lampion | 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c

General

Target

0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs
Size

38KB
MD5

2135d5e3d9eedbdb324af6331d6c6bea
SHA1

0c4c364c85126b6e808e9edaef21d8d1e22e3c41
SHA256

0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c
SHA512

3430151be33ac2e312c3427613bca72e6853498a9ced76ad1ff30fbaa04fb8b071fbe9a75a5906957cba5047373452ee7f61a783a1803b723f94b813e7735ebf

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

5 1680 WScript.exe
7 1680 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztwibeazvtr.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1680	WScript.exe
7	1680	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztwibeazvtr.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1052	wscript.exe
Token: SeShutdownPrivilege	1052	wscript.exe
Token: SeShutdownPrivilege	1052	wscript.exe
Token: SeShutdownPrivilege	1052	wscript.exe
Token: SeShutdownPrivilege	1052	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1680 wrote to memory of 1052	1680	WScript.exe	wscript.exe
PID 1680 wrote to memory of 1052	1680	WScript.exe	wscript.exe
PID 1680 wrote to memory of 1052	1680	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\ztwibeazvtr.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\91069432199001\jciumgltyvdxbhubu87285924792289.exe
MD5
10628587d7abeb26a69582600e7ebb55

SHA1
6275a74a5d743f2339429f28bb038cf6413f8163

SHA256
5bbe23bdfac10a749556e44dd3f9e88ff3c954e6dce279f00a81ebfbdc2c8fb1

SHA512
295a06718862bf8248a59d2bf699e0d7ab98c82e929842e927ca0b0a5bd378178978eaf845582f7b41c91cdd4bfbaf1d827f745fb17d7e02e2c448a63941f3be

Download Submit
C:\Users\Admin\AppData\Roaming\ztwibeazvtr.vbs
MD5
39135c07b23784c350b222bfa9214caa

SHA1
67bcf4c7fd933c81f141db9cea11c505ad40214e

SHA256
13bfc0b207b10ee2b82c59396b94fa2977e6e4040454f855596eef449583688d

SHA512
1539b52a888b58fa5fdf909543b37875ba6bed67885c4bbe00b7d9f4a990621d1a9bb1b9463828f866374191e292d2bd125b90d31bd93a2106dc5377621d5b2c

Download Submit
memory/896-60-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1216-62-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1680-55-0x000007FEFB791000-0x000007FEFB793000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing