lampion | 29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a

General

Target

29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a.vbs
Size

16KB
MD5

8796bfe9c4735fe01a04125c25e67ed8
SHA1

3c3b3f0ae2617ce7e240e9ae35c023d91addbd0c
SHA256

29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a
SHA512

80c103adb21dee293201edb0d7d7047c05b34b8fae666a147f660b3041a606d2ef9a1f8cbf162b41b595d42d7b13ec32ef3478c81bf8d1934db07dde85b66211

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 780 WScript.exe
7 780 WScript.exe
9 780 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ueexzkbobmm.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	780	WScript.exe
7	780	WScript.exe
9	780	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ueexzkbobmm.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	972	wscript.exe
Token: SeShutdownPrivilege	972	wscript.exe
Token: SeShutdownPrivilege	972	wscript.exe
Token: SeShutdownPrivilege	972	wscript.exe
Token: SeShutdownPrivilege	972	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 780 wrote to memory of 972	780	WScript.exe	wscript.exe
PID 780 wrote to memory of 972	780	WScript.exe	wscript.exe
PID 780 wrote to memory of 972	780	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\ueexzkbobmm.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\57831257760524\emqjlnmieoykrzytb82380941271781.exe
MD5
b571729b40f9a5c331e2b4caab4bce0c

SHA1
4ef7f04826145a0673955231343a430150bf0010

SHA256
d17d0b10aea65d745b5208b889ddbe83d752ec03e7e6bd1dc56a885ebe47035c

SHA512
9ef5a7518587496a3f84352d319bd620632de95de9346b213c699ec27c3627dc7e425912d468af3c1b74446897e23ab4262c36690bae1ac93d137323d96a316d

Download Submit
C:\Users\Admin\AppData\Roaming\ueexzkbobmm.vbs
MD5
398288220bfcc65746b56d3b96f83f8a

SHA1
8036ddc4d1569314612ab5e9e490da438f2b02ab

SHA256
c2c56eb2aeaa9779f87ba32eb27394a0f3b6f10b941685a9722ca3581b1c8ede

SHA512
277d7b3bba9f84126a5a2b0d61263ee894c3d2c1ff74376e1297e23bad8401d798ca3c972551064fd40597b3f973432ba0df832c1b3b299c9f8bdf415aa286d3

Download Submit
memory/780-55-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

Filesize
8KB

Download
memory/1708-63-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1880-61-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing