: Run a full antivirus scan. Check %TEMP%\Barebones\ for dropped files and delete them. Monitor for unusual process activity. Consider changing passwords if keylogging is suspected.
If you didn't run it: Delete the file. Do not execute unsigned EXEs from untrusted sources.
YonSeSecurity Threat Score: 7.0 / 10 — HIGH. Dropper with process injection and defense evasion capabilities.
An unsigned 46.2 MB PE executable named ERMAKOB.exe (also distributed as Twoofthem.exe — functionally identical, differing only in the embedded video payload) was submitted for dynamic behavioral analysis at the request of a YonSeSecurity user.
The sample was detonated in two sandbox environments (Windows 10 v2004 and Windows 11) with consistent results across both runs. The executable operates as a dropper: it extracts a bundle of files into %AppData%\Local\Temp\Barebones\, launches a distraction video via an embedded mpv media player, and performs process injection via WriteProcessMemory across a cmd.exe execution chain.
The malware employs a 40-second timeout delay as a defense evasion technique and performs geolocation checks via registry queries. The secondary dropped binary noadmincrash.exe suggests the payload may have additional capabilities that were not fully observed during the analysis window.
Classification: Trojan.Dropper with Defense Evasion and Process Injection
| Field | Value |
|---|---|
| Filename | ERMAKOB.exe / Twoofthem.exe |
| Size | 46.2 MB |
| SHA256 | 44b40e1fd7b5a8e4f4612ce8f5cb7612b3ac015872d236a76c49de68a78bf4e4 |
| Analysis ID | 260324-xl893se18j |
| Platform (run 1) | Windows 10 v2004 (build 20260130-en) |
| Platform (run 2) | Windows 11 (build 20260130-en) |
| Runtime (kernel) | 13s (Win10) / 15s (Win11) |
| Runtime (network) | 57s (Win10) / N/A (Win11) |
| Submitted | 2026-03-24 18:57 |
| Signature | Unsigned PE |
| Tags | defense_evasion |
User receives ERMAKOB.exe (or Twoofthem.exe) — a 46.2 MB unsigned executable. The large file size helps avoid suspicion and may bypass some file-size-based scanning limits.
Upon execution, the binary extracts files into C:\Users\Admin\AppData\Local\Temp\Barebones\: bat.bat (orchestration script), mpv.exe (media player), mpv.conf (configuration), fonts.conf, virus.mp4 (distraction video), and noadmincrash.exe (secondary payload).
Launches cmd.exe /c bat.bat which orchestrates: (1) mpv.exe virus.mp4 — plays distraction video, (2) timeout /t 40 /nobreak — 40-second delay for evasion, (3) noadmincrash.exe — secondary payload execution.
ERMAKOB.exe injects code into cmd.exe via WriteProcessMemory. The injected cmd.exe in turn writes to mpv.exe and timeout.exe memory. This multi-stage injection chain hides malicious behavior inside legitimate system processes.
Checks victim's geolocation via registry (Geo\Nation), enumerates physical storage devices, and uses FindShellTrayWindow to enumerate the system tray — standard victim fingerprinting behavior.
The batch script runs timeout /t 40 /nobreak before launching the secondary payload noadmincrash.exe. This 40-second delay is a well-known technique to outlast sandbox analysis windows that typically run for 30-60 seconds.
The /nobreak flag prevents user interruption of the delay — indicating deliberate intent to enforce the full wait period.
The executable has no digital signature. While this alone is not malicious, it is a strong indicator when combined with dropper behavior, process injection, and defense evasion. Unsigned PEs bypass Authenticode trust verification entirely.
Launching a video via mpv player serves as a social engineering distraction — the user sees a video playing and assumes the executable did nothing harmful. Meanwhile, background processes perform the actual malicious activity.
WriteProcessMemory calls across process boundaries, consistent across both behavioral runs (one table per run).
| Source (PID) | Target (PID) | Source Process | Target Process |
|---|---|---|---|
| 1668 | 4312 | ERMAKOB.exe | cmd.exe |
| 4312 | 4480 | cmd.exe | Barebones\mpv.exe |
| 4312 | 2872 | cmd.exe | timeout.exe |
| Source (PID) | Target (PID) | Source Process | Target Process |
|---|---|---|---|
| 4440 | 3248 | ERMAKOB.exe | cmd.exe |
| 3248 | 2948 | cmd.exe | Barebones\mpv.exe |
| 3248 | 856 | cmd.exe | timeout.exe |
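As an added example (not part of the YonSeSecurity report or its tooling), the following Python reconstructs the injection chain from the tables above out of sandbox-style API records and also flags the timeout /t 40 /nobreak launch described in the defense-evasion section. The event records, field names and the explorer.exe control case are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sandbox API-call records modelled on the report's run-1 PID table
# and batch script; field names and the explorer.exe control case are invented.
EVENTS = [
    {"api": "WriteProcessMemory", "src_pid": 1668, "src": "ERMAKOB.exe",
     "dst_pid": 4312, "dst": "cmd.exe"},
    {"api": "WriteProcessMemory", "src_pid": 4312, "src": "cmd.exe",
     "dst_pid": 4480, "dst": "Barebones\\mpv.exe"},
    {"api": "WriteProcessMemory", "src_pid": 4312, "src": "cmd.exe",
     "dst_pid": 2872, "dst": "timeout.exe"},
    {"api": "CreateProcess", "src_pid": 4312, "src": "cmd.exe",
     "cmdline": "timeout /t 40 /nobreak",
     "cwd": r"C:\Users\Admin\AppData\Local\Temp\Barebones"},
    {"api": "CreateProcess", "src_pid": 900, "src": "explorer.exe",
     "cmdline": "timeout /t 5", "cwd": r"C:\Windows"},  # benign short wait
]
TIMEOUT_RE = re.compile(r"\btimeout(?:\.exe)?\s+/t\s+(\d+)", re.IGNORECASE)

def injection_chains(events):
    """Follow cross-process WriteProcessMemory edges from each process that is
    never itself written to, returning every root-to-leaf chain of names."""
    edges, targets = defaultdict(list), set()
    for e in events:
        if e["api"] == "WriteProcessMemory" and e["src_pid"] != e["dst_pid"]:
            edges[(e["src_pid"], e["src"])].append((e["dst_pid"], e["dst"]))
            targets.add((e["dst_pid"], e["dst"]))
    chains = []
    def walk(node, path):
        children = edges.get(node, [])
        if not children:
            chains.append(path)
        for child in children:
            walk(child, path + [child[1]])
    for root in [n for n in edges if n not in targets]:
        walk(root, [root[1]])
    return chains

def delay_indicators(events, min_seconds=30):
    """Flag timeout /t N /nobreak launches with N >= min_seconds whose working
    directory is under a Temp path, the pattern of the report's bat.bat."""
    hits = []
    for e in events:
        m = TIMEOUT_RE.search(e["cmdline"]) if e["api"] == "CreateProcess" else None
        if m and int(m.group(1)) >= min_seconds and "/nobreak" in e["cmdline"].lower() \
                and "\\temp\\" in e["cwd"].lower():
            hits.append((e["src_pid"], int(m.group(1))))
    return hits
```

Applied to the constructed events, injection_chains yields the two ERMAKOB.exe -> cmd.exe -> mpv.exe/timeout.exe chains and delay_indicators returns only the 40-second /nobreak wait launched from the Temp directory.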
SetWindowsHookEx called by mpv.exe from the Barebones directory. While mpv can legitimately use window hooks for input handling, in the context of a dropped executable with process injection, this raises concern about potential keylogging or input interception.
Both ERMAKOB.exe and mpv.exe call FindShellTrayWindow — used to locate the Windows taskbar/system tray. Malware uses this to enumerate running applications, detect security tools, or inject into Explorer.exe.
| Technique | Detail | Significance |
|---|---|---|
| Geo\Nation (T1614) | REGISTRY\USER\S-1-5-21-...\Control Panel\International\Geo\Nation | Country-based targeting |
| Storage Enum (T1120) | Enumerates physical storage devices | Map drives & volumes |
| Registry Query (T1012) | Queries registry for system info | Victim fingerprinting |
| System Info (T1082) | System Information Discovery | Environment profiling |
| Shell Tray (T1010) | FindShellTrayWindow API | Running app enumeration |
All files dropped into C:\Users\Admin\AppData\Local\Temp\Barebones\
| File | Type | Purpose |
|---|---|---|
| bat.bat | Batch script | Orchestration — launches mpv, timeout, noadmincrash |
| mpv.exe | PE executable | Media player (used for distraction video) |
| mpv\mpv.conf | Config | mpv player configuration |
| mpv\fonts.conf | Config | Font rendering configuration |
| virus.mp4 | Video | Distraction video payload |
| noadmincrash.exe | PE executable | Secondary payload (executed after timeout) |
COMPOSITE THREAT SCORE: 7.0 / 10 — HIGH SEVERITY
Indicators of compromise:
1. %TEMP%\Barebones\noadmincrash.exe
2. Barebones\ directory in %TEMP%
3. timeout /t 40 /nobreak execution from temp directories
4. WriteProcessMemory from unsigned executables to cmd.exe
5. 44b40e1fd7b5a8e4...a78bf4e4
ERMAKOB.exe / Twoofthem.exe is a trojan dropper that extracts and executes multiple payloads from a temp directory. The use of a batch orchestration script, video distraction, and multi-stage execution is consistent with malware behavior.
WriteProcessMemory calls between ERMAKOB.exe → cmd.exe → mpv.exe/timeout.exe were observed consistently across both sandbox runs (Windows 10 and 11). No legitimate application uses this injection pattern.
The 40-second timeout delay and video distraction are deliberate evasion techniques. The timeout may cause short-lived sandbox runs to miss the full execution of noadmincrash.exe, which launches only after the delay.
The capabilities of noadmincrash.exe were not fully observed within the analysis window. It is launched after a 40-second delay and may contain additional malicious functionality (persistence, data exfiltration, or C2 communication) that was not triggered during analysis.
No outbound network connections or C2 traffic was detected. This may indicate the sample is a first-stage dropper that prepares the environment for a network-dependent second stage, or the C2 component was not triggered within the analysis timeframe.