lampion | 4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599

General

Target

4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599.vbs
Size

15KB
MD5

3c36b6fdd3bafc16376dd2bc68fec317
SHA1

92729855a8cb8399e02190b17e807c0536e764f3
SHA256

4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599
SHA512

65897f7de6e2e7df85f3410d145907f42da49927ec961311901bb950a23c4a610282953f964d4cc8a910db573321a64d3a343de59b66db89f8508cacc5918639

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 1860 WScript.exe
7 1860 WScript.exe
9 1860 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmjtbplqckj.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1860	WScript.exe
7	1860	WScript.exe
9	1860	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmjtbplqckj.lnk	wscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1508	wscript.exe
Token: SeShutdownPrivilege	1508	wscript.exe
Token: SeShutdownPrivilege	1508	wscript.exe
Token: SeShutdownPrivilege	1508	wscript.exe
Token: SeShutdownPrivilege	1508	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1860 wrote to memory of 1508	1860	WScript.exe	wscript.exe
PID 1860 wrote to memory of 1508	1860	WScript.exe	wscript.exe
PID 1860 wrote to memory of 1508	1860	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\fmjtbplqckj.vbs
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:1508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\25611241281031\puwemrwkfmwsumwsz65792821764945.exe

MD5
cdf8bf4df953c1231894ed91814756d9

SHA1
583de72638350c10e49bee2a064de0d3e2de3ae5

SHA256
41da5187ad3eaadc7fdcc8a5412565873807a5dca7ee3c967cc034b9aa77c6e4

SHA512
96003e14bd2c37200952a0a122f9e73a3448b2c588dfe3979a7747eca377922acd7317a62060ea288156aef33ecbdeb155992caba9377947f672a880aa61768b

Download Submit
C:\Users\Admin\AppData\Roaming\fmjtbplqckj.vbs

MD5
dd267fffc4ee111465c40801191b24ff

SHA1
aaacb99b8395c94a1d78c1c13b41b0520b223e14

SHA256
f929e28322c709c2d23b47268ccec805d9e8bdb2dd8bb4b5617ca424b230549b

SHA512
9b2fdbcd3d65dbd903a5d18806dd4d251fa1a8b0dd259d3bb77d7b6c03c1796a9315a4375789946ffdbd875c7311bbba506e1e6a884019a37f2471340e158671

Download Submit
memory/972-59-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1684-61-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1860-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing