Analysis

  • max time kernel
    115s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 21:39

General

  • Target

    33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs

  • Size

    24KB

  • MD5

    2e98d98e8a55a16ad16cdc1130e5d729

  • SHA1

    84bce822d684af2425115292ae930dea77e8a5b0

  • SHA256

    33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58

  • SHA512

    e6662e8120b5d148a3f6a68c6c5045c17fa40400b90461e9c4ec2e2870e3ee1e6e4caf356af6e6758c165b335a4672e3324929658fb0853ca70c375183a9cc3d

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan targeting Portuguese-speaking countries.

  • Blocklisted process makes network request (3 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this run the family signature is a banking trojan and nothing else in the report shows encryption activity, so treat the drive enumeration as reconnaissance rather than as a ransomware indicator.

  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs"
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\System32\wscript.exe (child of PID 792)
      wscript.exe C:\Users\Admin\AppData\Roaming\npzbqcbfgmo.vbs
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:992
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    PID:1892
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery (T1082), 1 hit


Downloads

  • C:\Users\Admin\AppData\Roaming\53251057565211\xxlnbfmzjoavpwnrj55032674670218.exe
    MD5

    888a916ac4bfe9d21264a4fb5c90d1b8

    SHA1

    f7553c87162c2d5921887d73101ad855aeb7cc1f

    SHA256

    b3c8e8bc565146ad62d55d85d3f2018430c794f82867471c3f0fad0b4c3e7cae

    SHA512

    13a97d398cbd1d6692d501725c41977455900eeaf21261995940e00339528a42851a07c042f2c9e1c5198ee5138e1b5e6023d5fb6207c52340b1490462d5bb6b

  • C:\Users\Admin\AppData\Roaming\npzbqcbfgmo.vbs
    MD5

    5a669f2b328b72b70f2c4f2b23d430cc

    SHA1

    0d02ccd7d6fd99a3f4779c09e31253209d429d6f

    SHA256

    167f675c06dc46ba8d4682f7588e4cc7fb83be9ef873e976c0dfd759715a58a2

    SHA512

    f9334ecd3b7c5b0ef877b756d4988185ea3a81683d17caf228dd3ed7344d7be188f07a3c0ee7b9180425329b7e8b8414a7b7354ef4611766005110967d63083e

  • memory/792-54-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp
    Filesize

    8KB

  • memory/1708-61-0x0000000002820000-0x0000000002821000-memory.dmp
    Filesize

    4KB

  • memory/1892-59-0x0000000002840000-0x0000000002841000-memory.dmp
    Filesize

    4KB
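The Processes tree and the Downloads list above are enough to write hunting logic for this chain: a script host re-launching a script host on a .vbs in %APPDATA%\Roaming, a PE dropped into an all-digit folder under Roaming, a Startup-folder write by wscript.exe, and exact matches on the three SHA256 values. The script below is an added example, not part of the sandbox report. Its event records are constructed to mirror the report; the Sysmon-like field names, the parent images of PIDs 792 and 1892, which PID wrote each file, and the Startup file's name and hash are all assumptions, since the report does not state them.

```python
"""Triage rules derived from this report's process tree and Downloads.

Added example: this is not part of the sandbox report. The event records
below are constructed to mirror the report; their Sysmon-like field names
are assumed, as are the parent images of PIDs 792 and 1892, which PID wrote
each file, and the name/hash of the Startup-folder file (the report only
says one was dropped).
"""
import re
from collections import defaultdict

# SHA256 values copied from the report.
KNOWN_SHA256 = {
    "33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58": "initial .vbs",
    "167f675c06dc46ba8d4682f7588e4cc7fb83be9ef873e976c0dfd759715a58a2": "npzbqcbfgmo.vbs",
    "b3c8e8bc565146ad62d55d85d3f2018430c794f82867471c3f0fad0b4c3e7cae": "xxlnbfmzjoavpwnrj55032674670218.exe",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script file sitting directly in %APPDATA%\Roaming (npzbqcbfgmo.vbs).
ROAMING_SCRIPT_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
# A PE inside an all-digit folder under Roaming (the 53251057565211 directory).
NUMERIC_ROAMING_DIR_RE = re.compile(r"\\AppData\\Roaming\\\d+\\[^\\]+\.exe$", re.I)
# Per-user Startup folder (persistence without touching the registry).
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return {rule_name: sorted PIDs} for every rule that fires on events."""
    hits = defaultdict(set)
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process":
            parent = basename(ev.get("parent_image", ""))
            # Rule 1: script host spawned by a script host to run a script
            # from Roaming (PID 792 -> PID 992 in the report).
            if (image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS
                    and ROAMING_SCRIPT_RE.search(ev["cmdline"])):
                hits["wscript_relaunch_from_roaming"].add(ev["pid"])
        elif ev["type"] == "file":
            path = ev["path"]
            # Rule 2: exact match on a hash listed in the report.
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                hits["known_lampion_hash"].add(ev["pid"])
            # Rule 3: payload directory shape (digits-only folder name).
            if NUMERIC_ROAMING_DIR_RE.search(path):
                hits["exe_in_numeric_roaming_dir"].add(ev["pid"])
            # Rule 4: script host writing into the Startup folder
            # (the report's "Drops startup file" on PID 992).
            if image in SCRIPT_HOSTS and STARTUP_DIR_RE.search(path):
                hits["script_host_startup_persistence"].add(ev["pid"])
    return {rule: sorted(pids) for rule, pids in hits.items()}


# Constructed events modelled on the report's process tree.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 792, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # assumed; the report shows no parent
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs"'},
    {"type": "process", "pid": 992, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Roaming\npzbqcbfgmo.vbs"},
    # File writes attributed to PID 792 (the process that made the network
    # request) as an assumption; the report lists the files, not the writer.
    {"type": "file", "pid": 792, "image": r"C:\Windows\System32\WScript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\npzbqcbfgmo.vbs",
     "sha256": "167f675c06dc46ba8d4682f7588e4cc7fb83be9ef873e976c0dfd759715a58a2"},
    {"type": "file", "pid": 792, "image": r"C:\Windows\System32\WScript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\53251057565211\xxlnbfmzjoavpwnrj55032674670218.exe",
     "sha256": "b3c8e8bc565146ad62d55d85d3f2018430c794f82867471c3f0fad0b4c3e7cae"},
    # Hypothetical file name and hash: the report only says PID 992 drops a startup file.
    {"type": "file", "pid": 992, "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hypothetical_stub.vbs",
     "sha256": "0" * 64},
    # Sandbox noise from the same run: should fire nothing.
    {"type": "process", "pid": 1892, "image": r"C:\Windows\system32\LogonUI.exe",
     "parent_image": r"C:\Windows\system32\winlogon.exe",  # assumed
     "cmdline": r'"LogonUI.exe" /flags:0x0'},
    {"type": "process", "pid": 1708, "image": r"C:\Windows\system32\LogonUI.exe",
     "parent_image": r"C:\Windows\system32\winlogon.exe",  # assumed
     "cmdline": r'"LogonUI.exe" /flags:0x1'},
]

if __name__ == "__main__":
    for rule, pids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule}: PIDs {pids}")
```

Rules 1, 3 and 4 are behavioural and survive a re-pack of the payload; rule 2 is the exact-hash match and will stop firing as soon as the operators rebuild the dropper, so keep it as a confirmation signal rather than the only one. The two LogonUI.exe processes from the same run fire nothing, which is the expected result for sandbox noise.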