lampion | f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c

General

Target

f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs
Size

12KB
MD5

fb20b1b1d48d96bacde2fd6caaeb42e7
SHA1

49d5aab4e2611b8ba10e11b7de5e9eeb3d56e35a
SHA256

f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c
SHA512

dfbc923b992f059546c35e8adeb97594de0fd97640dbd21f291bb727371239d2c9a9028c740ebb3a8467de99e3399524b2bd5b09bc1d5872f4b9db80134d4e40

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 1508 WScript.exe
7 1508 WScript.exe
9 1508 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uovjbwufudw.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1508	WScript.exe
7	1508	WScript.exe
9	1508	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uovjbwufudw.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1384	wscript.exe
Token: SeShutdownPrivilege	1384	wscript.exe
Token: SeShutdownPrivilege	1384	wscript.exe
Token: SeShutdownPrivilege	1384	wscript.exe
Token: SeShutdownPrivilege	1384	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1508 wrote to memory of 1384	1508	WScript.exe	wscript.exe
PID 1508 wrote to memory of 1384	1508	WScript.exe	wscript.exe
PID 1508 wrote to memory of 1384	1508	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\uovjbwufudw.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\55633305490016\ewivmzezxfihbamki44441717028617.exe
MD5
e33bd14d7aeec17c77b2bbcd12f4b815

SHA1
f18b5b59f424bab80bcda6ffb4661084408fe885

SHA256
49eee13f8cdaf094dce3515baa7c0cfb4d3b12048d773114ed73e0ab6ea065b5

SHA512
7291b86ae230d0dbe202781fa28568f282120bae561d1e8f08174a02fb7b776ab9fc4f62f741df6a01d2b2dad08edb3edf556fae0b8e3a4bfa3ed4b03c56d979

Download Submit
C:\Users\Admin\AppData\Roaming\uovjbwufudw.vbs
MD5
02b52d2139d9c641d01680f809f95f7f

SHA1
bb4ed150f03c1f6fb611f21d5c30c0f7b2e9df85

SHA256
2f530bdafa6b30f0e2e658bb60b8b8574db474aa9c475ac2095a8b771957236b

SHA512
e25d1813e832afff613d2fc63567bbb19e245069d1e6752d9b81e2b741dd3cfebf7486b6132e5a2b7d734c5a19a30bcd080d0f3ee1e4d0081bcf7fb05dce3458

Download Submit
memory/956-61-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1508-54-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

Filesize
8KB

Download
memory/1728-59-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing