Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 19:29

General

  • Target
    990982736492bfa0b2a39b0fd05959fa92ca3a282e36977a2523b3fe641a4c34.vbs
  • Size
    5KB
  • MD5
    75819e8456648b85753f92cbd71ae002
  • SHA1
    ad1d61355c974b2eaea1530b367028e4fd8a63c3
  • SHA256
    990982736492bfa0b2a39b0fd05959fa92ca3a282e36977a2523b3fe641a4c34
  • SHA512
    dd841eebb865c91d6f62d7c1fff664463a5e5ee0ecdc70af5dfd1e9cd88d9a5e59d42a6a89e5452a077a2ff76c7ab324c66858f5d84913934535543ca82e25c6

Score
10/10

Malware Config

Signatures

  • Lampion
    Lampion is a banking trojan, targeting Portuguese-speaking countries.
  • Blocklisted process makes network request (7 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\System32\WScript.exe (PID 3340, level 1)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\990982736492bfa0b2a39b0fd05959fa92ca3a282e36977a2523b3fe641a4c34.vbs"
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 4320, level 2, child of PID 3340)
      Command line: wscript.exe C:\Users\Admin\AppData\Roaming\srzmxqmfmve.vbs
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\LogonUI.exe (PID 4236, level 1)
    Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\88126744210719\czmyjsxzpxrxjjkty49079320788382.exe
    MD5: f472ed497a09020dda0570d7a5589806
    SHA1: 6689cb9b7bed31011ca5d40cb0948c2c8b5543aa
    SHA256: add23f164c88b1326f4c261cd63d55f8bccbb51fff366d411e23ad7c820958c1
    SHA512: 1253dbc29a1c1d793a201a696acb0c7fbbeea1b88f3e7baeae9a8dc0ea41151237bb28f10d7d1f8576988603604ca46dfa5fbfc2c4961ad1c5e157e151b6c120

  • C:\Users\Admin\AppData\Roaming\srzmxqmfmve.vbs
    MD5: f2ce44d4ddd7beea481f6a8fb85dfcfe
    SHA1: 36ffbdb364498a3a082a4a74ea84dd63b78abf97
    SHA256: 23b10e8a8ff5587300773305639986bbc665f365e46342c2e58611822c9d5344
    SHA512: e789c5f5226cfbd5c45652b7a4fbefba4cda1746863fb9f80b39d92d735f07fd0ad40ff8346b59b0278597ff5b41d4372a45cc8628ad7c9e5f710ac5f17c924f