Malware Analysis Report

2024-09-23 11:20

Sample ID 240615-hrmkya1gmg
Target ad3c705d30aaf8b8dd7b15d3c38bfc3d_JaffaCakes118
SHA256 9760ee12d14854ff4b062282bc6c00c499e5452f12d97722cbf55e233e18b4c3
Tags
persistence bootkit
score
7/10

Analysis Overview

score
7/10

SHA256

9760ee12d14854ff4b062282bc6c00c499e5452f12d97722cbf55e233e18b4c3

Threat Level: Shows suspicious behavior

The file ad3c705d30aaf8b8dd7b15d3c38bfc3d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence bootkit

Checks computer location settings

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 06:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe"

Network

Files

memory/3912-0-0x0000013C52E70000-0x0000013C52F23000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3728 wrote to memory of 3620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3728 wrote to memory of 3620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3728 wrote to memory of 3620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4884 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4884 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper64.dll

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\ = "ShellExtHelperLib ÀàÐÍ¿â" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\ = "ShellContextMenu Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper64.dll

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:01

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 228

Network

N/A

Files

memory/2076-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2076-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2076-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3652 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3652 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/2740-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2740-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:01

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun" C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe"

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install_Force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/2044-0-0x000001649B0D0000-0x000001649B183000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240611-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper.dll

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\ = "ShellContextMenu Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\ = "ShellExtHelperLib ÀàÐÍ¿â" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3700 wrote to memory of 208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3700 wrote to memory of 208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3700 wrote to memory of 208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper.dll

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe

"C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
N/A 127.0.0.1:80 tcp

Files

\Users\Admin\AppData\Local\Temp\nsy2020.tmp\System.dll

MD5 960a5c48e25cf2bca332e74e11d825c9
SHA1 da35c6816ace5daf4c6c1d57b93b09a82ecdc876
SHA256 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
SHA512 cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

\Users\Admin\AppData\Local\Temp\nsy2020.tmp\nsisdl.dll

MD5 a5a4cee2eb89d2687c05ef74299f0dba
SHA1 b9bff5987be422887f2f402357b47db2288a1a42
SHA256 cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963
SHA512 f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

\Users\Admin\AppData\Local\Temp\nsy2020.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/3048-20-0x00000000004D1000-0x00000000004D2000-memory.dmp

memory/3048-19-0x00000000004D0000-0x00000000004D3000-memory.dmp

memory/3048-22-0x00000000004D1000-0x00000000004D2000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonService.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonService.exe"

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 224

Network

N/A

Files

memory/2096-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2096-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 4936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 4936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 4936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Note: both signatures are side effects of the sandbox detonating an NSIS plugin ($PLUGINSDIR\KillProcDLL.dll) on its own through rundll32, not behaviour of the installer. The 64-bit C:\Windows\system32\rundll32.exe starts the 32-bit C:\Windows\SysWOW64\rundll32.exe to host a 32-bit DLL (the three WriteProcessMemory rows are that process creation), and an NSIS plugin export invoked with rundll32's (HWND, HINSTANCE, LPSTR, int) entry-point arguments instead of the NSIS stack parameters it expects reads garbage pointers, so the 32-bit host crashes into WerFault. The same rundll32 / SysWOW64 rundll32 / WerFault pattern recurs for the other $PLUGINSDIR DLLs (System.dll, nsisdl.dll) in this report.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4168,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4936-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4936-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 224

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun" C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe N/A

Enumerates physical storage devices
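The "Writes to the Master Boot Record (MBR)" signature above fires when a handle to \??\PhysicalDrive0 is opened for modification; the report records the open, not a write to sector 0, and the neighbouring "Enumerates physical storage devices" signature is equally consistent with a desktop utility reading hardware identifiers from the raw disk. The way to settle it is to read sector 0 on a host where the installer ran and compare the boot code with a known-good baseline. The Python below is an added example of that check, not code from the report or from the 柠檬桌面 software; it assumes the classic MBR layout, a baseline hash recorded from a clean image beforehand, and the sample sectors at the bottom are constructed test data.

```python
r"""Read and verify sector 0 (the MBR) after a sample opened \\.\PhysicalDrive0
for modification.

Added example: not part of the sandbox report or of the analysed software.
Assumes the classic MBR layout (440 bytes boot code, 4-byte disk signature,
2 reserved bytes, four 16-byte partition entries, 0x55AA trailer) and a
baseline boot-code hash recorded from a known-good image."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
MBR_TRAILER = b"\x55\xaa"
PART_ENTRY = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count
GPT_PROTECTIVE = 0xEE      # on GPT disks sector 0 holds only a protective MBR


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read the raw first sector (needs an elevated prompt on Windows)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != MBR_TRAILER:
        raise ValueError("0x55AA trailer missing: sector 0 is not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0x00:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "gpt": any(p["type"] == GPT_PROTECTIVE for p in partitions),
    }


def check_mbr(sector, baseline_boot_code_sha256, expected_partitions=None):
    """Compare sector 0 with the baseline; an empty list means nothing changed."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible MBR bootkit)")
    if expected_partitions is not None:
        layout = [(p["lba_start"], p["lba_count"]) for p in info["partitions"]]
        if layout != expected_partitions:
            findings.append("partition table differs from baseline")
    if info["gpt"]:
        # A GPT disk boots through the EFI System Partition; hashing the
        # protective MBR alone does not cover that boot path.
        findings.append("GPT protective MBR: also verify the EFI System Partition")
    return findings


def build_sample_mbr(boot_code):
    """Constructed test data (not taken from the report): one bootable NTFS
    partition at LBA 2048 and the given boot-code stub."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 20480)
    sector[510:512] = MBR_TRAILER
    return bytes(sector)


# Constructed "known good" stub (xor ax,ax / mov ss,ax / mov sp,7C00h, NOP padded)
# and a tampered copy whose first bytes were replaced, as a bootkit would do.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:])

if __name__ == "__main__":
    # On the suspect host (elevated): hash sector 0 and compare with the
    # baseline taken before the installer ran.
    live = parse_mbr(read_sector0())
    print(live["boot_code_sha256"], live["partitions"])
```

Run it elevated on the suspect host and compare the printed hash with the baseline from a clean image of the same build; a differing boot code is the confirmation the sandbox signature on its own cannot give, and on a GPT disk the EFI System Partition needs the same comparison.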

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr

Network

Country Destination Domain Proto
US 8.8.8.8:53 int.dpool.sina.com.cn udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 smartdesktop.sinaapp.com udp

Files

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 d4cb6152a39e52256a676dfe5fb9a2b4
SHA1 2202dbdf0c6d4beba22ad2bc5b39ecb1630e5f0d
SHA256 36e189ab0a5fb4cedef2f0bbff3e93b52d39d5bfcec6dc2c3324f2fabc1b0236
SHA512 b60b9d291d9a705c19be87c5d1d715689ba95a95a938a932272e7342639c7bede1193d07a9fd9f559d42020f7a80b48f05a6659d482524c14cd33d360c3a397b

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 174265a58374b8543d443cbba004e513
SHA1 10052cb2c83a2548b69cb84f6a5439b473fed81e
SHA256 2bf1e2bb677ac9ae1236c3f633f7b959601fa9edcadc184202339fd3910fafab
SHA512 6113ae509de975ba69d27db772acaff836df2702fe8eeb4e9755c847b2dab6752fef5c2fd6ec0e93bef69c041ae167cf91a19b20f8be5d9a81e4427719e665d6

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 e0356f1d3a3da4f00baa4c6e68c9c8b6
SHA1 79397120a80116b6ab156e0669f001bb16d67b43
SHA256 6f0aa5985413c8de6f0284aa8b5bca30a8a5dc12a98caba5d11e20075f000fb5
SHA512 238ea77e36e6a1e5ba0510b3f7837148d768cda33fd8af1431725ab2e1dab3a973fd943a2b87b97ef28e2e3c9e18d2085ebbf7fa1f788424c79cb21554541f94

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 7891eb8bdd9283bd91ec14164bfda694
SHA1 2a0bed9fe4c14f686403cb3c926e62be42d9b528
SHA256 2aa641ce12287d49431fca31e06cd64cc3c596db1104f999a1186952e6ae29a3
SHA512 a9aaba8d0de04597472bc286f5df90528e87e462fe066da8208eb7e335bdf5cbcbb04d1b60f538e0a62cd7d0689f46e4ea85b21b98ce2d6a396ed3c64bbb91a3

memory/1440-76-0x0000000004840000-0x0000000004850000-memory.dmp

memory/1440-77-0x0000000004840000-0x0000000004850000-memory.dmp

memory/1440-78-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-79-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-80-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-81-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-82-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-83-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-84-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-85-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-86-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-87-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-89-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-88-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-91-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-92-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-90-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-93-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-94-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-95-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-96-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-97-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-98-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-100-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-103-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-101-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-99-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-102-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-105-0x0000000006460000-0x0000000006470000-memory.dmp

memory/1440-104-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-106-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-107-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-108-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-110-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-111-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-117-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-116-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-115-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-114-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-113-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-112-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-109-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-118-0x0000000004840000-0x0000000004850000-memory.dmp

memory/1440-119-0x0000000004840000-0x0000000004850000-memory.dmp

memory/1440-120-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-123-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-121-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-122-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-124-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-126-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-125-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-128-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-127-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-130-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-129-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-134-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-133-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-132-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-131-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-135-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-136-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-140-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-139-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-138-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-137-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-141-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-142-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-143-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-144-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-147-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-146-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1440-145-0x0000000004CF0000-0x0000000004D00000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 d69c5f20196477008ba293e2979dcabd
SHA1 ac8617d57d8b8c4972608da1b6539ab2bddcc02e
SHA256 a8279f4d967b5ba590637a02ff15b36b2ff370268162715ca4cf121e8eb683cb
SHA512 246090ba5808ffd9795c840f76f72647f0974ece30ecdf6629e8c6625871641e593c07358d35fa9cbdbd7e417eac4e01f0f2c57dde0e3e1d5876bced15a2f1f5

memory/1440-156-0x0000000000010000-0x0000000000011000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 137ee0849608a2c07b373b10695b3721
SHA1 9fe26b308066cce6380023e9d0f0eb898d97af62
SHA256 dee9691327dc0f287cb77aa83f96280e4a31d7ef90f565897467abc3023b163a
SHA512 da69a7f69f35431a305ebcda2ca7a1d95e459435d96b76bb4b25f0b2403da78f4ac8a3f948be503eb79a89808761f89b2015a16de1fa57eb5eb42fc53e9b53d1

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd.bk

MD5 47a40f4fdf8ab4daa2fb450aab3ff92a
SHA1 804de7e3eefaa02c8deeb67e526995e557767ecb
SHA256 afe50e2a6e3f625fd62c5489320c430d501335864468a0623511fd0f5934a1a2
SHA512 bd5a44eb9407411624c2ba2c1cb24c6ce245f8e3a8864d2db80fc70d8cbe312f3d1753b448d52b2d7ac93bc87793a692914ac6f2df8f44f328db0051e7c8d815

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 6f4dac83de8dcd929d687888aa099b68
SHA1 1264e430b3f4832a8ce082cac7ec4650648e57b4
SHA256 7e783161abfe5fcb30a430c0cecf64d3c00874954ba0e0979b4c7e46c880dc12
SHA512 0a3c407c589b582a61c47b81743c58fc1f89966e1ec95aacae61c7464374916e3b3c7f925c7914fa4844a90b6897084e57652aecc0e1b5460afa1ef466475617

C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk

MD5 5454d6793d2f975f9dc1574f1b0864c2
SHA1 a907ec1dc48985e5b3f684ab6361d9647cea694c
SHA256 c79f00cc36e1bae146ce9b2c6c5ff7ec5cc42b861797b2ab0d5d9331f14dd1ed
SHA512 928d6f163a2563c4a403164371ceca40994bd81b363921f4b8adfd5a8ba1b5456f83c2a448d4f2e9cc21de74fe48b1bcde1cf49fef8f550bf9b0e76680fafeb4

memory/1440-239-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-240-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/1440-241-0x0000000006460000-0x0000000006470000-memory.dmp

memory/1440-242-0x0000000006300000-0x0000000006310000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun" C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iLemon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A
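The "Adds Run key to start application" signature (in this detonation and in behavioral24 above) records a per-user Run value named 柠檬桌面 whose command is "C:\Users\Admin\AppData\Local\Temp\iLemon.exe" /from=autorun (the report shows the quotes and backslashes escaped). The detail worth alerting on is an autorun image under a user's Temp directory, whatever the value is named. The Python below is an added example of that triage over Run-key entries, not code from the report or from the analysed software; the list of writable locations is an assumption to adjust per environment, the sample entries are constructed around the value from this report, and the live collector only works on Windows.

```python
"""Flag autorun (Run key) entries whose program lives in a user-writable
temporary directory, as the 柠檬桌面 entry in this report does.

Added example, not part of the report or of the analysed software. The list
of writable locations is an assumption to adjust per environment; the live
collector at the bottom only works on Windows."""
import re

EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr")
# Locations a persistent program should not be launched from (assumption).
WRITABLE_TEMP_DIRS = (
    r"\\AppData\\Local\\Temp\\",
    r"\\Windows\\Temp\\",
    r"\\Users\\Public\\",
    r"^[A-Z]:\\Temp\\",
)


def image_path(command):
    r"""Extract the program path from a Run value.

    '"C:\Users\Admin\AppData\Local\Temp\iLemon.exe" /from=autorun' -> the quoted path.
    For unquoted commands the shortest space-delimited prefix ending in an
    executable extension is taken, mirroring how CreateProcess resolves
    unquoted paths containing spaces (minus the on-disk existence check)."""
    command = command.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command[1:]
    tokens = command.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_SUFFIXES):
            return candidate
    return tokens[0]


def triage_run_entries(entries):
    """entries: iterable of (key_path, value_name, command) -> list of findings."""
    findings = []
    for key_path, name, command in entries:
        image = image_path(command)
        if any(re.search(p, image, re.IGNORECASE) for p in WRITABLE_TEMP_DIRS):
            findings.append({"key": key_path, "name": name, "image": image,
                             "reason": "autorun image in a user-writable temp directory"})
    return findings


def collect_run_entries():
    """Windows only: read the HKCU and HKLM Run keys, including the WOW6432Node view."""
    import winreg
    locations = (
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"),
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run"),
        (winreg.HKEY_LOCAL_MACHINE, r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
    )
    entries = []
    for hive, subkey in locations:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:          # no more values under this key
                        break
                    entries.append((subkey, name, str(data)))
                    index += 1
        except OSError:                      # key absent (e.g. WOW6432Node on 32-bit)
            continue
    return entries


# Constructed sample: the value from this report plus two entries shaped like
# ordinary vendor autoruns (the latter two paths are illustrative).
SAMPLE_ENTRIES = [
    (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "柠檬桌面", r'"C:\Users\Admin\AppData\Local\Temp\iLemon.exe" /from=autorun'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Program Files\Example Vendor\updater.exe /silent"),
]

if __name__ == "__main__":
    for finding in triage_run_entries(SAMPLE_ENTRIES):
        print(finding)
```

On a live Windows host, feed collect_run_entries() to triage_run_entries() instead of the sample list; the same check applies to the RunOnce keys and to HKU hives of other profiles, which this example does not enumerate.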

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iLemon.exe

"C:\Users\Admin\AppData\Local\Temp\iLemon.exe"

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe" /parent=explorer.exe

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr

Network

Country Destination Domain Proto
US 8.8.8.8:53 int.dpool.sina.com.cn udp
N/A 10.79.217.129:80 int.dpool.sina.com.cn tcp
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
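The Network tables in this report mix three kinds of rows: DNS queries to 8.8.8.8 (where the Domain column is the name asked for), TCP connections with the name that resolved to the destination, and bare IP contacts with no name. Two details matter when reading them: loopback rows and the bing.com / in-addr.arpa rows are the sample talking to itself or the guest OS doing its own lookups, and int.dpool.sina.com.cn resolved to 10.79.217.129, an RFC 1918 address that is not routable from the public internet, so that TCP row is not evidence of a reachable server and the name, not the address, is the indicator to keep. The Python below is an added example that separates these cases, not code from the report or from the sandbox vendor; the background-suffix list is an assumption, and the sample rows are copied from the Network tables of this report.

```python
"""Triage the Network rows of a sandbox report: separate what the sample
contacted from the guest OS's own background traffic, and spot public names
that resolved to RFC 1918 addresses inside the sandbox.

Added example, not part of the report or of the analysed software. The
background-suffix list is an assumption to tune per sandbox."""
import ipaddress

# Names the Windows guest talks to by itself (assumption; extend as needed).
BACKGROUND_SUFFIXES = ("bing.com", "in-addr.arpa")


def parse_row(line):
    """Parse 'Country Destination [Domain] Proto'; Domain is blank for direct IPs."""
    fields = line.split()
    if len(fields) == 4:
        country, destination, domain, proto = fields
    elif len(fields) == 3:
        country, destination, proto = fields
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = destination.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(host), "port": int(port),
            "domain": domain.lower(), "proto": proto.lower()}


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage_network(table_text):
    """Return the names queried, names resolved to IPs, private-address answers,
    direct IP contacts, and counts of background and loopback rows."""
    out = {"queried_domains": set(), "resolved": {}, "private_answers": [],
           "direct_ips": set(), "background": 0, "local": 0}
    for line in table_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if row["ip"].is_loopback:
            out["local"] += 1            # 127.0.0.1:80 is the sample talking to itself
        elif row["domain"] and is_background(row["domain"]):
            out["background"] += 1
        elif row["port"] == 53 and row["proto"] == "udp":
            if row["domain"]:            # destination is the resolver; keep the name asked for
                out["queried_domains"].add(row["domain"])
        elif row["domain"]:
            out["resolved"][row["domain"]] = str(row["ip"])
            if row["ip"].is_private:     # public name, RFC 1918 answer: not reachable from here
                out["private_answers"].append((row["domain"], str(row["ip"])))
        else:
            out["direct_ips"].add(f'{row["ip"]}:{row["port"]}')
    return out


# Rows copied from the Network tables of this report (behavioral31, behavioral8,
# behavioral24 and behavioral18).
SAMPLE_ROWS = """
US 8.8.8.8:53 int.dpool.sina.com.cn udp
N/A 10.79.217.129:80 int.dpool.sina.com.cn tcp
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 23.53.113.159:80 tcp
"""

if __name__ == "__main__":
    for key, value in triage_network(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The direct_ips set still needs attribution before it is used: the report's tables do not say which process made each connection, so an address such as 52.142.223.178:80 has to be matched against the process list of its detonation before it is treated as the sample's infrastructure.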

Files

memory/1796-0-0x0000000000120000-0x0000000000122000-memory.dmp

memory/2308-1-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1148-2-0x0000000000250000-0x0000000000350000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 6c8180b9686de5e0a9164a1abdf03119
SHA1 92514cfe0285b0746156bd4745e8ab1f50057440
SHA256 19926a716b098112cbb881f19995bcf2a563752fc6e2ad0c2c29b2dc63b5a381
SHA512 3cdc4d03d46f87cb029c08adee2450fb6b32393877c640001517252334ccde6712e5febcc03c118529f22eab53ef03896de3d4da19a1a721629a9b76ddcd0c07

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 61a928f23370956cc76488ec5b9e5c62
SHA1 1a6800d9050fb0667b44f4ce674fd600dee7d332
SHA256 c21ae97af2b5bedd6f524366c85566aa731c74a193a7bd4e00eaf63d0af73acb
SHA512 c3bda95577efb54657ab5281a959bfcd65f4865763462db85582289bdc38bc50c8cbb7e26d875e7435c80b05b8e970ab3a43eb3c92c4d78f75b805a60031da97

memory/2308-88-0x00000000040B0000-0x00000000040B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 d5b500eb314a9c8d20c8f760e45a2dab
SHA1 6d31afa36d1947652f3340c7f1424c19215ca553
SHA256 f678ca2043f8d77c617a3329c8b368545495c9f2a9c3146e8822d551f3a3af7d
SHA512 3ef78a2d2f951c916936631ef3332e099396d6be1bef77eab5168d0de82ae1ce9edb3a7cc5ddf929b8c07af02c4ed804ea6511edc6249195a51523261c6c9c88

memory/2308-118-0x0000000000310000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 f60f63c75d94827cf56e1e58d0e672ce
SHA1 91c1216a85beb2f3cf7dd282c5b8ef9abec6bd90
SHA256 202adbe61dffc87919269eaf1dfc9f3bfcd24f8dbea87b38e084dd4c7223cc0a
SHA512 88cfb2169b7221e20f7c2d990217abf932dfcc4d95d5ab101b6fd37e1a99da41e7c93365b10caa8bff0bbecae01e9a149526b62aa35ce0fa6e6233ba5319bcae

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd.bk

MD5 ecb1b1a61f5ae79fbb098404db957a9a
SHA1 918dde3e6b5943593653b3ebab41c797a26a9648
SHA256 d4fd13c73b657aa5ffe2863a227599e6405f1b4458c5bad0367079f70a13955e
SHA512 afeabedeb3d51037ed14ccc29b557a9af5daff5b98ffa6fb48873d45fd2e608aa10da566bdbb24607b3573c18b69be01ce9592603f9fa233b9a1671baac9fb2a

C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk

MD5 d3cdc3461b94d2566e5da0bcbb47aa50
SHA1 e37713d7750f01877fc674873e5887c2d1ab473c
SHA256 0a120d96dfeb3eb64dc17ab65f0b0ed749b73590de435390fbe7fd33b695cc57
SHA512 224e5273c6db8e62985edf5326e7745aa01f16335b8922cb12a78a1dbae630ad4c1d299a27d4050d61855beb42d1513c4b7445b0dd323a2a85082b3fb9229831

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:01

Platform

win7-20240611-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun" C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonCalendar.exe"

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install_Force

Network

Country Destination Domain Proto
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
N/A 127.0.0.1:80 tcp

Files

memory/2436-0-0x0000000002C90000-0x0000000002C91000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 1316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4252 wrote to memory of 1316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4252 wrote to memory of 1316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1316 -ip 1316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1644-0-0x00000000026B0000-0x000000000279A000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun" C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Windows\Explorer.EXE
PID 2820 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
PID 2820 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
PID 2820 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
PID 2820 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
PID 2820 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe
PID 2820 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe
PID 2820 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe
PID 2820 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe

Note: the rows are not all of the same weight. The first is a write into the already-running C:\Windows\Explorer.EXE (PID 1348), a cross-process write into the shell by a program SmartDesktop.exe did not start; the sandbox also dumped a 1 MB region of that process (memory/1348-1-0x0000000000250000-0x0000000000350000-memory.dmp in the Files list below). The remaining rows target RunningHelper64.exe and RunningHelper.exe, SmartDesktop.exe's own children, and are the writes a parent performs when it creates a child process.

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr

Network

Country Destination Domain Proto
US 8.8.8.8:53 int.dpool.sina.com.cn udp
N/A 10.79.217.129:80 int.dpool.sina.com.cn tcp
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp

Files

memory/2820-0-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1348-1-0x0000000000250000-0x0000000000350000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 29d98d7092071d2a635fd03684e0bde4
SHA1 51a238a256126cf45ee03874c9c7128229353598
SHA256 76824bed4e7d3f50132fb792e050cc486b18f38bd042be9720c40e5e1238a7bd
SHA512 aeea62bad741c561c5d8f3879bcc1e0c347384866c88fdad50e62d66b1af3168cdfc697523a32c3f86b4e76e591e64f323f40539b3e67310f7bd2b0e13d9f8e4

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 f8968cd1e5478ab835802b6f4618abbe
SHA1 21d4846101d752333dddeb88401da1775277e9eb
SHA256 10feadd89e2fc2012d5cf7380bfedec5687419e8ff0fc6e3c603b3d7be911c19
SHA512 66e24a0d4a8090c730f009a7f029a2693cc2dd7a31996a0325ae3b0bf5a30c2a26d8b399cd524f6d0926873b48224716e7b915d47537b27206edcf3941c18e13

memory/2820-77-0x00000000044F0000-0x00000000044F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 f4a13b4ec54170d48f2e020248212c6d
SHA1 e5477c39ea0154557d9d0425267ccb7c3c90284c
SHA256 cc07e70db3fdf4103bb666a8e3a08d0832cb8fb25b6d1aa057a1c173772544df
SHA512 9efa9d8abbc168dbbb300b96fe2df3a67444053b716efe78deaa7ca991460fbcbcc5fdec3f23bb27bbfea5c35dae6d50b1a0381dd6f59b57646945a886054c37

memory/2820-87-0x0000000000180000-0x0000000000181000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd.bk

MD5 6464b38e115f004d9cd62470e023bbe4
SHA1 1cd35e48ae864b14512782be3d12b8616a6705f0
SHA256 a5c99fcc28c8b79833b463aa026d4cf6b8d714c7e68271615153934b32b32d65
SHA512 30997c772c6d1fe8306a9d7708ef9dd05e59bf0d41206cfdaddf64de0c0c815ccc3e2adb6487cebee11d6adabe229261fb96ed0af0034f876df4f31c0afe346f

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 61c8b5393e6e76630667aea236a5800a
SHA1 c9394bb61ed19af78dfd1acff474699b21602149
SHA256 a912fba1f989c303c8872a7faa9ccb073b8aabe69b98622e54a5f9ddf526a80b
SHA512 f5c8887df4c11fd010414fdf4fbcfa727189cdb9ceb4c9b07953b71d9f18608e98d1fe2ee7bd7a6e0054b086c56b3279d3026abbbd7d1f668dd580748316e987

C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk

MD5 d215d8861369a16cb916a950388acb13
SHA1 702bf49b2da82e138c77d913791ef12370a75cba
SHA256 110158832a414227235e5f5d364fc740c67c7f5c17d272f39ae7b6b99b2f3c6f
SHA512 661b188f2b744bcd0a5eea83503029bfc572cf43221fc51894820781c968e445d491de4176fcc21c69a7952361381f29c37a7818ba05f47fe098b4d3e014468c

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240611-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartNote.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartNote.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartNote.exe"

Network

N/A

Files

memory/2280-0-0x00000000000A0000-0x00000000000A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\NoteData.snd.bk

MD5 f942929fd96a7cf3eb24b1cb60a5dca8
SHA1 62267adac539a1a6e49dde121c30571681b4d0f8
SHA256 5e2e14797db6ec8aeb47483c0183d7d1c421895e7a67eaaf9de5595cf401d9ea
SHA512 8189640a82a20fb6fe5908857b50d7137f29a259f049720644c4298c59ff22d86843076528f76f7fa7e6c1e8eaeeb5f145520c39845952221a3a36437ef0b992

memory/2280-6-0x00000000000A0000-0x00000000000A1000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:01

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartNote.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartNote.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartNote.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\NoteData.snd.bk

MD5 7e98029613c0f6b0b5361d37e4eab311
SHA1 f85b6e6a57ccfb952c1d8aeb10b0dae0034c8a4a
SHA256 bbf17355d3043c6d7b30f22820ca5a99afbe23c8aad1b558a4d5a3c1d327cc6a
SHA512 d3648d1efc3631d9ebe245a0399949103d5eac5829c0761089694f8598d0d8d539bfa20e942bdd48e90da4bc054d76fe7157ac3f9972c1d111a6feac4cbd4fa8

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper.dll

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\ = "ShellExtHelperLib 类型库" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\ = "ShellContextMenu Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 2424 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2436 wrote to memory of 2424 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2436 wrote to memory of 2424 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2436 wrote to memory of 2424 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2436 wrote to memory of 2424 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2436 wrote to memory of 2424 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2436 wrote to memory of 2424 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:01

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iLemon\lpk.dll,#1

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp N/A
N/A N/A C:\Windows\SysWOW64\yiosmw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\yiosmw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\yiosmw.exe C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp N/A
File opened for modification C:\Windows\SysWOW64\yiosmw.exe C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp N/A
File created C:\Windows\SysWOW64\hra33.dll C:\Windows\SysWOW64\yiosmw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp N/A
N/A N/A C:\Windows\SysWOW64\yiosmw.exe N/A
N/A N/A C:\Windows\SysWOW64\yiosmw.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iLemon\lpk.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iLemon\lpk.dll,#1

C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp

C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp

C:\Windows\SysWOW64\yiosmw.exe

C:\Windows\SysWOW64\yiosmw.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\hrl126A.tmp

MD5 9207aff9be07ce6a7c809fc935ac8f63
SHA1 3cac8e650e83f17eefe4098cdd8236c645e19368
SHA256 a9dbc1a151bba11b32da044da91f019e9d8220065845e7ed402ad8181e58ce5c
SHA512 570f0b92f30246dfeef48466f0ba23f546234aec8e579d4f6c34f483268ab849f7c7e9f2cb364243392b8fae298303a06bfddcf043fb11c1b1efb9f78d81e7ef

memory/3832-7-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\SysWOW64\hra33.dll

MD5 7147ff24579a477a1a34696926e573f1
SHA1 9127ea8d813ecd5788b3f97777931ec79b7760e9
SHA256 fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267
SHA512 077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:01

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe

"C:\Users\Admin\AppData\Local\Temp\iLemon\setup_1.3.1.1002_qd[1].exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nst2817.tmp\System.dll

MD5 960a5c48e25cf2bca332e74e11d825c9
SHA1 da35c6816ace5daf4c6c1d57b93b09a82ecdc876
SHA256 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
SHA512 cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

C:\Users\Admin\AppData\Local\Temp\nst2817.tmp\nsisdl.dll

MD5 a5a4cee2eb89d2687c05ef74299f0dba
SHA1 b9bff5987be422887f2f402357b47db2288a1a42
SHA256 cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963
SHA512 f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

C:\Users\Admin\AppData\Local\Temp\nst2817.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2112-24-0x0000000004821000-0x0000000004822000-memory.dmp

memory/2112-23-0x0000000004820000-0x0000000004823000-memory.dmp

memory/2112-26-0x0000000004821000-0x0000000004822000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\iLemon.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\柠檬桌面 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iLemon.exe\" /from=autorun" C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\iLemon.exe

"C:\Users\Admin\AppData\Local\Temp\iLemon.exe"

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe" /parent=explorer.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr

Network

Country Destination Domain Proto
US 8.8.8.8:53 int.dpool.sina.com.cn udp
N/A 10.79.217.129:80 int.dpool.sina.com.cn tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 smartdesktop.sinaapp.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 d4cb6152a39e52256a676dfe5fb9a2b4
SHA1 2202dbdf0c6d4beba22ad2bc5b39ecb1630e5f0d
SHA256 36e189ab0a5fb4cedef2f0bbff3e93b52d39d5bfcec6dc2c3324f2fabc1b0236
SHA512 b60b9d291d9a705c19be87c5d1d715689ba95a95a938a932272e7342639c7bede1193d07a9fd9f559d42020f7a80b48f05a6659d482524c14cd33d360c3a397b

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 32131487bbe45d43f1ac008ef87e3a75
SHA1 2d381b18cebdaa55b59444c7a2df5afad048a2b2
SHA256 f24aad5fa94f861cdc02296d20134111578a218b8c5d1c5a8a2e20c1e9ae77f8
SHA512 a069076db8ab179d7e1b3a5ce5552971dc3949a77f3c238f5b05bfb69ac4f85f950b0a67fa08ae8f68e83202484bfb058e0856c17dfdce512ca8ac790c041095

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 f17ad7bed7dc75bb1bf2554d93eb3805
SHA1 9a9716df7efc4b3fbaf361e53b75126deaa7a613
SHA256 a16922501281c17e02671aaef2c156e5b3da6df2eff110fec974a3973d2156da
SHA512 e0e8ad4ae5db0031dd1751ed19cf29f66637bc04e452daf5c7609727c684371cc1c2916d86cf833c50552924c6e475858b87a74ea14c727801a40a38b7ab43ca

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 6c8180b9686de5e0a9164a1abdf03119
SHA1 92514cfe0285b0746156bd4745e8ab1f50057440
SHA256 19926a716b098112cbb881f19995bcf2a563752fc6e2ad0c2c29b2dc63b5a381
SHA512 3cdc4d03d46f87cb029c08adee2450fb6b32393877c640001517252334ccde6712e5febcc03c118529f22eab53ef03896de3d4da19a1a721629a9b76ddcd0c07


C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 61a928f23370956cc76488ec5b9e5c62
SHA1 1a6800d9050fb0667b44f4ce674fd600dee7d332
SHA256 c21ae97af2b5bedd6f524366c85566aa731c74a193a7bd4e00eaf63d0af73acb
SHA512 c3bda95577efb54657ab5281a959bfcd65f4865763462db85582289bdc38bc50c8cbb7e26d875e7435c80b05b8e970ab3a43eb3c92c4d78f75b805a60031da97

memory/1588-163-0x0000000000010000-0x0000000000011000-memory.dmp

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 d5b500eb314a9c8d20c8f760e45a2dab
SHA1 6d31afa36d1947652f3340c7f1424c19215ca553
SHA256 f678ca2043f8d77c617a3329c8b368545495c9f2a9c3146e8822d551f3a3af7d
SHA512 3ef78a2d2f951c916936631ef3332e099396d6be1bef77eab5168d0de82ae1ce9edb3a7cc5ddf929b8c07af02c4ed804ea6511edc6249195a51523261c6c9c88

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini

MD5 f60f63c75d94827cf56e1e58d0e672ce
SHA1 91c1216a85beb2f3cf7dd282c5b8ef9abec6bd90
SHA256 202adbe61dffc87919269eaf1dfc9f3bfcd24f8dbea87b38e084dd4c7223cc0a
SHA512 88cfb2169b7221e20f7c2d990217abf932dfcc4d95d5ab101b6fd37e1a99da41e7c93365b10caa8bff0bbecae01e9a149526b62aa35ce0fa6e6233ba5319bcae

C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd

MD5 c34e7a6742f3a197486c654925a3046d
SHA1 5d8e96b3d5928445b58d4b9391ee55e904482c37
SHA256 b7c20fb77f02ab366f244b50682c8086d2b1e79655ac8a3748f3ed57822ba503
SHA512 f5558de163df772c0c0abb1623fabd9ab9709b1f04d80fb9ba758367a51d8ed41cc7e9ddd42f3d4887fef0185eab1c81408fce7a525e35b7167fbceecc4612e5

C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk

MD5 b5db223b5e2278d99349cda4fd2716a9
SHA1 91dbf0576bdb5ae80ffed55b99c5e3d03172e4c8
SHA256 66f304b8648bc66ccec9d398f152c64dfa8d58b066528293706940424ed8a892
SHA512 f3c15262231cd95e704364aeb9daf72ef931ca49bf0b04875845e20e78eb8522e6bdcc904969b4a10ccf822179a1bfc03e43be35a82e919a339e74b43b5e05ff

memory/1588-244-0x0000000000C70000-0x0000000000C80000-memory.dmp

memory/1588-245-0x0000000000C70000-0x0000000000C80000-memory.dmp

memory/1588-247-0x0000000002F80000-0x0000000002F90000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonService.exe

"C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\LemonService.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper64.dll

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll" C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\ = "ShellExtHelperLib 类型库" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\ = "ShellContextMenu Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ = "IShellContextMenu" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShellExtHelper64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\TypeLib\ = "{0A5D4600-D936-439A-9B40-62123120B30D}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt\ = "{40D49468-FC87-408B-AB4D-741EACF62536}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93D661F9-0B6B-4F89-94AE-CBB411A5A279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40D49468-FC87-408B-AB4D-741EACF62536}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A5D4600-D936-439A-9B40-62123120B30D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\SmartDesktopExt C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ShellExtHelper64.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:01

Platform

win7-20240611-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iLemon\lpk.dll,#1

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hrl73F8.tmp N/A
N/A N/A C:\Windows\SysWOW64\zqhjao.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\zqhjao.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zqhjao.exe C:\Users\Admin\AppData\Local\Temp\hrl73F8.tmp N/A
File opened for modification C:\Windows\SysWOW64\zqhjao.exe C:\Users\Admin\AppData\Local\Temp\hrl73F8.tmp N/A
File created C:\Windows\SysWOW64\hra33.dll C:\Windows\SysWOW64\zqhjao.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hrl73F8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hrl73F8.tmp N/A
N/A N/A C:\Windows\SysWOW64\zqhjao.exe N/A
N/A N/A C:\Windows\SysWOW64\zqhjao.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iLemon\lpk.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iLemon\lpk.dll,#1

C:\Users\Admin\AppData\Local\Temp\hrl73F8.tmp

C:\Users\Admin\AppData\Local\Temp\hrl73F8.tmp

C:\Windows\SysWOW64\zqhjao.exe

C:\Windows\SysWOW64\zqhjao.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 fl89.3322.org udp

Files

\Users\Admin\AppData\Local\Temp\hrl73F8.tmp

MD5 9207aff9be07ce6a7c809fc935ac8f63
SHA1 3cac8e650e83f17eefe4098cdd8236c645e19368
SHA256 a9dbc1a151bba11b32da044da91f019e9d8220065845e7ed402ad8181e58ce5c
SHA512 570f0b92f30246dfeef48466f0ba23f546234aec8e579d4f6c34f483268ab849f7c7e9f2cb364243392b8fae298303a06bfddcf043fb11c1b1efb9f78d81e7ef

memory/2088-11-0x0000000000400000-0x000000000040D000-memory.dmp

\Windows\SysWOW64\hra33.dll

MD5 7147ff24579a477a1a34696926e573f1
SHA1 9127ea8d813ecd5788b3f97777931ec79b7760e9
SHA256 fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267
SHA512 077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-15 06:58

Reported

2024-06-15 07:00

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 244

Network

N/A

Files

N/A