Overview

overview

10

Static

static

cd9d625e9f...a8.msi

windows7_x64

10

cd9d625e9f...a8.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8.msi

  • Size

    951KB

  • MD5

    9951c45e09990f06bc3e3758062c9ade

  • SHA1

    27ef845a9562b989c38dd6d2eda42d31d7c2a354

  • SHA256

    cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8

  • SHA512

    b97185d2eeec22a2a66cd56f3ca6ee1a4e97c9e1d1ddea24c71ca4d9f7ef4f337c7a1197d08814c4a70870266230891f0798e8c924623291409edfb51b81539d

Score
10/10
lampionbankertrojan

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

    trojanbankerlampion
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:976
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 57D0A756C1DE634B037618F5200E8524
      2⤵
      • Loads dropped DLL
      PID:1512
    • C:\Windows\Installer\MSI4B97.tmp
      "C:\Windows\Installer\MSI4B97.tmp" "C:\Program Files (x86)\Firefox_2020-3624\Firefox_2020-3624\413824335077635404_5.vbs"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:684
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:672
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "0000000000000580" "00000000000003DC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1056
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Firefox_2020-3624\Firefox_2020-3624\413824335077635404_5.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\qvmggwyggby.vbs
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0 /f
          4⤵
            PID:848
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:904
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:456

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Firefox_2020-3624\Firefox_2020-3624\413824335077635404_5.vbs
          MD5

          eaa110d16a2f936ad5eb065eeeeb4d63

          SHA1

          f709ea58e0f65df965d77fc8707ad0cecd57e720

          SHA256

          0e5838c7b80a24bc9ee2149c91bc60c0eb543477ca963b373c1597f0db435350

          SHA512

          9c724006a70f5fdbee7ba3d0e93c169f0b65854dfa87fd545ff403b79cb80208f971b31c7ed65943cd1ce64f7785cd74abe97f6fee62ef887f736893a0245584

          Download Submit
        • C:\Users\Admin\AppData\Roaming\46447224557399\bdyrrziajdlgkacox61425619006156.exe
          MD5

          31b3fa3be13c3eca988b6647cf274003

          SHA1

          713779818be4a9956a02f8e16231750a9e0c3eb8

          SHA256

          881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

          SHA512

          ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

          Download Submit
        • C:\Users\Admin\AppData\Roaming\qvmggwyggby.vbs
          MD5

          abc592008227d0c44ffcec8b6cf918e2

          SHA1

          556c58396e593f221a72dd6ae2dbfc0e87d3a03b

          SHA256

          c5a307d8f0cdc9f51a5c6b38a1b6084801751763423e900ef1c8706e234338af

          SHA512

          34089cc3782972de848492307d9fe1be1caff8635f0f9a3cecafc9d4f766d4079474bf7698d70f843e9b4875cfa4f2315b53d9614bf38c6e1d90b79f4ba77ebc

          Download Submit
        • C:\Windows\Installer\MSI3B4C.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit
        • C:\Windows\Installer\MSI3F91.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit
        • C:\Windows\Installer\MSI401E.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit
        • C:\Windows\Installer\MSI4B97.tmp
          MD5

          867b627b008d149f15e8df90d2648d41

          SHA1

          543fc2763f98378c5777f0dc1f11f54ee3a71733

          SHA256

          51d309734f25d009714a0e4d428ffee3f42bfaa3eaf21da68369405f3a0a8233

          SHA512

          9c3beb4c8c5319f1f584c49fa66b1ee704b6ecb56184af0024a4e363979466c2933a99fa0662532b0ac8ca22536b1717de8214cd828094bbc38f9d8bb3d2da44

          Download Submit
        • \Windows\Installer\MSI3B4C.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit
        • \Windows\Installer\MSI3F91.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit
        • \Windows\Installer\MSI401E.tmp
          MD5

          c39daeba173815516c180ca4361f7895

          SHA1

          db3ae54329834baa954569a35be5b947c86dc25e

          SHA256

          a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

          SHA512

          e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

          Download Submit
        • memory/456-74-0x00000000026E0000-0x00000000026E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/684-65-0x0000000000120000-0x0000000000122000-memory.dmp
          Filesize

          8KB

          Download
        • memory/904-72-0x0000000002840000-0x0000000002841000-memory.dmp
          Filesize

          4KB

          Download
        • memory/976-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1512-56-0x0000000075761000-0x0000000075763000-memory.dmp
          Filesize

          8KB

          Download