lampion | 113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898

General

Target

113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898.vbs
Size

14KB
MD5

8eb68a7cde7da57b6bb46b479b371067
SHA1

2e8c15856c3f76744c1d73d9ca90db19621263b4
SHA256

113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898
SHA512

01189fd288820c94c6aaaee42c50612c2da6761cf4f734a79cc5600bace0fd9cde82bb47bfa5d672bc3b737f3996778a532d6c4dde73dbfbd9bd4424148286aa

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 944 WScript.exe
7 944 WScript.exe
9 944 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anyeousghtm.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	944	WScript.exe
7	944	WScript.exe
9	944	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anyeousghtm.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1620	wscript.exe
Token: SeShutdownPrivilege	1620	wscript.exe
Token: SeShutdownPrivilege	1620	wscript.exe
Token: SeShutdownPrivilege	1620	wscript.exe
Token: SeShutdownPrivilege	1620	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 944 wrote to memory of 1620	944	WScript.exe	wscript.exe
PID 944 wrote to memory of 1620	944	WScript.exe	wscript.exe
PID 944 wrote to memory of 1620	944	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\anyeousghtm.vbs
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\86502827584743\kvkpzxcakvyzhfcxx33636251330375.exe

MD5
fa65d75b610b5d4df54f4d3f5148b7c3

SHA1
8db4d12b313b15784f29ab35e46a8d50721f25b8

SHA256
f6da083c2a2f69b6eeeb61c1cea63d7ea271562fce6d81c18293b070aeae9e64

SHA512
30d5ad2e68191d1289d310cdd5f39f5802eed522f799a8dad6844490373bac2571285f39dd33cd2524192228840d1dd4df3b1d37abc43d2e6358b4536de83b56

Download Submit
C:\Users\Admin\AppData\Roaming\anyeousghtm.vbs

MD5
9299a83757fb55c08b2bbd4e3c26d6a8

SHA1
f41b9c14abe622d6036caeafc917b4c81e65a596

SHA256
4a09306d349b501d6cb1e60ec923a7863fc6183ae378b1149ad512627b90e26e

SHA512
c5a708a3b49432828e57568ea511b37125b76dfc2a11f2b32d39431baec880895a16991f025695f97085fb8996808317c147ff37b73475e8569520101d6bf6e4

Download Submit
memory/944-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1040-62-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1044-60-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing