lampion | 8ac60cd9bc9a44e558e840a6bebdd27c73a9ce167a66cf6c8d462e46848fe8a3

General

Target

8ac60cd9bc9a44e558e840a6bebdd27c73a9ce167a66cf6c8d462e46848fe8a3.vbs
Size

17KB
MD5

516fa3c46fc576055885f69a6950f23c
SHA1

80f563d69d136e1d861c584c19ba039f00771845
SHA256

8ac60cd9bc9a44e558e840a6bebdd27c73a9ce167a66cf6c8d462e46848fe8a3
SHA512

33de0f4d7aace7e08b3e2f3911a510a73466ff5f370f0598a60e1daa936cec968d83acf0da502d8d266f5746c7529a80a139d3eec895188099d25acbd8a7a793

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

23 3800 WScript.exe
25 3800 WScript.exe
27 3800 WScript.exe
29 3800 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wxulcwhdtwr.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
23	3800	WScript.exe
25	3800	WScript.exe
27	3800	WScript.exe
29	3800	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wxulcwhdtwr.lnk	wscript.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	2840	wscript.exe
Token: SeShutdownPrivilege	2840	wscript.exe
Token: SeShutdownPrivilege	2840	wscript.exe
Token: SeShutdownPrivilege	2840	wscript.exe
Token: SeShutdownPrivilege	2840	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

436 LogonUI.exe

pid	process
436	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 3800 wrote to memory of 2840	3800	WScript.exe	wscript.exe
PID 3800 wrote to memory of 2840	3800	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ac60cd9bc9a44e558e840a6bebdd27c73a9ce167a66cf6c8d462e46848fe8a3.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\wxulcwhdtwr.vbs
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:2840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\91927464425563\hggxnzrxwyesbeoop33374914050101.exe

MD5
f42a5229411f8e691a722b2ed4f33c9b

SHA1
1fc8331a703065afce4840db719a7e1faee9e86f

SHA256
aa1114725ac949d3491ccb34a81fa057cd67705a04fb775b27ca4a283832cc1e

SHA512
92a89befe9d5dd6d8e87de6a5d8e2f1115d970892ddacae3706855e76422d7540997a4d084d079866c3392a61c9d3af4081b534f59f71c830404bb3995b4743b

Download Submit
C:\Users\Admin\AppData\Roaming\wxulcwhdtwr.vbs

MD5
e5cc85220d30b4ac07004af005cfb876

SHA1
a33cf128ff1d9af405ef1a29464b29c6ebe0903c

SHA256
58ce826f673f57190dcbf9822135de7c1f4c996acb51a0dedba1f1e42bb1e872

SHA512
f15a1fd8fd767b98023b423b7e79973f858b93ce85e9d91a763dd35536f51efcbfd1ef0202ccda36b4168f9bf35bd5a34cd024e62643487ef453cba10d438607

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads