Analysis

  • max time kernel: 119s
  • max time network: 175s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 28-01-2022 20:15

General

  • Target: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs
  • Size: 28KB
  • MD5: 814fb0a1cc7a7cf376f3a302449fd2bd
  • SHA1: 4b481d5b6a046f583ae5330e71b1f1f427c798ae
  • SHA256: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d
  • SHA512: d1e3f73e4ad416691edffbb181cbf382e077d3a22fd8ada80aa1f1a2592e94c013b39b062c76c25b67ab7acaa8c5a9c49bdde3ff3ed379642b8a612b0c856992

Score
10/10

Malware Config

Signatures

  • Lampion
    Lampion is a banking trojan targeting Portuguese-speaking countries.
  • Blocklisted process makes network request (3 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\System32\WScript.exe (PID 2736)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs"
    Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 1096)
      Command line: wscript.exe C:\Users\Admin\AppData\Roaming\pwwreldsoao.vbs
      Signatures: Drops startup file; Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\LogonUI.exe (PID 3952)
    Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
    Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082), 1


Downloads

  • C:\Users\Admin\AppData\Roaming\14938710153102\zeicpoomrcbajnofq21397207140921.exe
    MD5: 43bbe2756663160ade86c3d09f4673ab
    SHA1: 36e17020faead9ab5144f8a53c03e385426ac49f
    SHA256: d3038c47d193f15bf0566f394744bbdc1df67facd020ed55e15444490717412b
    SHA512: f46e1dcfca045d77acef8ea99c486104c098fd9a935fda25cb69675d0d4a12eec19c23216bad9e7b686d4af38ebc55c043d94d7f74e5ba58a4a7369d1d8f8855

  • C:\Users\Admin\AppData\Roaming\pwwreldsoao.vbs
    MD5: 80548b9189c37b3442faf5dacc33808e
    SHA1: 21f599d3e710801395847be15ee5d52c34a11599
    SHA256: 925495ff4eb421e27f714e77aa955bb8733bbaf23d2d77f64c7145d23417f0ec
    SHA512: 8df6f09c7c6a86f739274c272a1d71f8937f99bea9faf783f67f797ff6e57083f4e152efb71a121c9ca51b9db3d22c32a220a6a3c721a59e7db0580ed682b892