50ec352e8fc4fca55815578c83ceeade7fe769aac4716c160bf697542f14e2d8

General

Target

NEAS.ff109cfa365767a8433d3672d8b910e0.exe
Size

170KB
MD5

ff109cfa365767a8433d3672d8b910e0
SHA1

983e48c22c1c359a9649fa0e7be6caeedc931be1
SHA256

50ec352e8fc4fca55815578c83ceeade7fe769aac4716c160bf697542f14e2d8
SHA512

cf79f03c95a5b19af607a25ccf4e6b1c3ec3d6dea674fa014eb2fe0082319dfcb8d3aa2670b50737f1fb02a8200cbc42f66aaa3cb272802df5a1c8d88f2c4d38
SSDEEP

3072:+5ERKdsNSE8jWf+FnGevgjFA+WzmLpJhJ4RpS:+wB8qonGeoFA0lyp

Score

8^/10

evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1424	lrunner.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	NEAS.ff109cfa365767a8433d3672d8b910e0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lrunner.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	lrunner.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	lrunner.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe
1424	lrunner.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1424	2344	NEAS.ff109cfa365767a8433d3672d8b910e0.exe	28
PID 2344 wrote to memory of 1424	2344	NEAS.ff109cfa365767a8433d3672d8b910e0.exe	28
PID 2344 wrote to memory of 1424	2344	NEAS.ff109cfa365767a8433d3672d8b910e0.exe	28
PID 2344 wrote to memory of 1424	2344	NEAS.ff109cfa365767a8433d3672d8b910e0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.ff109cfa365767a8433d3672d8b910e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ff109cfa365767a8433d3672d8b910e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\ln259414218\lrunner.exe
  "C:\Users\Admin\AppData\Local\Temp\\ln259414218\lrunner.exe" --bpl="eyJjbGlfdmVyIjogMiwgImluc3RhbGxfdXJsIjogImh0dHBzOi8vZ29zb2Z0ZGwubWFpbC5ydS9zd2l0Y2hlcl9wZF8zXzkuZXhlIiwgImxvY2F0aW9uX2lkIjogImxhbmRfcGFydG5lcl9saXRlIiwgInF1ZXJ5X3N0cmluZyI6ICJwYXJ0bmVyX25ld191cmw9aHR0cCUzQSUyRiUyRmJyby1mcmVlLWxpdGUucnUlMkZhcGklMkZleHBlcmltZW50JTJGaW5zdGFsbCUzRnBiJTNEaHR0cCUzQSUyRiUyRnVuaXZlcnNhbHNyYy5jb20lMkZhcGklMkZnb2FsJTNGdmlzaXRpZCUzREJvNFBMNFo5OUhGNEwtdmYmb3ZyPSUyNF9fT1ZSJmd1aWQ9JTI0X19HVUlEJnJmcj04NzAwMDAmdWlkPTBFRDNGMUZDLTA0QTItNTM0Ny04RUU5LUZCNzYyN0RCQjU2QSZleHRfaW5zdGFsbF9jYWxsYmFjaz1odHRwJTNBJTJGJTJGdW5pdmVyc2Fsc3JjLmNvbSUyRmFwaSUyRmdvYWwlM0Z2aXNpdGlkJTNEQm80UEw0Wjk5SEY0TC12ZiZhY3Rpb249aW5zdGFsbCZjb21wPSU3QmNvbXBvbmVudCU3RCZwYWlkPSU3QnBhaWQlN0QmcGE9JTdCcGFpZEFjdGlvbiU3RCZwYj0lN0JwYWlkQnJvd3NlciU3RCZicj0lN0Jicm93c2VyJTdEJmJjMT0lN0Jicm93c2VyQ2xhc3MxJTdEJmJjMj0lN0Jicm93c2VyQ2xhc3MyJTdEJmlpZD0lN0JpbnN0YWxsSWQlN0QmcmZyPSU3QnJmciU3RCZleHRfb25saW5lX2NhbGxiYWNrPWh0dHAlM0ElMkYlMkZ1bml2ZXJzYWxzcmMuY29tJTJGYXBpJTJGZ29hbCUzRnZpc2l0aWQlM0RCbzRQTDRaOTlIRjRMLXZmJmFjdGlvbj1vbmxpbmUmY29tcD0lN0Jjb21wb25lbnQlN0QmcGFpZD0lN0JwYWlkJTdEJnBhPSU3QnBhaWRBY3Rpb24lN0QmcGI9JTdCcGFpZEJyb3dzZXIlN0QmYnI9JTdCYnJvd3NlciU3RCZiYzE9JTdCYnJvd3NlckNsYXNzMSU3RCZiYzI9JTdCYnJvd3NlckNsYXNzMiU3RCZpaWQ9JTdCaW5zdGFsbElkJTdEJnJmcj0lN0JyZnIlN0QmZXh0X3BhcnRuZXJpZD1kc2UuMSUzQTgxMzM4MyUyQ2RzZS4yJTNBODEzNTgzJTJDaHAuMSUzQTgxMzMzMyUyQ2hwLjIlM0E4MTM1MzMlMkNydGIuMSUzQTgzMTE0NyUyQ3B1bHQuMSUzQTgxMzQzMyUyQ3B1bHQuMiUzQTgxMzYzMyUyQ3ZibS4xJTNBODEzNDMzJTJDdmJtLjIlM0E4MTM2MzMlMkNhbnkuMSUzQTgxMzQ4MyUyQ2FueS4yJTNBODEzNDgzJnBhcnRuZXJpZD04NzAwMDAmb2NsX3BhcmFtcz1odHRwJTNBJTJGJTJGdW5pdmVyc2Fsc3JjLmNvbSUyRmFwaSUyRmdvYWwlM0Z2aXNpdGlkJTNEQm80UEw0Wjk5SEY0TC12ZiZndWlkPSU3Qmd1aWQlN0QmY29tcD1vY2wmb2NsX3BhcnRuZXJpZD04NCIsICJ0cyI6IDE2OTgxNDU2MzF9"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mail.Ru\Id

Filesize
38B

MD5
385344820624767005c3417742f2e0e8

SHA1
50322257ae332a4ba76914604855920839edc59f

SHA256
87461fe32f0590dee6200656a0717d812e042e75f6d0691e0fdc440f158b3692

SHA512
db19ce4f206ff21f9a9da2c6ccda929bc4a3db43cbf38833ef57d744a8b9e66c3b8e08de0ab77737aa3eaae255dea5bbc2959c939ec76eeee9782494e9188cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ln259414218\lrunner.exe

Filesize
1.9MB

MD5
59ec4314e2a54053778d3862368d639c

SHA1
a6e7e4383d2a49460f90f46d81bf31260fb71a50

SHA256
8dca302c817de6eab1783ed87139cbe2c0da2be2ccc077cabac12ac3237dab91

SHA512
48ec36e24c66df5951a35ff366aa80b70aef005119438e1a97dcc81b21e726a4f1eb7e9000026a75811e1fd7ef51255df28647b30140d136af223acf4e968834

Download Submit
\Users\Admin\AppData\Local\Temp\ln259414218\lrunner.exe

Filesize
1.9MB

MD5
59ec4314e2a54053778d3862368d639c

SHA1
a6e7e4383d2a49460f90f46d81bf31260fb71a50

SHA256
8dca302c817de6eab1783ed87139cbe2c0da2be2ccc077cabac12ac3237dab91

SHA512
48ec36e24c66df5951a35ff366aa80b70aef005119438e1a97dcc81b21e726a4f1eb7e9000026a75811e1fd7ef51255df28647b30140d136af223acf4e968834

Download Submit

Analysis

Sharing