Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 06:58
Tasks
- static1 (Static task)
- behavioral1: iLemon/lpk.dll, resource win7-20240611-en
- behavioral2: iLemon/lpk.dll, resource win10v2004-20240226-en
- behavioral3: iLemon/setup_1.3.1.1002_qd[1].exe, resource win7-20240221-en
- behavioral4: iLemon/setup_1.3.1.1002_qd[1].exe, resource win10v2004-20240226-en
- behavioral5: $PLUGINSDIR/FindProcDLL.dll, resource win7-20240611-en
- behavioral6: $PLUGINSDIR/FindProcDLL.dll, resource win10v2004-20240611-en
- behavioral7: $PLUGINSDIR/KillProcDLL.dll, resource win7-20240611-en
- behavioral8: $PLUGINSDIR/KillProcDLL.dll, resource win10v2004-20240611-en
- behavioral9: $PLUGINSDIR/System.dll, resource win7-20240221-en
- behavioral10: $PLUGINSDIR/System.dll, resource win10v2004-20240508-en
- behavioral11: $PLUGINSDIR/nsDialogs.dll, resource win7-20240508-en
- behavioral12: $PLUGINSDIR/nsDialogs.dll, resource win10v2004-20240611-en
- behavioral13: $PLUGINSDIR/nsisdl.dll, resource win7-20240221-en
- behavioral14: $PLUGINSDIR/nsisdl.dll, resource win10v2004-20240611-en
- behavioral15: 1.3.1.1002/LemonCalendar.exe, resource win7-20240611-en
- behavioral16: 1.3.1.1002/LemonCalendar.exe, resource win10v2004-20240611-en
- behavioral17: 1.3.1.1002/LemonService.exe, resource win7-20240508-en
- behavioral18: 1.3.1.1002/LemonService.exe, resource win10v2004-20240508-en
- behavioral19: 1.3.1.1002/RunningHelper.exe, resource win7-20240611-en
- behavioral20: 1.3.1.1002/RunningHelper.exe, resource win10v2004-20240611-en
- behavioral21: 1.3.1.1002/RunningHelper64.exe, resource win7-20240508-en
- behavioral22: 1.3.1.1002/RunningHelper64.exe, resource win10v2004-20240508-en
- behavioral23: 1.3.1.1002/SmartDesktop.exe, resource win7-20231129-en
- behavioral24: 1.3.1.1002/SmartDesktop.exe, resource win10v2004-20240508-en
- behavioral25: 1.3.1.1002/SmartNote.exe, resource win7-20240611-en
- behavioral26: 1.3.1.1002/SmartNote.exe, resource win10v2004-20240226-en
- behavioral27: ShellExtHelper.dll, resource win7-20240508-en
- behavioral28: ShellExtHelper.dll, resource win10v2004-20240508-en
- behavioral29: ShellExtHelper64.dll, resource win7-20240221-en
- behavioral30: ShellExtHelper64.dll, resource win10v2004-20240508-en
- behavioral31: iLemon.exe, resource win7-20240221-en
- behavioral32: iLemon.exe, resource win10v2004-20240611-en
General
- Target: ShellExtHelper64.dll
- Size: 962KB
- MD5: a32c987eec0f9a19777381e86917faf5
- SHA1: 79e76d299fa62fdfa12c2ed5491b3d59d0650df7
- SHA256: d664e87b7277da8cc721703899d1d13f61f1c330c82fad9141afe172ee5fc420
- SHA512: 3049fef09fb0a687bc61ae95eb2a833a0c080154cd8090f508f323ec9589012f37c789fc62ac303da2d7bb0f969c9b98eb1edcaac8a8fc8a0700fde5087bceef
- SSDEEP: 12288:Lh8XJTkkVGkIk+B1qibM7zMy1owYcwbPLbTF:oTF34jqyM74moj3
Malware Config
Signatures
-
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Process: regsvr32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}"
-
Registers COM server for autorun (1 TTPs, 3 IoCs)
Process: regsvr32.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll"
-
Modifies registry class (35 IoCs)
Process: regsvr32.exe (all entries)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\ = "ShellExtHelperLib 类型库"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\ = "ShellContextMenu Class"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win64
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS\ = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\SmartDesktopExt
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper64.dll
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Modifies registry class
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)