Analysis

  • max time kernel
    89s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 22:34

General

  • Target

    07f5932be35a720a74fc10e7ee6011fa2a8ee4c6df7cf9a6f06bfdc7bd5ec4a1.vbs

  • Size

    22KB

  • MD5

    6d5196d8d9cd129b0f257f07ede9e6ab

  • SHA1

    14095c55c59db1f8bc00de1781a6641bf2657d65

  • SHA256

    07f5932be35a720a74fc10e7ee6011fa2a8ee4c6df7cf9a6f06bfdc7bd5ec4a1

  • SHA512

    4dc375ebb0a26d1b92ecad9611098e425b9a02c0bf95bf4271ae88e1a931091ca6ed8f088a728affa2d59935e1243c5ed9263bb059d0fa6609e507e6d1b2f004

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

  • Blocklisted process makes network request 7 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f5932be35a720a74fc10e7ee6011fa2a8ee4c6df7cf9a6f06bfdc7bd5ec4a1.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\eoejehjxisk.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:3312
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\54228428781032\pwqvpjurluxpdlafm23253759264945.exe

    MD5

    0be94c88623ca8860b74a78f2b0dfe65

    SHA1

    3fffc44f4c268056a8857948dd9951da854230b2

    SHA256

    ae727e3adf412e64c2b5d33ef2f5db7e1061832d4e48d394292c0b520c789f31

    SHA512

    ffe06c53243fd2c667e97c66c05f0c5102d6a6e41fad93deb46c66ebe90a0b7658b0b73f829230bb96d4c16c9105a09820acd9f0b17b94d711af44bd20790b50

  • C:\Users\Admin\AppData\Roaming\eoejehjxisk.vbs

    MD5

    0f2af3899589011d686589b9fb21d7ad

    SHA1

    c0867a001666b04596969276ef1add5134b539a6

    SHA256

    1ba7e291e47525be44c5acba05eaecb6c91bcc27f0d59f6c885fbf72bddff37e

    SHA512

    3248fe57380beab295d3c79814886ffb21fe294a4e9cd65f113234b69b199903703c3d5e4c7cbc73febbc29eba17f98c20700f7eb80e6460d586eda9347eb27a