lampion | 29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a

General

Target

29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a.vbs
Size

16KB
MD5

8796bfe9c4735fe01a04125c25e67ed8
SHA1

3c3b3f0ae2617ce7e240e9ae35c023d91addbd0c
SHA256

29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a
SHA512

80c103adb21dee293201edb0d7d7047c05b34b8fae666a147f660b3041a606d2ef9a1f8cbf162b41b595d42d7b13ec32ef3478c81bf8d1934db07dde85b66211

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

23 1804 WScript.exe
25 1804 WScript.exe
27 1804 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\morgdjwekvc.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
23	1804	WScript.exe
25	1804	WScript.exe
27	1804	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\morgdjwekvc.lnk	wscript.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	2864	wscript.exe
Token: SeShutdownPrivilege	2864	wscript.exe
Token: SeShutdownPrivilege	2864	wscript.exe
Token: SeShutdownPrivilege	2864	wscript.exe
Token: SeShutdownPrivilege	2864	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2832 LogonUI.exe

pid	process
2832	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1804 wrote to memory of 2864	1804	WScript.exe	wscript.exe
PID 1804 wrote to memory of 2864	1804	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\morgdjwekvc.vbs
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\31029835641383\ibvblajmiakjzqlzb88220998644828.exe

MD5
9df0112c6af4deaf98e7e1c5b0478f48

SHA1
a18c9921d551ce9535c0c880add2f2c5a8164599

SHA256
94a37bbfd0c5d2bd2b745024b0f7dc8ac40a395b814adb9c2f5d096d398a91e2

SHA512
454a800f7f54da569e783e32929a46e1bec7838dc25fdf4ad48d37e1124cdab8f54034ea186d2c63a86c0c4a4bed60932993e6d86a6e8ad8aef133e1a46b7f22

Download Submit
C:\Users\Admin\AppData\Roaming\morgdjwekvc.vbs

MD5
eff5c720154b96fa242b5bfc439f91e1

SHA1
6d1db9a20f42c15f2ea59b6017d925d85a81e801

SHA256
5dc70ad946e543fff77d0c88a0a5ebf1956c0f93dce02fb5bdc383e9bc58eb54

SHA512
42217375aceb8f295cc0fa53acd6b1707535a9acb6854d576d70711d6df3ff76d3a6a93049513b3cd772873dc7b494cea6acdae65188788fc160414433914488

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads