Overview

overview

10

Static

static

f085588cf0...87.msi

windows7_x64

10

f085588cf0...87.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    55s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987.msi

  • Size

    951KB

  • MD5

    e2c5416931f1c9369fb55e7adcf6364b

  • SHA1

    57c960dc13b433a3fe3225b884fcbccc01c00c36

  • SHA256

    f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987

  • SHA512

    96e666f61ad0e1e1c9146b31ea94622004e9dcdd082372e5ae7dada1c3aa28538d506c870502be8b381170a2d60ea470e196141de0affab232d8a106fa4ca51e

Score
10/10
lampionbankertrojan

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

    trojanbankerlampion
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1624
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 312447BBDBB6D0C0851CE9D9A9A52227
      2⤵
      • Loads dropped DLL
      PID:1472
    • C:\Windows\Installer\MSI655E.tmp
      "C:\Windows\Installer\MSI655E.tmp" "C:\Program Files (x86)\Firefox_2020-3547\Firefox_2020-3547\658615508460043140_16.vbs"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1264
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:564
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000005A4" "0000000000000510"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1996
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Firefox_2020-3547\Firefox_2020-3547\658615508460043140_16.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\zjgrquagjip.vbs
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0 /f
          4⤵
            PID:2032
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1984
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1836

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Firefox_2020-3547\Firefox_2020-3547\658615508460043140_16.vbs
          MD5

          6726ce7753803c58bb7136216dd3378f

          SHA1

          eb6faf34ce5a9c9a6bc5eba32cb51b88cdda3f2d

          SHA256

          0a0bce3a1809e225be4a123e894e01a3f8eb805ebbea1bcd0172c2b104600f04

          SHA512

          320b9c6ffedac662290482f6c73e8b8b2242bf8a359da91baa06d37c165596668157a8e89199f81c132f9434b8ad202c4ce6735f654d5e8d353104786abae9a7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\50728321969508\jrscbxlamkbcoqeoa73404836535453.exe
          MD5

          31b3fa3be13c3eca988b6647cf274003

          SHA1

          713779818be4a9956a02f8e16231750a9e0c3eb8

          SHA256

          881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

          SHA512

          ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

          Download Submit

        • C:\Users\Admin\AppData\Roaming\zjgrquagjip.vbs
          MD5

          4fcbedd04fc2c59cabcf9e15b02c41e1

          SHA1

          750d0c0a93e5cb5543f5c133b655f9e69cd0b9e4

          SHA256

          6a25c5a919f4adec5ea7cd4da243bbeb81f88fb49ac43737572b0205acfc6d1c

          SHA512

          110b1093debfaf34ab62df267a22bfa846c8b8f19b5037fb731099644549b7be5ec0edfd1a76b90663cef602738d3f634f57a09dfa01ef7a9289754c5f29c2f9

          Download Submit

        • C:\Windows\Installer\MSI5A12.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit

        • C:\Windows\Installer\MSI5E95.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit

        • C:\Windows\Installer\MSI5F22.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit

        • C:\Windows\Installer\MSI655E.tmp
          MD5

          867b627b008d149f15e8df90d2648d41

          SHA1

          543fc2763f98378c5777f0dc1f11f54ee3a71733

          SHA256

          51d309734f25d009714a0e4d428ffee3f42bfaa3eaf21da68369405f3a0a8233

          SHA512

          9c3beb4c8c5319f1f584c49fa66b1ee704b6ecb56184af0024a4e363979466c2933a99fa0662532b0ac8ca22536b1717de8214cd828094bbc38f9d8bb3d2da44

          Download Submit

        • \Windows\Installer\MSI5A12.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit

        • \Windows\Installer\MSI5E95.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit

        • \Windows\Installer\MSI5F22.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit

        • memory/1264-65-0x0000000000160000-0x0000000000162000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1472-56-0x0000000076071000-0x0000000076073000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1624-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1836-74-0x00000000026E0000-0x00000000026E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1984-72-0x0000000002840000-0x0000000002841000-memory.dmp

          Filesize

          4KB

          Download