lampion | ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765

General

Target

ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765.vbs
Size

27KB
MD5

6d4c57b3600d896553e1a4aa0419dfec
SHA1

ae960f8bcb5401e756a4074ca9fdfe6d4b303b23
SHA256

ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765
SHA512

183f4178aa5ff56a7a27f4e6ef70c1a3e9b1fd098a624511053833f0cd310d6dbfc4235f764be204994409a871dce92fbb8559c18750f505f3fcd7cd650d91fa

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 1588 WScript.exe
7 1588 WScript.exe
9 1588 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mzczczsnnxo.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1588	WScript.exe
7	1588	WScript.exe
9	1588	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mzczczsnnxo.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1560	wscript.exe
Token: SeShutdownPrivilege	1560	wscript.exe
Token: SeShutdownPrivilege	1560	wscript.exe
Token: SeShutdownPrivilege	1560	wscript.exe
Token: SeShutdownPrivilege	1560	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1588 wrote to memory of 1560	1588	WScript.exe	wscript.exe
PID 1588 wrote to memory of 1560	1588	WScript.exe	wscript.exe
PID 1588 wrote to memory of 1560	1588	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\mzczczsnnxo.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\65360188424586\wholncdhqzaczwqmf26246297717093.exe
MD5
2f1d0920834f364df684b19b5b11bc0b

SHA1
b389ec2c0688a2e16d4f08fb96a7f3b216de693d

SHA256
9db95c28faa1d1fc37cf569059e745b008ef6a50aaeb7fc66ec22e75f5b2718c

SHA512
2bd1b85f15a604abbfae1d8b67ef57e75a9b4833515bbc74a2bb2fd535918d2b602c3014845f4b8147c0fa43396e9bcdcc1e97e05c3cc17205cf222d18fe18e5

Download Submit
C:\Users\Admin\AppData\Roaming\mzczczsnnxo.vbs
MD5
2ff4424eacaec05692a8cf937bb01c1d

SHA1
0beabe198f17ee33a4c357578c0d512d2c9f0565

SHA256
d13afd1689a369795d1cd2e8775f9c32164a3d35bf709f0f4c9a0faf26a45627

SHA512
d60b4c7cf25333c9b32c3eb4427c50a140d8a44eedcd6c7393f1c800fa501d11884ca3ec8cfc3afd9fd8c7be9ea9c5ef590cb136b7de99ae2a4074a26f56bad5

Download Submit
memory/1536-60-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1548-62-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1588-55-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing