Overview
overview
7Static
static
3ASP.NET精...pk.dll
windows7-x64
7ASP.NET精...pk.dll
windows10-2004-x64
7ASP.NET精...pk.dll
windows7-x64
7ASP.NET精...pk.dll
windows10-2004-x64
7ASP.NET精...pk.dll
windows7-x64
7ASP.NET精...pk.dll
windows10-2004-x64
7ASP.NET精...pk.dll
windows7-x64
7ASP.NET精...pk.dll
windows10-2004-x64
7ASP.NET精...pk.dll
windows7-x64
7ASP.NET精...pk.dll
windows10-2004-x64
7ASP.NET精...pk.dll
windows7-x64
7ASP.NET精...pk.dll
windows10-2004-x64
7ASP.NET精...pk.dll
windows7-x64
7ASP.NET精...pk.dll
windows10-2004-x64
7Apache2_cn...pk.dll
windows7-x64
7Apache2_cn...pk.dll
windows10-2004-x64
7Asp专题�...pk.dll
windows7-x64
7Asp专题�...pk.dll
windows10-2004-x64
7CPCW_DianN...pk.dll
windows7-x64
7CPCW_DianN...pk.dll
windows10-2004-x64
7DOS/lpk.dll
windows7-x64
7DOS/lpk.dll
windows10-2004-x64
7DOS高手�...pk.dll
windows7-x64
7DOS高手�...pk.dll
windows10-2004-x64
7Flash初�...pk.dll
windows7-x64
7Flash初�...pk.dll
windows10-2004-x64
7NAC ADNLB/lpk.dll
windows7-x64
7NAC ADNLB/lpk.dll
windows10-2004-x64
7Photoshop7...01.pdf
windows7-x64
3Photoshop7...01.pdf
windows10-2004-x64
3Photoshop7...02.pdf
windows7-x64
3Photoshop7...02.pdf
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07/09/2024, 08:34
Static task
static1
Behavioral task
behavioral1
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/C#追捕/bin/Debug/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/C#追捕/bin/Debug/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/C#追捕/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/C#追捕/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/C#追捕/obj/Debug/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/C#追捕/obj/Debug/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/Visual Studio Projects/WindowsApplication1/obj/Debug/temp/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/Visual Studio Projects/WindowsApplication1/obj/Debug/temp/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/asp.net/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/bin/lpk.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
ASP.NET精彩编程百例(源码)/ASPNETSource/bin/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ASP.NET精彩编程百例(源码)/SOftware/lpk.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
ASP.NET精彩编程百例(源码)/SOftware/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Apache2_cn_sysc_exe/lpk.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral16
Sample
Apache2_cn_sysc_exe/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Asp专题文档集/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
Asp专题文档集/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
CPCW_DianNaoBao_2005/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
CPCW_DianNaoBao_2005/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
DOS/lpk.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral22
Sample
DOS/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
DOS高手速成手册 繁体中文版/lpk.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
DOS高手速成手册 繁体中文版/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Flash初级教材/lpk.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
Flash初级教材/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
NAC ADNLB/lpk.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
NAC ADNLB/lpk.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Photoshop7百例/01.pdf
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
Photoshop7百例/01.pdf
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Photoshop7百例/02.pdf
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
Photoshop7百例/02.pdf
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
DOS/lpk.dll
-
Size
46KB
-
MD5
da13f824f78517b9d5306532b7d56492
-
SHA1
8b50d78846a38a79b16ca6163ab005ecb6247677
-
SHA256
3f9ed957a687c9b779b1f397fd8a486cc1f9d837df76a6e4b377f9b7eb2d092b
-
SHA512
5a9b1c54ef5a59ba8c9d7a5a51e1e0eeac8bccce718a4159d10cb5e0049d9f0573b6075399e0e6bf207d9d872900e15dffefbf8ce410aa73f169a66f74fc00c2
-
SSDEEP
768:hojY9Pta9++bwNwGYN9i+Cp2+UGj0W3eE1Y2avXooyzYojY9Po:0mG++bwNwqp27GjV3P1Yj4oyzxmg
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2756 hrl2E22.tmp 2976 zmxrwm.exe -
Loads dropped DLL 3 IoCs
pid Process 2680 rundll32.exe 2680 rundll32.exe 2976 zmxrwm.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: zmxrwm.exe File opened (read-only) \??\U: zmxrwm.exe File opened (read-only) \??\X: zmxrwm.exe File opened (read-only) \??\H: zmxrwm.exe File opened (read-only) \??\J: zmxrwm.exe File opened (read-only) \??\N: zmxrwm.exe File opened (read-only) \??\P: zmxrwm.exe File opened (read-only) \??\S: zmxrwm.exe File opened (read-only) \??\Y: zmxrwm.exe File opened (read-only) \??\Z: zmxrwm.exe File opened (read-only) \??\E: zmxrwm.exe File opened (read-only) \??\R: zmxrwm.exe File opened (read-only) \??\W: zmxrwm.exe File opened (read-only) \??\G: zmxrwm.exe File opened (read-only) \??\I: zmxrwm.exe File opened (read-only) \??\L: zmxrwm.exe File opened (read-only) \??\O: zmxrwm.exe File opened (read-only) \??\V: zmxrwm.exe File opened (read-only) \??\K: zmxrwm.exe File opened (read-only) \??\M: zmxrwm.exe File opened (read-only) \??\Q: zmxrwm.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\zmxrwm.exe hrl2E22.tmp File opened for modification C:\Windows\SysWOW64\zmxrwm.exe hrl2E22.tmp File created C:\Windows\SysWOW64\hra33.dll zmxrwm.exe -
Drops file in Program Files directory 60 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\lpk.dll zmxrwm.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lpk.dll zmxrwm.exe File created C:\Program Files\Java\jre7\bin\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Minesweeper\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Office\Office14\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Mozilla Firefox\lpk.dll zmxrwm.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll zmxrwm.exe File created C:\Program Files\DVD Maker\lpk.dll zmxrwm.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Chess\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Office\Office14\lpk.dll zmxrwm.exe File created C:\Program Files\Mozilla Firefox\uninstall\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\lpk.dll zmxrwm.exe File created C:\Program Files\Internet Explorer\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Internet Explorer\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\7-Zip\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Java\jre7\bin\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Chess\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Mahjong\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\lpk.dll zmxrwm.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\FreeCell\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Purble Place\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\lpk.dll zmxrwm.exe File created C:\Program Files\Mozilla Firefox\lpk.dll zmxrwm.exe File created C:\Program Files\7-Zip\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\lpk.dll zmxrwm.exe File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\lpk.dll zmxrwm.exe File created C:\Program Files\Google\Chrome\Application\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Solitaire\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Google\Chrome\Application\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\DVD Maker\lpk.dll zmxrwm.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\lpk.dll zmxrwm.exe File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Hearts\lpk.dll zmxrwm.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\lpk.dll zmxrwm.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lpk.dll zmxrwm.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\lpk.dll zmxrwm.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\lpk.dll zmxrwm.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\lpk.dll zmxrwm.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrl2E22.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zmxrwm.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2756 hrl2E22.tmp 2756 hrl2E22.tmp 2976 zmxrwm.exe 2976 zmxrwm.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2680 2324 rundll32.exe 30 PID 2324 wrote to memory of 2680 2324 rundll32.exe 30 PID 2324 wrote to memory of 2680 2324 rundll32.exe 30 PID 2324 wrote to memory of 2680 2324 rundll32.exe 30 PID 2324 wrote to memory of 2680 2324 rundll32.exe 30 PID 2324 wrote to memory of 2680 2324 rundll32.exe 30 PID 2324 wrote to memory of 2680 2324 rundll32.exe 30 PID 2680 wrote to memory of 2756 2680 rundll32.exe 31 PID 2680 wrote to memory of 2756 2680 rundll32.exe 31 PID 2680 wrote to memory of 2756 2680 rundll32.exe 31 PID 2680 wrote to memory of 2756 2680 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\DOS\lpk.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\DOS\lpk.dll,#12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\hrl2E22.tmpC:\Users\Admin\AppData\Local\Temp\hrl2E22.tmp3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
-
C:\Windows\SysWOW64\zmxrwm.exeC:\Windows\SysWOW64\zmxrwm.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2976
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD5754259ff98ffb8bbc408ed9dc5db85d8
SHA12386fdad8e0f773e1051a07308fcc57a174db484
SHA256d5d9ee1d998059f41c3480c999cd15b9e52f163b464b0c059ccbc8e862edd535
SHA5125e3cedbb1839364c245c5e16d5dd50db6b9597fa11cf670c8320dfb217b7166e39c7e81f979045a05877aa30d7c46d7370176e8614ff847334f6c2e0097d454e
-
Filesize
46KB
MD5da13f824f78517b9d5306532b7d56492
SHA18b50d78846a38a79b16ca6163ab005ecb6247677
SHA2563f9ed957a687c9b779b1f397fd8a486cc1f9d837df76a6e4b377f9b7eb2d092b
SHA5125a9b1c54ef5a59ba8c9d7a5a51e1e0eeac8bccce718a4159d10cb5e0049d9f0573b6075399e0e6bf207d9d872900e15dffefbf8ce410aa73f169a66f74fc00c2