50ec352e8fc4fca55815578c83ceeade7fe769aac4716c160bf697542f14e2d8

General

Target

NEAS.ff109cfa365767a8433d3672d8b910e0.exe
Size

170KB
MD5

ff109cfa365767a8433d3672d8b910e0
SHA1

983e48c22c1c359a9649fa0e7be6caeedc931be1
SHA256

50ec352e8fc4fca55815578c83ceeade7fe769aac4716c160bf697542f14e2d8
SHA512

cf79f03c95a5b19af607a25ccf4e6b1c3ec3d6dea674fa014eb2fe0082319dfcb8d3aa2670b50737f1fb02a8200cbc42f66aaa3cb272802df5a1c8d88f2c4d38
SSDEEP

3072:+5ERKdsNSE8jWf+FnGevgjFA+WzmLpJhJ4RpS:+wB8qonGeoFA0lyp

Score

8^/10

evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4200	lrunner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lrunner.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	lrunner.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	lrunner.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe
4200	lrunner.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4200	4104	NEAS.ff109cfa365767a8433d3672d8b910e0.exe	91
PID 4104 wrote to memory of 4200	4104	NEAS.ff109cfa365767a8433d3672d8b910e0.exe	91
PID 4104 wrote to memory of 4200	4104	NEAS.ff109cfa365767a8433d3672d8b910e0.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.ff109cfa365767a8433d3672d8b910e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ff109cfa365767a8433d3672d8b910e0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\ln240666281\lrunner.exe
  "C:\Users\Admin\AppData\Local\Temp\\ln240666281\lrunner.exe" --bpl="eyJjbGlfdmVyIjogMiwgImluc3RhbGxfdXJsIjogImh0dHBzOi8vZ29zb2Z0ZGwubWFpbC5ydS9zd2l0Y2hlcl9wZF8zXzkuZXhlIiwgImxvY2F0aW9uX2lkIjogImxhbmRfcGFydG5lcl9saXRlIiwgInF1ZXJ5X3N0cmluZyI6ICJwYXJ0bmVyX25ld191cmw9aHR0cCUzQSUyRiUyRmJyby1mcmVlLWxpdGUucnUlMkZhcGklMkZleHBlcmltZW50JTJGaW5zdGFsbCUzRnBiJTNEaHR0cCUzQSUyRiUyRnVuaXZlcnNhbHNyYy5jb20lMkZhcGklMkZnb2FsJTNGdmlzaXRpZCUzREJvNFBMNFo5OUhGNEwtdmYmb3ZyPSUyNF9fT1ZSJmd1aWQ9JTI0X19HVUlEJnJmcj04NzAwMDAmdWlkPTBFRDNGMUZDLTA0QTItNTM0Ny04RUU5LUZCNzYyN0RCQjU2QSZleHRfaW5zdGFsbF9jYWxsYmFjaz1odHRwJTNBJTJGJTJGdW5pdmVyc2Fsc3JjLmNvbSUyRmFwaSUyRmdvYWwlM0Z2aXNpdGlkJTNEQm80UEw0Wjk5SEY0TC12ZiZhY3Rpb249aW5zdGFsbCZjb21wPSU3QmNvbXBvbmVudCU3RCZwYWlkPSU3QnBhaWQlN0QmcGE9JTdCcGFpZEFjdGlvbiU3RCZwYj0lN0JwYWlkQnJvd3NlciU3RCZicj0lN0Jicm93c2VyJTdEJmJjMT0lN0Jicm93c2VyQ2xhc3MxJTdEJmJjMj0lN0Jicm93c2VyQ2xhc3MyJTdEJmlpZD0lN0JpbnN0YWxsSWQlN0QmcmZyPSU3QnJmciU3RCZleHRfb25saW5lX2NhbGxiYWNrPWh0dHAlM0ElMkYlMkZ1bml2ZXJzYWxzcmMuY29tJTJGYXBpJTJGZ29hbCUzRnZpc2l0aWQlM0RCbzRQTDRaOTlIRjRMLXZmJmFjdGlvbj1vbmxpbmUmY29tcD0lN0Jjb21wb25lbnQlN0QmcGFpZD0lN0JwYWlkJTdEJnBhPSU3QnBhaWRBY3Rpb24lN0QmcGI9JTdCcGFpZEJyb3dzZXIlN0QmYnI9JTdCYnJvd3NlciU3RCZiYzE9JTdCYnJvd3NlckNsYXNzMSU3RCZiYzI9JTdCYnJvd3NlckNsYXNzMiU3RCZpaWQ9JTdCaW5zdGFsbElkJTdEJnJmcj0lN0JyZnIlN0QmZXh0X3BhcnRuZXJpZD1kc2UuMSUzQTgxMzM4MyUyQ2RzZS4yJTNBODEzNTgzJTJDaHAuMSUzQTgxMzMzMyUyQ2hwLjIlM0E4MTM1MzMlMkNydGIuMSUzQTgzMTE0NyUyQ3B1bHQuMSUzQTgxMzQzMyUyQ3B1bHQuMiUzQTgxMzYzMyUyQ3ZibS4xJTNBODEzNDMzJTJDdmJtLjIlM0E4MTM2MzMlMkNhbnkuMSUzQTgxMzQ4MyUyQ2FueS4yJTNBODEzNDgzJnBhcnRuZXJpZD04NzAwMDAmb2NsX3BhcmFtcz1odHRwJTNBJTJGJTJGdW5pdmVyc2Fsc3JjLmNvbSUyRmFwaSUyRmdvYWwlM0Z2aXNpdGlkJTNEQm80UEw0Wjk5SEY0TC12ZiZndWlkPSU3Qmd1aWQlN0QmY29tcD1vY2wmb2NsX3BhcnRuZXJpZD04NCIsICJ0cyI6IDE2OTgxNDU2MzF9"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mail.Ru\Id

Filesize
38B

MD5
4d76f0875ff53b638684fc4333253e49

SHA1
13fb8ba21fe5e159e022710799e34a21d4e83aaf

SHA256
39d3ee8542efc49ccc97e21763007b7daff0dc369f19494d4c88306e30c8dcce

SHA512
bf167ab637199092967a23b74f060f290dd3b51e30d76c3ebb6d65fe8a13dea215d7cac51234ddfede2d35c283c7c75157ef61cc1410b754f0807705bc3ffe88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ln240666281\lrunner.exe

Filesize
1.9MB

MD5
59ec4314e2a54053778d3862368d639c

SHA1
a6e7e4383d2a49460f90f46d81bf31260fb71a50

SHA256
8dca302c817de6eab1783ed87139cbe2c0da2be2ccc077cabac12ac3237dab91

SHA512
48ec36e24c66df5951a35ff366aa80b70aef005119438e1a97dcc81b21e726a4f1eb7e9000026a75811e1fd7ef51255df28647b30140d136af223acf4e968834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ln240666281\lrunner.exe

Filesize
1.9MB

MD5
59ec4314e2a54053778d3862368d639c

SHA1
a6e7e4383d2a49460f90f46d81bf31260fb71a50

SHA256
8dca302c817de6eab1783ed87139cbe2c0da2be2ccc077cabac12ac3237dab91

SHA512
48ec36e24c66df5951a35ff366aa80b70aef005119438e1a97dcc81b21e726a4f1eb7e9000026a75811e1fd7ef51255df28647b30140d136af223acf4e968834

Download Submit

Analysis

Sharing