Analysis

  • max time kernel
    113s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 17:37

General

  • Target

    edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1.vbs

  • Size

    16KB

  • MD5

    ae5fd104186c3551b922492de895edf1

  • SHA1

    8022a8078be2a8f96cc5d12e3fe5575a70c88c72

  • SHA256

    edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1

  • SHA512

    ffb411fb4bf7fdaaea50e2c1fb5f65fd7702b09b6640ae4266f4412101b3910efc156f349af48b060501db45d20ca96f609d9612eab5e55e2b4578f3fe548e5b

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

  • Blocklisted process makes network request (4 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\System32\WScript.exe (PID 2608)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1.vbs"
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\System32\wscript.exe (PID 1452)
      wscript.exe C:\Users\Admin\AppData\Roaming\nahiekhgxzr.vbs
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\LogonUI.exe (PID 3948)
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\90058827340602\xjuuqnsaabdshtwhk95357168078422.exe
    MD5

    0b2e2bf8b5a3d7e49119c06b3288c0f2

    SHA1

    953a1f12d44e771f7d3b6eb3c7f78693cc975631

    SHA256

    beb8f7e47381bc19a77b9f61b2fb129d74f9ac0c098002b29731e15f9f019434

    SHA512

    f32e000a9a4465569996b45c5c0e3e0a73c25d64db73c47e283eaf346325ecd90627307ec29ac75aca4833d24f71a92738a7f41dc5c690cbbdb6dec5bfe25a63

  • C:\Users\Admin\AppData\Roaming\nahiekhgxzr.vbs
    MD5

    27cee89a350a88c8f7de5d0454c88838

    SHA1

    646e1d9eaa79ce19fb60a7e09425b62450f83e30

    SHA256

    f1fcb26b807e41aca24120e064a2e00fd49e1ae91e71d8067c45c0c7ea235470

    SHA512

    efe7f0caa37a0077dae7806c53ab61c87db90ea545ac45c9fde5f855f1a5e4510945dc8f1f88ed538571e1ba696bd6ac0a638d77170ee51be3a83bb771329480