Analysis

  • max time kernel
    46s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-10-2022 05:03

General

  • Target

    L2Server/L2Server.exe

  • Size

    12.6MB

  • MD5

    8235a379be7a063b9d90a38e276cbb30

  • SHA1

    b6174fc0b2de1aecb09c12fc73e9369e5a5b95c5

  • SHA256

    203e3300d1e76dbc45e0c0e1b5d0e0388e1143924333398954016c6003b45511

  • SHA512

    3f30fb08ee92a73a3a19dc22c3440b2afef2a5babc735dfdea04021180440b5baaf444d975c9bae502c73fe823ce9d0f419dd71ffdc9960f655071130e3152c3

  • SSDEEP

    98304:FayXbXfSoVXB8H7cyxOhtwTN2EBLBYFZpECfzIKOQG8GHk91bBqnA4WgX32daeH3:FlXbPDVXB27cXtwTN2EFBIFzIRQLmeH3

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but on its own it is a weak indicator: ordinary software enumerates drives too, and the only child activity recorded in this run is cmd.exe moving error logs and crash dumps into a bak directory.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\L2Server\L2Server.exe
    "C:\Users\Admin\AppData\Local\Temp\L2Server\L2Server.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir bak
      2⤵
      PID:1232
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move LinError.txt.*.bak bak\
      2⤵
      PID:980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move minidump_*.dmp bak\
      2⤵
      PID:908
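The process tree above is the most informative part of this report: a binary running out of the user's Temp directory spawns three cmd.exe /C children. Whether that is alarming depends on what the children do. The following helper, added here as an example and not part of the sandbox's output or of L2Server, rebuilds the tree from the listed PIDs and command lines (constructed from the report) and classifies each cmd.exe /C payload, flagging verbs that are not plain file housekeeping, chained commands, and move/copy operations whose destination is an absolute or UNC path. The `suspicious` heuristic and the `HOUSEKEEPING` verb list are assumptions chosen for illustration.

```python
"""Triage helper: classify the cmd.exe /C children spawned by a sandboxed process."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    cmdline: str

# Constructed from the process tree in the report (PIDs and command lines as listed).
EVENTS = [
    Proc(1380, None, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\L2Server\\L2Server.exe"'),
    Proc(1232, 1380, '"C:\\Windows\\System32\\cmd.exe" /C mkdir bak'),
    Proc(980, 1380, '"C:\\Windows\\System32\\cmd.exe" /C move LinError.txt.*.bak bak\\'),
    Proc(908, 1380, '"C:\\Windows\\System32\\cmd.exe" /C move minidump_*.dmp bak\\'),
]

# Built-in shell verbs treated as plain file housekeeping (assumption for this example).
HOUSEKEEPING = {"mkdir", "md", "move", "copy", "del", "rmdir", "rd", "ren"}

def image_path(cmdline: str) -> str:
    """Return the executable path from a command line (quoted or bare first token)."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]

def in_user_temp(path: str) -> bool:
    """True if the image lives under the per-user Temp directory."""
    return "\\appdata\\local\\temp\\" in path.lower()

def cmd_payload(cmdline: str) -> Optional[str]:
    """Extract the command passed to cmd.exe via /C, or None if this is not cmd /C."""
    if image_path(cmdline).lower().rsplit("\\", 1)[-1] != "cmd.exe":
        return None
    m = re.search(r"\s/[cC]\s+(.+)$", cmdline)
    return m.group(1).strip() if m else None

def parse_payload(payload: str) -> tuple:
    """Split a /C payload into (verb, args). Chained commands (&, &&, |, ||) are kept
    whole and tagged 'chain', since one /C line can then do several things."""
    if re.search(r"\s(&&?|\|\|?)\s", payload):
        return ("chain", payload)
    verb, _, rest = payload.partition(" ")
    return (verb.lower(), rest)

def suspicious(verb: str, args: str) -> bool:
    """Heuristic: flag non-housekeeping verbs, chained commands, and move/copy whose
    destination is an absolute or UNC path (data leaving the working directory)."""
    if verb == "chain" or verb not in HOUSEKEEPING:
        return True
    if verb in ("move", "copy"):
        tokens = args.split()
        dest = tokens[-1] if tokens else ""
        return bool(re.match(r"^([A-Za-z]:\\|\\\\)", dest))
    return False

def triage(events):
    """Findings for every cmd.exe /C child of a process whose image is in Temp."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        parent = by_pid.get(p.ppid)
        if parent is None or not in_user_temp(image_path(parent.cmdline)):
            continue
        payload = cmd_payload(p.cmdline)
        if payload is None:
            continue
        verb, args = parse_payload(payload)
        findings.append({"pid": p.pid, "parent": parent.pid, "verb": verb,
                         "args": args, "suspicious": suspicious(verb, args)})
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Run against the report's tree, all three children come back as mkdir/move with relative destinations and none is flagged, which matches the low score: this looks like a server rotating its own crash dumps and error logs. The same code flags a chained payload or a move to a UNC share, which is the pattern that would justify a closer look.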

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1380-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

    Filesize

    8KB