lampion | edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1

General

Target

edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1.vbs
Size

16KB
MD5

ae5fd104186c3551b922492de895edf1
SHA1

8022a8078be2a8f96cc5d12e3fe5575a70c88c72
SHA256

edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1
SHA512

ffb411fb4bf7fdaaea50e2c1fb5f65fd7702b09b6640ae4266f4412101b3910efc156f349af48b060501db45d20ca96f609d9612eab5e55e2b4578f3fe548e5b

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 944 WScript.exe
7 944 WScript.exe
9 944 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ductrxerrwp.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	944	WScript.exe
7	944	WScript.exe
9	944	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ductrxerrwp.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	912	wscript.exe
Token: SeShutdownPrivilege	912	wscript.exe
Token: SeShutdownPrivilege	912	wscript.exe
Token: SeShutdownPrivilege	912	wscript.exe
Token: SeShutdownPrivilege	912	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 944 wrote to memory of 912	944	WScript.exe	wscript.exe
PID 944 wrote to memory of 912	944	WScript.exe	wscript.exe
PID 944 wrote to memory of 912	944	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\ductrxerrwp.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\12764927804469\ocoeczoltybebuqmh90699926257133.exe
MD5
37a8a4d42990e77156a8e4977589d146

SHA1
c5e3126599fb95f2b356f932845227ef2731a0f0

SHA256
f07aaf0620120be715bae06fa5e387a82558c2fc3870ac7532c8deb01988fcda

SHA512
bd366bcb5b483d68cd59a5df0cea6ec04df2f073241307bed9714a2a1f1d73349f166becad4ad4b19d92bc9e174836de25a4cddfc0a2e0f280c22f36a3e3ff6d

Download Submit
C:\Users\Admin\AppData\Roaming\ductrxerrwp.vbs
MD5
64e9b27668cee58fb62f75c2bb4497d7

SHA1
83e72c8444b4430ed70be681e6a027544ec4ad0f

SHA256
620ae013cc1d3dd5ff68246a880ca20298fa139ba53c8d627531cd412087ffca

SHA512
877b123ed259cde650b8b072cad8d5c23032b237d1141efc8e3ee6fdb03780ae5643f4635928b566caec8b17e699a47cd4c66766863a9d2fd5ee13ede42d3bed

Download Submit
memory/268-63-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/944-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1716-61-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing