lampion | 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d

General

Target

73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs
Size

28KB
MD5

814fb0a1cc7a7cf376f3a302449fd2bd
SHA1

4b481d5b6a046f583ae5330e71b1f1f427c798ae
SHA256

73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d
SHA512

d1e3f73e4ad416691edffbb181cbf382e077d3a22fd8ada80aa1f1a2592e94c013b39b062c76c25b67ab7acaa8c5a9c49bdde3ff3ed379642b8a612b0c856992

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 1220 WScript.exe
7 1220 WScript.exe
9 1220 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfjnpllynee.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1220	WScript.exe
7	1220	WScript.exe
9	1220	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfjnpllynee.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1944	wscript.exe
Token: SeShutdownPrivilege	1944	wscript.exe
Token: SeShutdownPrivilege	1944	wscript.exe
Token: SeShutdownPrivilege	1944	wscript.exe
Token: SeShutdownPrivilege	1944	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1220 wrote to memory of 1944	1220	WScript.exe	wscript.exe
PID 1220 wrote to memory of 1944	1220	WScript.exe	wscript.exe
PID 1220 wrote to memory of 1944	1220	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\hfjnpllynee.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\87894108712673\snvyaovsqfrzwsuey81125615954398.exe
MD5
35fe7fe4f6b5e51002bf724b586adb42

SHA1
4f693c4c3660b42729e4c5c595164a5174cba10b

SHA256
45a6fd212f8f83419abf7810d56f2a5e1285b106879fb230a9d9d233e8629839

SHA512
f20ad9e677ca98a6f63e402101a52d80a033b39093c37471c3d3a81be42375da673f472406e994835309ce27ee04ecea944a0bc3e8daf4cd29f2e2c66dcdf907

Download Submit
C:\Users\Admin\AppData\Roaming\hfjnpllynee.vbs
MD5
afba27a3628d57f1b19ae5fcde93bed5

SHA1
10dbdfb65a5a94ce039530a29bbd9ab27bd39567

SHA256
e416df27567b11e8c87c082e52d3214050b94dd728a42c6f59485ed55f610d7d

SHA512
f59af5e866585a2de51b36b97dd5c6ad4ff77fe36ec8b8496d6bb74c7e2e46251cb4acaa595bc09285e7f514293266a806d50fe4f315f1c1e0439752544c9973

Download Submit
memory/960-61-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1068-59-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1220-54-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing