lampion | 9a2f575d77cc03afe1230666ed23c1da58dd1644abf02e2487c6cd0db8b2a26d

General

Target

9a2f575d77cc03afe1230666ed23c1da58dd1644abf02e2487c6cd0db8b2a26d.vbs
Size

16KB
MD5

2a22f9e6eee207c35229063f75121696
SHA1

bdc5d7edcebaaa8508a005943c77cf3fc436542c
SHA256

9a2f575d77cc03afe1230666ed23c1da58dd1644abf02e2487c6cd0db8b2a26d
SHA512

edad6360a533ffbc4dc91d323109808f45f01070a245555a1a91c62ef142e180c09f61cc92a11a9583cdd6c5a5fd66642d832b14eab20fac77aa0b237a6cce68

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 1916 WScript.exe
7 1916 WScript.exe
9 1916 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cjjeryqfbnb.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1916	WScript.exe
7	1916	WScript.exe
9	1916	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cjjeryqfbnb.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	860	wscript.exe
Token: SeShutdownPrivilege	860	wscript.exe
Token: SeShutdownPrivilege	860	wscript.exe
Token: SeShutdownPrivilege	860	wscript.exe
Token: SeShutdownPrivilege	860	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1916 wrote to memory of 860	1916	WScript.exe	wscript.exe
PID 1916 wrote to memory of 860	1916	WScript.exe	wscript.exe
PID 1916 wrote to memory of 860	1916	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a2f575d77cc03afe1230666ed23c1da58dd1644abf02e2487c6cd0db8b2a26d.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\cjjeryqfbnb.vbs
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\64438710153102\mrvpcbbzeponwabsd70897207140922.exe

MD5
3097264ff585e23e87cb3ee014a3c6f6

SHA1
a8b4cd8071a699d933ca23251cf0e1f8537d9b33

SHA256
d9813e788332d81edf7d519f1ca6fe231147e4e597a5e543ac6015196c1a7a53

SHA512
c1e6e39323436d0c2a717851307325d96af6dae3bbccbdeff8afca9f5e9cf1a3c32b0162ab0f24c082e8c73bbd15f2a85c6f54b462e9520ad4c739f9f891e835

Download Submit
C:\Users\Admin\AppData\Roaming\cjjeryqfbnb.vbs

MD5
c4714edd6cdc66e6085a08190c871d2e

SHA1
e2d03cf49aabf24eadbdb0faae97fd49f83a9419

SHA256
63427c1eef40a65e285e0a4a9889a400197515f9237fd2b8ae4423cb56a7d6ed

SHA512
104908a28ed685e887419ea13cb20def61eaaa6cd451baa4c0963375162f8574c38ecbaec944f6994c097de3a7d8455a3d9e2a7dd57f3099293c9338bacc8022

Download Submit
memory/916-59-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1240-61-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1916-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing