Overview (overall score: 7)
Static (score: 3)

Tasks (sample, platform, score):
  iLemon/lpk.dll         windows7-x64        7
  iLemon/lpk.dll         windows10-2004-x64  7
  iLemon/set...1].exe    windows7-x64        7
  iLemon/set...1].exe    windows10-2004-x64  7
  $PLUGINSDI...LL.dll    windows7-x64        3
  $PLUGINSDI...LL.dll    windows10-2004-x64  3
  $PLUGINSDI...LL.dll    windows7-x64        3
  $PLUGINSDI...LL.dll    windows10-2004-x64  3
  $PLUGINSDI...em.dll    windows7-x64        3
  $PLUGINSDI...em.dll    windows10-2004-x64  3
  $PLUGINSDI...gs.dll    windows7-x64        3
  $PLUGINSDI...gs.dll    windows10-2004-x64  3
  $PLUGINSDI...dl.dll    windows7-x64        3
  $PLUGINSDI...dl.dll    windows10-2004-x64  3
  1.3.1.1002...ar.exe    windows7-x64        6
  1.3.1.1002...ar.exe    windows10-2004-x64  7
  1.3.1.1002...ce.exe    windows7-x64        1
  1.3.1.1002...ce.exe    windows10-2004-x64  1
  1.3.1.1002...er.exe    windows7-x64        1
  1.3.1.1002...er.exe    windows10-2004-x64  1
  1.3.1.1002...64.exe    windows7-x64        1
  1.3.1.1002...64.exe    windows10-2004-x64  1
  1.3.1.1002...op.exe    windows7-x64        6
  1.3.1.1002...op.exe    windows10-2004-x64  7
  1.3.1.1002...te.exe    windows7-x64        1
  1.3.1.1002...te.exe    windows10-2004-x64  1
  ShellExtHelper.dll     windows7-x64        7
  ShellExtHelper.dll     windows10-2004-x64  7
  ShellExtHelper64.dll   windows7-x64        7
  ShellExtHelper64.dll   windows10-2004-x64  7
  iLemon.exe             windows7-x64        6
  iLemon.exe             windows10-2004-x64  6

Analysis
  max time kernel: 118s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 15-06-2024 06:58
Static task: static1

Behavioral tasks (task, sample, resource):
  behavioral1   iLemon/lpk.dll                      win7-20240611-en
  behavioral2   iLemon/lpk.dll                      win10v2004-20240226-en
  behavioral3   iLemon/setup_1.3.1.1002_qd[1].exe   win7-20240221-en
  behavioral4   iLemon/setup_1.3.1.1002_qd[1].exe   win10v2004-20240226-en
  behavioral5   $PLUGINSDIR/FindProcDLL.dll         win7-20240611-en
  behavioral6   $PLUGINSDIR/FindProcDLL.dll         win10v2004-20240611-en
  behavioral7   $PLUGINSDIR/KillProcDLL.dll         win7-20240611-en
  behavioral8   $PLUGINSDIR/KillProcDLL.dll         win10v2004-20240611-en
  behavioral9   $PLUGINSDIR/System.dll              win7-20240221-en
  behavioral10  $PLUGINSDIR/System.dll              win10v2004-20240508-en
  behavioral11  $PLUGINSDIR/nsDialogs.dll           win7-20240508-en
  behavioral12  $PLUGINSDIR/nsDialogs.dll           win10v2004-20240611-en
  behavioral13  $PLUGINSDIR/nsisdl.dll              win7-20240221-en
  behavioral14  $PLUGINSDIR/nsisdl.dll              win10v2004-20240611-en
  behavioral15  1.3.1.1002/LemonCalendar.exe        win7-20240611-en
  behavioral16  1.3.1.1002/LemonCalendar.exe        win10v2004-20240611-en
  behavioral17  1.3.1.1002/LemonService.exe         win7-20240508-en
  behavioral18  1.3.1.1002/LemonService.exe         win10v2004-20240508-en
  behavioral19  1.3.1.1002/RunningHelper.exe        win7-20240611-en
  behavioral20  1.3.1.1002/RunningHelper.exe        win10v2004-20240611-en
  behavioral21  1.3.1.1002/RunningHelper64.exe      win7-20240508-en
  behavioral22  1.3.1.1002/RunningHelper64.exe      win10v2004-20240508-en
  behavioral23  1.3.1.1002/SmartDesktop.exe         win7-20231129-en
  behavioral24  1.3.1.1002/SmartDesktop.exe         win10v2004-20240508-en
  behavioral25  1.3.1.1002/SmartNote.exe            win7-20240611-en
  behavioral26  1.3.1.1002/SmartNote.exe            win10v2004-20240226-en
  behavioral27  ShellExtHelper.dll                  win7-20240508-en
  behavioral28  ShellExtHelper.dll                  win10v2004-20240508-en
  behavioral29  ShellExtHelper64.dll                win7-20240221-en
  behavioral30  ShellExtHelper64.dll                win10v2004-20240508-en
  behavioral31  iLemon.exe                          win7-20240221-en
  behavioral32  iLemon.exe                          win10v2004-20240611-en
General
  Target: iLemon.exe
  Size: 305KB
  MD5: cb4fc7cd332339c73421ce5a1163352a
  SHA1: 70b9f301e373f470ab2d58c977772f66f5351359
  SHA256: aa6eb4ba58ab9b26cd862342de710f2467a189601e3110fc9a74ff1b0c9c9d88
  SHA512: 9ee07af325211368cd87686d46f88b824d2ba3ea7ca8d6298a10ba2a975815007d9d4c4920ac9a50ed720af30bb4f3d3c8c221d99562144ffd0aca27883ff659
  SSDEEP: 3072:Jymvab01AuZJV+3FirTRYd7N0du0tOi45A7Jxbdzx8uj2cYkKHQvC0zI1ZN7nkxh:JyXES4TRdu0tLr2tk/vC0oX7UoFHSV
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: SmartDesktop.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun"

Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process: SmartDesktop.exe
  Description: File opened for modification
  IoC: \??\PhysicalDrive0
  Process: RunningHelper.exe
  Description: File opened for modification
  IoC: \??\PhysicalDrive0

Drops file in Windows directory (1 IoC)
  Process: SmartDesktop.exe
  Description: File opened for modification
  IoC: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

Modifies Internet Explorer settings
  Process: RunningHelper.exe
  Description: Key created
  IoC: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1796  iLemon.exe
  PID 2308  SmartDesktop.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
  PID 2308  SmartDesktop.exe (4 IoCs)
  PID 532   RunningHelper64.exe (1 IoC)

Suspicious use of SendNotifyMessage (4 IoCs)
  PID 2308  SmartDesktop.exe (4 IoCs)

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 532   RunningHelper64.exe (1 IoC)
  PID 2132  RunningHelper.exe (2 IoCs)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2308 SmartDesktop.exe wrote to memory of PID 1148 Explorer.EXE (1 IoC)
  PID 2308 SmartDesktop.exe wrote to memory of PID 532 RunningHelper64.exe (4 IoCs)
  PID 2308 SmartDesktop.exe wrote to memory of PID 2132 RunningHelper.exe (4 IoCs)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\iLemon.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\iLemon.exe"
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe" /parent=explorer.exe
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr
      - Writes to the Master Boot Record (MBR)
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk
  Filesize: 1017B
  MD5: d3cdc3461b94d2566e5da0bcbb47aa50
  SHA1: e37713d7750f01877fc674873e5887c2d1ab473c
  SHA256: 0a120d96dfeb3eb64dc17ab65f0b0ed749b73590de435390fbe7fd33b695cc57
  SHA512: 224e5273c6db8e62985edf5326e7745aa01f16335b8922cb12a78a1dbae630ad4c1d299a27d4050d61855beb42d1513c4b7445b0dd323a2a85082b3fb9229831

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 309B
  MD5: f60f63c75d94827cf56e1e58d0e672ce
  SHA1: 91c1216a85beb2f3cf7dd282c5b8ef9abec6bd90
  SHA256: 202adbe61dffc87919269eaf1dfc9f3bfcd24f8dbea87b38e084dd4c7223cc0a
  SHA512: 88cfb2169b7221e20f7c2d990217abf932dfcc4d95d5ab101b6fd37e1a99da41e7c93365b10caa8bff0bbecae01e9a149526b62aa35ce0fa6e6233ba5319bcae

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 256B
  MD5: 61a928f23370956cc76488ec5b9e5c62
  SHA1: 1a6800d9050fb0667b44f4ce674fd600dee7d332
  SHA256: c21ae97af2b5bedd6f524366c85566aa731c74a193a7bd4e00eaf63d0af73acb
  SHA512: c3bda95577efb54657ab5281a959bfcd65f4865763462db85582289bdc38bc50c8cbb7e26d875e7435c80b05b8e970ab3a43eb3c92c4d78f75b805a60031da97

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 158B
  MD5: 6c8180b9686de5e0a9164a1abdf03119
  SHA1: 92514cfe0285b0746156bd4745e8ab1f50057440
  SHA256: 19926a716b098112cbb881f19995bcf2a563752fc6e2ad0c2c29b2dc63b5a381
  SHA512: 3cdc4d03d46f87cb029c08adee2450fb6b32393877c640001517252334ccde6712e5febcc03c118529f22eab53ef03896de3d4da19a1a721629a9b76ddcd0c07

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
  Filesize: 276B
  MD5: d5b500eb314a9c8d20c8f760e45a2dab
  SHA1: 6d31afa36d1947652f3340c7f1424c19215ca553
  SHA256: f678ca2043f8d77c617a3329c8b368545495c9f2a9c3146e8822d551f3a3af7d
  SHA512: 3ef78a2d2f951c916936631ef3332e099396d6be1bef77eab5168d0de82ae1ce9edb3a7cc5ddf929b8c07af02c4ed804ea6511edc6249195a51523261c6c9c88

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd.bk
  Filesize: 15KB
  MD5: ecb1b1a61f5ae79fbb098404db957a9a
  SHA1: 918dde3e6b5943593653b3ebab41c797a26a9648
  SHA256: d4fd13c73b657aa5ffe2863a227599e6405f1b4458c5bad0367079f70a13955e
  SHA512: afeabedeb3d51037ed14ccc29b557a9af5daff5b98ffa6fb48873d45fd2e608aa10da566bdbb24607b3573c18b69be01ce9592603f9fa233b9a1671baac9fb2a

memory/1148-2-0x0000000000250000-0x0000000000350000-memory.dmp
  Filesize: 1024KB

memory/1796-0-0x0000000000120000-0x0000000000122000-memory.dmp
  Filesize: 8KB

memory/2308-1-0x0000000000310000-0x0000000000311000-memory.dmp
  Filesize: 4KB

memory/2308-88-0x00000000040B0000-0x00000000040B1000-memory.dmp
  Filesize: 4KB

memory/2308-118-0x0000000000310000-0x0000000000311000-memory.dmp
  Filesize: 4KB