Overview

Score  Task / Sample            Platform
7      Overview                 overview
3      Static                   static
7      iLemon/lpk.dll           windows7-x64
7      iLemon/lpk.dll           windows10-2004-x64
7      iLemon/set...1].exe      windows7-x64
7      iLemon/set...1].exe      windows10-2004-x64
3      $PLUGINSDI...LL.dll      windows7-x64
3      $PLUGINSDI...LL.dll      windows10-2004-x64
3      $PLUGINSDI...LL.dll      windows7-x64
3      $PLUGINSDI...LL.dll      windows10-2004-x64
3      $PLUGINSDI...em.dll      windows7-x64
3      $PLUGINSDI...em.dll      windows10-2004-x64
3      $PLUGINSDI...gs.dll      windows7-x64
3      $PLUGINSDI...gs.dll      windows10-2004-x64
3      $PLUGINSDI...dl.dll      windows7-x64
3      $PLUGINSDI...dl.dll      windows10-2004-x64
6      1.3.1.1002...ar.exe      windows7-x64
7      1.3.1.1002...ar.exe      windows10-2004-x64
1      1.3.1.1002...ce.exe      windows7-x64
1      1.3.1.1002...ce.exe      windows10-2004-x64
1      1.3.1.1002...er.exe      windows7-x64
1      1.3.1.1002...er.exe      windows10-2004-x64
1      1.3.1.1002...64.exe      windows7-x64
1      1.3.1.1002...64.exe      windows10-2004-x64
6      1.3.1.1002...op.exe      windows7-x64
7      1.3.1.1002...op.exe      windows10-2004-x64
1      1.3.1.1002...te.exe      windows7-x64
1      1.3.1.1002...te.exe      windows10-2004-x64
7      ShellExtHelper.dll       windows7-x64
7      ShellExtHelper.dll       windows10-2004-x64
7      ShellExtHelper64.dll     windows7-x64
7      ShellExtHelper64.dll     windows10-2004-x64
6      iLemon.exe               windows7-x64
6      iLemon.exe               windows10-2004-x64

Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 06:58
Static task: static1

Behavioral tasks:
Task          Sample                               Resource
behavioral1   iLemon/lpk.dll                       win7-20240611-en
behavioral2   iLemon/lpk.dll                       win10v2004-20240226-en
behavioral3   iLemon/setup_1.3.1.1002_qd[1].exe    win7-20240221-en
behavioral4   iLemon/setup_1.3.1.1002_qd[1].exe    win10v2004-20240226-en
behavioral5   $PLUGINSDIR/FindProcDLL.dll          win7-20240611-en
behavioral6   $PLUGINSDIR/FindProcDLL.dll          win10v2004-20240611-en
behavioral7   $PLUGINSDIR/KillProcDLL.dll          win7-20240611-en
behavioral8   $PLUGINSDIR/KillProcDLL.dll          win10v2004-20240611-en
behavioral9   $PLUGINSDIR/System.dll               win7-20240221-en
behavioral10  $PLUGINSDIR/System.dll               win10v2004-20240508-en
behavioral11  $PLUGINSDIR/nsDialogs.dll            win7-20240508-en
behavioral12  $PLUGINSDIR/nsDialogs.dll            win10v2004-20240611-en
behavioral13  $PLUGINSDIR/nsisdl.dll               win7-20240221-en
behavioral14  $PLUGINSDIR/nsisdl.dll               win10v2004-20240611-en
behavioral15  1.3.1.1002/LemonCalendar.exe         win7-20240611-en
behavioral16  1.3.1.1002/LemonCalendar.exe         win10v2004-20240611-en
behavioral17  1.3.1.1002/LemonService.exe          win7-20240508-en
behavioral18  1.3.1.1002/LemonService.exe          win10v2004-20240508-en
behavioral19  1.3.1.1002/RunningHelper.exe         win7-20240611-en
behavioral20  1.3.1.1002/RunningHelper.exe         win10v2004-20240611-en
behavioral21  1.3.1.1002/RunningHelper64.exe       win7-20240508-en
behavioral22  1.3.1.1002/RunningHelper64.exe       win10v2004-20240508-en
behavioral23  1.3.1.1002/SmartDesktop.exe          win7-20231129-en
behavioral24  1.3.1.1002/SmartDesktop.exe          win10v2004-20240508-en
behavioral25  1.3.1.1002/SmartNote.exe             win7-20240611-en
behavioral26  1.3.1.1002/SmartNote.exe             win10v2004-20240226-en
behavioral27  ShellExtHelper.dll                   win7-20240508-en
behavioral28  ShellExtHelper.dll                   win10v2004-20240508-en
behavioral29  ShellExtHelper64.dll                 win7-20240221-en
behavioral30  ShellExtHelper64.dll                 win10v2004-20240508-en
behavioral31  iLemon.exe                           win7-20240221-en
behavioral32  iLemon.exe                           win10v2004-20240611-en
General

Target: 1.3.1.1002/SmartDesktop.exe
Size: 2.4MB
MD5: 7cada09f584b144683e6608ce2a6b6ed
SHA1: 1f5de69c90d1344482dd4fd2f8e32da480eed783
SHA256: fe01e629e25da5b03294dc0dfa6c3ba1a11321268715d7fa4d108eb31db06aa9
SHA512: 7e7e91bca2b08831c9dcecc4048282cd823ab2211345ed037f36c4d4400986d583cb8d61a85e14a423548ca000a5df1b666be1ac40b83a87120474362e70a2f4
SSDEEP: 49152:vSWBLrXko7z2Qc7fcWOg+FYty/8trbI+qqQHTrFYvSHjHHl3:vS6LzkWz2QYV+FYAkXz8cujH5
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: SmartDesktop.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun"
  process: SmartDesktop.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: SmartDesktop.exe, RunningHelper.exe
  description: File opened for modification
  ioc: \??\PhysicalDrive0
  process: SmartDesktop.exe

  description: File opened for modification
  ioc: \??\PhysicalDrive0
  process: RunningHelper.exe

Drops file in Windows directory (1 IoCs)
Processes: SmartDesktop.exe
  description: File opened for modification
  ioc: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
  process: SmartDesktop.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes: RunningHelper.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main
  process: RunningHelper.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: SmartDesktop.exe, RunningHelper64.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 1212  process: RunningHelper64.exe

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe
  pid: 2820  process: SmartDesktop.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: RunningHelper64.exe, RunningHelper.exe
  pid: 1212  process: RunningHelper64.exe
  pid: 1904  process: RunningHelper.exe
  pid: 1904  process: RunningHelper.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: SmartDesktop.exe
  description: PID 2820 wrote to memory of 1348  pid: 2820  process: SmartDesktop.exe  target process: Explorer.EXE
  description: PID 2820 wrote to memory of 1212  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper64.exe
  description: PID 2820 wrote to memory of 1212  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper64.exe
  description: PID 2820 wrote to memory of 1212  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper64.exe
  description: PID 2820 wrote to memory of 1212  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper64.exe
  description: PID 2820 wrote to memory of 1904  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper.exe
  description: PID 2820 wrote to memory of 1904  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper.exe
  description: PID 2820 wrote to memory of 1904  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper.exe
  description: PID 2820 wrote to memory of 1904  pid: 2820  process: SmartDesktop.exe  target process: RunningHelper.exe
Processes

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe"
        - Adds Run key to start application
        - Writes to the Master Boot Record (MBR)
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr
            - Writes to the Master Boot Record (MBR)
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk
  Filesize: 1017B
  MD5: d215d8861369a16cb916a950388acb13
  SHA1: 702bf49b2da82e138c77d913791ef12370a75cba
  SHA256: 110158832a414227235e5f5d364fc740c67c7f5c17d272f39ae7b6b99b2f3c6f
  SHA512: 661b188f2b744bcd0a5eea83503029bfc572cf43221fc51894820781c968e445d491de4176fcc21c69a7952361381f29c37a7818ba05f47fe098b4d3e014468c

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 309B
  MD5: 61c8b5393e6e76630667aea236a5800a
  SHA1: c9394bb61ed19af78dfd1acff474699b21602149
  SHA256: a912fba1f989c303c8872a7faa9ccb073b8aabe69b98622e54a5f9ddf526a80b
  SHA512: f5c8887df4c11fd010414fdf4fbcfa727189cdb9ceb4c9b07953b71d9f18608e98d1fe2ee7bd7a6e0054b086c56b3279d3026abbbd7d1f668dd580748316e987

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 256B
  MD5: f8968cd1e5478ab835802b6f4618abbe
  SHA1: 21d4846101d752333dddeb88401da1775277e9eb
  SHA256: 10feadd89e2fc2012d5cf7380bfedec5687419e8ff0fc6e3c603b3d7be911c19
  SHA512: 66e24a0d4a8090c730f009a7f029a2693cc2dd7a31996a0325ae3b0bf5a30c2a26d8b399cd524f6d0926873b48224716e7b915d47537b27206edcf3941c18e13

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 158B
  MD5: 29d98d7092071d2a635fd03684e0bde4
  SHA1: 51a238a256126cf45ee03874c9c7128229353598
  SHA256: 76824bed4e7d3f50132fb792e050cc486b18f38bd042be9720c40e5e1238a7bd
  SHA512: aeea62bad741c561c5d8f3879bcc1e0c347384866c88fdad50e62d66b1af3168cdfc697523a32c3f86b4e76e591e64f323f40539b3e67310f7bd2b0e13d9f8e4

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 276B
  MD5: f4a13b4ec54170d48f2e020248212c6d
  SHA1: e5477c39ea0154557d9d0425267ccb7c3c90284c
  SHA256: cc07e70db3fdf4103bb666a8e3a08d0832cb8fb25b6d1aa057a1c173772544df
  SHA512: 9efa9d8abbc168dbbb300b96fe2df3a67444053b716efe78deaa7ca991460fbcbcc5fdec3f23bb27bbfea5c35dae6d50b1a0381dd6f59b57646945a886054c37

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd.bk
  Filesize: 13KB
  MD5: 6464b38e115f004d9cd62470e023bbe4
  SHA1: 1cd35e48ae864b14512782be3d12b8616a6705f0
  SHA256: a5c99fcc28c8b79833b463aa026d4cf6b8d714c7e68271615153934b32b32d65
  SHA512: 30997c772c6d1fe8306a9d7708ef9dd05e59bf0d41206cfdaddf64de0c0c815ccc3e2adb6487cebee11d6adabe229261fb96ed0af0034f876df4f31c0afe346f

memory/1348-1-0x0000000000250000-0x0000000000350000-memory.dmp
  Filesize: 1024KB

memory/2820-0-0x0000000000180000-0x0000000000181000-memory.dmp
  Filesize: 4KB

memory/2820-77-0x00000000044F0000-0x00000000044F1000-memory.dmp
  Filesize: 4KB

memory/2820-87-0x0000000000180000-0x0000000000181000-memory.dmp
  Filesize: 4KB