8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa

General

Target

8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa.exe
Size

3.0MB
MD5

af3941f3fc043b11c44b712682ba76f1
SHA1

0a006f1c27e78073d5f370619cf1045cff2a802a
SHA256

8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa
SHA512

76bf65c0d2737cc887b027092191a95c0780d089db780aa1b2450c2de5ed1fd74713afed522d73df624843bb73167d29753943e777c4232f9ac0d5e219ae8de5
SSDEEP

49152:/D7IcQZ55eqcJMzFrtXi7+2d+ZVNnqMYGxTSmk3hHYuDRs9h07wW4KwulM55lBGq:/5QZjrFG73dUqyZSFhHUh07d40GQb77A

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4260	NewsLeecher 3.9 Beta 6 EN Warning.exe
2908	nl_setup_beta.exe
4996	is-GIT61.tmp

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e4b-135.dat	upx
behavioral2/files/0x0006000000022e4b-136.dat	upx
behavioral2/memory/4260-137-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/4260-138-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4260	NewsLeecher 3.9 Beta 6 EN Warning.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4260	NewsLeecher 3.9 Beta 6 EN Warning.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 1788	4628	8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa.exe	79
PID 4628 wrote to memory of 1788	4628	8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa.exe	79
PID 4628 wrote to memory of 1788	4628	8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa.exe	79
PID 1788 wrote to memory of 4260	1788	cmd.exe	81
PID 1788 wrote to memory of 4260	1788	cmd.exe	81
PID 1788 wrote to memory of 4260	1788	cmd.exe	81
PID 1788 wrote to memory of 2908	1788	cmd.exe	82
PID 1788 wrote to memory of 2908	1788	cmd.exe	82
PID 1788 wrote to memory of 2908	1788	cmd.exe	82
PID 2908 wrote to memory of 4996	2908	nl_setup_beta.exe	83
PID 2908 wrote to memory of 4996	2908	nl_setup_beta.exe	83
PID 2908 wrote to memory of 4996	2908	nl_setup_beta.exe	83

C:\Users\Admin\AppData\Local\Temp\8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa.exe
"C:\Users\Admin\AppData\Local\Temp\8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt2748.bat "C:\Users\Admin\AppData\Local\Temp\8627097c06a3e52e5ab86e1df5018e2e2e310d298f710e79a03b60b2664ae4fa.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\NewsLeecher 3.9 Beta 6 EN Warning.exe
    "C:\Users\Admin\AppData\Local\NewsLeecher 3.9 Beta 6 EN Warning.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4260
- - C:\Users\Admin\AppData\Local\nl_setup_beta.exe
    "C:\Users\Admin\AppData\Local\nl_setup_beta.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\is-30C0S.tmp\is-GIT61.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-30C0S.tmp\is-GIT61.tmp" /SL4 $4002C "C:\Users\Admin\AppData\Local\nl_setup_beta.exe" 2503971 52736
      4⤵
      Executes dropped EXE
      PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NewsLeecher 3.9 Beta 6 EN Warning.exe

Filesize
150KB

MD5
d76fb92e3b2f506a074573eba330416c

SHA1
a91fe079565e89676968a90a3b7651e5289a2c26

SHA256
5fcfb516779caa03c8f14d1261e1e983e042179347e6422d109b7a8bffce4805

SHA512
03e66099fda56e6d01ab7792e4eddd646fa59c7174c1990130f47293e89902a4c559dc387de62d9c94a69a1526502936589e7a00b92af71b0aecd34d218adb79

Download Submit
C:\Users\Admin\AppData\Local\NewsLeecher 3.9 Beta 6 EN Warning.exe

Filesize
150KB

MD5
d76fb92e3b2f506a074573eba330416c

SHA1
a91fe079565e89676968a90a3b7651e5289a2c26

SHA256
5fcfb516779caa03c8f14d1261e1e983e042179347e6422d109b7a8bffce4805

SHA512
03e66099fda56e6d01ab7792e4eddd646fa59c7174c1990130f47293e89902a4c559dc387de62d9c94a69a1526502936589e7a00b92af71b0aecd34d218adb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt2748.bat

Filesize
633B

MD5
482ef8e0dc983577f1f1fc4c4b622157

SHA1
1370e76247bb1a956961f91e1e319b976f5bb986

SHA256
613a0674e3fe1cd1ee3de75362b941b65397e07cf61f9e5089c22c717deb75c1

SHA512
02320eb441190ca90171f269049d2cdf64f88c965021032d75b86ff4853e3056ebd0e7b3287c43c4d942ac6b1043d1479178f3dd958f511e34b3542ef82044ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-30C0S.tmp\is-GIT61.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-30C0S.tmp\is-GIT61.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\nl_setup_beta.exe

Filesize
2.6MB

MD5
8a6140bd13e8041406046a1fa25e69f0

SHA1
81a524722ddc1742df137450d827ed1f284f9fac

SHA256
340da71e5efabde83782096a458c0d99b560dc7fa85e1a4657705f91b898b1ed

SHA512
92330c25169546dd74392933c170729808677150b5f62b5339f3b11518428e624e6988434641558dc075a33ee0721bdd5b196b73bbe69f34a473f092525afeaa

Download Submit
C:\Users\Admin\AppData\Local\nl_setup_beta.exe

Filesize
2.6MB

MD5
8a6140bd13e8041406046a1fa25e69f0

SHA1
81a524722ddc1742df137450d827ed1f284f9fac

SHA256
340da71e5efabde83782096a458c0d99b560dc7fa85e1a4657705f91b898b1ed

SHA512
92330c25169546dd74392933c170729808677150b5f62b5339f3b11518428e624e6988434641558dc075a33ee0721bdd5b196b73bbe69f34a473f092525afeaa

Download Submit
memory/2908-142-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2908-147-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4260-138-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4260-137-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing