Analysis

  • max time kernel: 110s
  • max time network: 152s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 28-01-2022 21:39

General

  • Target: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs
  • Size: 24KB
  • MD5: 2e98d98e8a55a16ad16cdc1130e5d729
  • SHA1: 84bce822d684af2425115292ae930dea77e8a5b0
  • SHA256: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58
  • SHA512: e6662e8120b5d148a3f6a68c6c5045c17fa40400b90461e9c4ec2e2870e3ee1e6e4caf356af6e6758c165b335a4672e3324929658fb0853ca70c375183a9cc3d

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

  • Blocklisted process makes network request 3 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\hrjeswygxzr.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:812
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1300

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082), 1 occurrence

Downloads

  • C:\Users\Admin\AppData\Roaming\89575428903102\szvpdyjaabeqnbaxp29518300890921.exe
    MD5: 9b1f99f5653f46ed5bbb3c91a1dd14b2
    SHA1: 80d650696f5cffac8b01486e6662f6119af82871
    SHA256: 7219bb635a8adcfa5842dacafa9f8b6307d9fbd67402cb5cc8ba9694f5f8f4b9
    SHA512: de922b9127f561045603aa5f3739575674babfc13807d30fcb931a8cc01f976bd356348ba8c1ee04e025421b7c99adb8bd26ed59f93af32dc130569b54b3fe7f

  • C:\Users\Admin\AppData\Roaming\hrjeswygxzr.vbs
    MD5: 1b28acf5988464298da2358ddf533839
    SHA1: f9def5b23c29921c5c1cd8b430acf7aa5ef13c84
    SHA256: 1740e7637c9ac7c7fb81fa5e47b87bba7ad65bd49d422d658a34ac32ee55244b
    SHA512: 1c3de15faa4e9de8c822dfc04a67cf1885f5f4c4ad860f5d3d442446da8847891a22ed6fab89c5ef09655885ec7a86328197e68a958114f5276aca7b6a337077