Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15-06-2024 06:58

General

  • Target: iLemon.exe
  • Size: 305KB
  • MD5: cb4fc7cd332339c73421ce5a1163352a
  • SHA1: 70b9f301e373f470ab2d58c977772f66f5351359
  • SHA256: aa6eb4ba58ab9b26cd862342de710f2467a189601e3110fc9a74ff1b0c9c9d88
  • SHA512: 9ee07af325211368cd87686d46f88b824d2ba3ea7ca8d6298a10ba2a975815007d9d4c4920ac9a50ed720af30bb4f3d3c8c221d99562144ffd0aca27883ff659
  • SSDEEP: 3072:Jymvab01AuZJV+3FirTRYd7N0du0tOi45A7Jxbdzx8uj2cYkKHQvC0zI1ZN7nkxh:JyXES4TRdu0tLr2tk/vC0oX7UoFHSV

Score
6/10

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\iLemon.exe (PID 3008, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\iLemon.exe"
    • Suspicious behavior: EnumeratesProcesses
  • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe (PID 1588, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe" /parent=explorer.exe
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe (PID 4536, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
    • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe (PID 2236, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
  • C:\Windows\SysWOW64\DllHost.exe (PID 1212, depth 1)
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • C:\Windows\SysWOW64\DllHost.exe (PID 3268, depth 1)
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
    • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk
    Filesize: 1KB
    MD5: b5db223b5e2278d99349cda4fd2716a9
    SHA1: 91dbf0576bdb5ae80ffed55b99c5e3d03172e4c8
    SHA256: 66f304b8648bc66ccec9d398f152c64dfa8d58b066528293706940424ed8a892
    SHA512: f3c15262231cd95e704364aeb9daf72ef931ca49bf0b04875845e20e78eb8522e6bdcc904969b4a10ccf822179a1bfc03e43be35a82e919a339e74b43b5e05ff

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
    Filesize: 256B
    MD5: 61a928f23370956cc76488ec5b9e5c62
    SHA1: 1a6800d9050fb0667b44f4ce674fd600dee7d332
    SHA256: c21ae97af2b5bedd6f524366c85566aa731c74a193a7bd4e00eaf63d0af73acb
    SHA512: c3bda95577efb54657ab5281a959bfcd65f4865763462db85582289bdc38bc50c8cbb7e26d875e7435c80b05b8e970ab3a43eb3c92c4d78f75b805a60031da97

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
    Filesize: 276B
    MD5: d5b500eb314a9c8d20c8f760e45a2dab
    SHA1: 6d31afa36d1947652f3340c7f1424c19215ca553
    SHA256: f678ca2043f8d77c617a3329c8b368545495c9f2a9c3146e8822d551f3a3af7d
    SHA512: 3ef78a2d2f951c916936631ef3332e099396d6be1bef77eab5168d0de82ae1ce9edb3a7cc5ddf929b8c07af02c4ed804ea6511edc6249195a51523261c6c9c88

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
    Filesize: 309B
    MD5: f60f63c75d94827cf56e1e58d0e672ce
    SHA1: 91c1216a85beb2f3cf7dd282c5b8ef9abec6bd90
    SHA256: 202adbe61dffc87919269eaf1dfc9f3bfcd24f8dbea87b38e084dd4c7223cc0a
    SHA512: 88cfb2169b7221e20f7c2d990217abf932dfcc4d95d5ab101b6fd37e1a99da41e7c93365b10caa8bff0bbecae01e9a149526b62aa35ce0fa6e6233ba5319bcae

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
    Filesize: 70B
    MD5: 32131487bbe45d43f1ac008ef87e3a75
    SHA1: 2d381b18cebdaa55b59444c7a2df5afad048a2b2
    SHA256: f24aad5fa94f861cdc02296d20134111578a218b8c5d1c5a8a2e20c1e9ae77f8
    SHA512: a069076db8ab179d7e1b3a5ce5552971dc3949a77f3c238f5b05bfb69ac4f85f950b0a67fa08ae8f68e83202484bfb058e0856c17dfdce512ca8ac790c041095

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
    Filesize: 70B
    MD5: d4cb6152a39e52256a676dfe5fb9a2b4
    SHA1: 2202dbdf0c6d4beba22ad2bc5b39ecb1630e5f0d
    SHA256: 36e189ab0a5fb4cedef2f0bbff3e93b52d39d5bfcec6dc2c3324f2fabc1b0236
    SHA512: b60b9d291d9a705c19be87c5d1d715689ba95a95a938a932272e7342639c7bede1193d07a9fd9f559d42020f7a80b48f05a6659d482524c14cd33d360c3a397b

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
    Filesize: 96B
    MD5: f17ad7bed7dc75bb1bf2554d93eb3805
    SHA1: 9a9716df7efc4b3fbaf361e53b75126deaa7a613
    SHA256: a16922501281c17e02671aaef2c156e5b3da6df2eff110fec974a3973d2156da
    SHA512: e0e8ad4ae5db0031dd1751ed19cf29f66637bc04e452daf5c7609727c684371cc1c2916d86cf833c50552924c6e475858b87a74ea14c727801a40a38b7ab43ca

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
    Filesize: 158B
    MD5: 6c8180b9686de5e0a9164a1abdf03119
    SHA1: 92514cfe0285b0746156bd4745e8ab1f50057440
    SHA256: 19926a716b098112cbb881f19995bcf2a563752fc6e2ad0c2c29b2dc63b5a381
    SHA512: 3cdc4d03d46f87cb029c08adee2450fb6b32393877c640001517252334ccde6712e5febcc03c118529f22eab53ef03896de3d4da19a1a721629a9b76ddcd0c07

  • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd
    Filesize: 15KB
    MD5: c34e7a6742f3a197486c654925a3046d
    SHA1: 5d8e96b3d5928445b58d4b9391ee55e904482c37
    SHA256: b7c20fb77f02ab366f244b50682c8086d2b1e79655ac8a3748f3ed57822ba503
    SHA512: f5558de163df772c0c0abb1623fabd9ab9709b1f04d80fb9ba758367a51d8ed41cc7e9ddd42f3d4887fef0185eab1c81408fce7a525e35b7167fbceecc4612e5
