lampion | 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c

General

Target

0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs
Size

38KB
MD5

2135d5e3d9eedbdb324af6331d6c6bea
SHA1

0c4c364c85126b6e808e9edaef21d8d1e22e3c41
SHA256

0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c
SHA512

3430151be33ac2e312c3427613bca72e6853498a9ced76ad1ff30fbaa04fb8b071fbe9a75a5906957cba5047373452ee7f61a783a1803b723f94b813e7735ebf

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

18 504 WScript.exe
20 504 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltxhyjxyecp.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
18	504	WScript.exe
20	504	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltxhyjxyecp.lnk	wscript.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1664	wscript.exe
Token: SeShutdownPrivilege	1664	wscript.exe
Token: SeShutdownPrivilege	1664	wscript.exe
Token: SeShutdownPrivilege	1664	wscript.exe
Token: SeShutdownPrivilege	1664	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

392 LogonUI.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description pid process target process

PID 504 wrote to memory of 1664 504 WScript.exe wscript.exe
PID 504 wrote to memory of 1664 504 WScript.exe wscript.exe

pid	process
392	LogonUI.exe

description	pid	process	target process
PID 504 wrote to memory of 1664	504	WScript.exe	wscript.exe
PID 504 wrote to memory of 1664	504	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\ltxhyjxyecp.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\94607304513454\lebthquiokikhkxfl19075384020804.exe
MD5
e37bbd3f2b9d61006ff7e43ec0826025

SHA1
1dabbec6504454c48e2a43b796a526f6e4625576

SHA256
c9205b71be3ad59dc5455c913eb9d943a2bca2815d03b46c56d73efd0316b120

SHA512
d68eedd1719d4c9585b311c8e2f595099e2d40fc4a1cd3d19890105234fb1e858bb9f712edc681811371619fe36315ae2cc7c04d8ea3d8de238433350929c9bd

Download Submit
C:\Users\Admin\AppData\Roaming\ltxhyjxyecp.vbs
MD5
b517929f202bb31318844e6f9a1b3887

SHA1
b183ce4ede39587ac8150431dc218d28e1507081

SHA256
f947ef801247c1d0d289f36c871fde1a8c54238b6246701d3957fc1d1c37117f

SHA512
8e523701b63070feab43b3136f701745fe149de292efa8e555aa5d34df72f2e9c12b6565faf63646f851118474584e8d370d67ab3726bddd369c11cc2762f523

Download Submit

Analysis

Sharing