lampion | 1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af

Analysis

max time kernel
181s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
20-03-2022 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe
Size

15.8MB
MD5

f07e973e667b4dde07418f5f99357e92
SHA1

9c87c0d4dd7bb0fecc4c9498216ced51f66534b4
SHA256

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af
SHA512

dd0fb71bc812ab1950b670a5c08198901d59449da8110de03d396d9093a3772a3335c7b250a677177f60b57e850400180539a1107fcd8afcf892fcdca0909af2

Score

10^/10

lampion banker evasion persistence trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

OuJP_BsZa.exe

pid process

2136 OuJP_BsZa.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OuJP_BsZa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OuJP_BsZa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OuJP_BsZa.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe

Loads dropped DLL 5 IoCs

Processes:

OuJP_BsZa.exe

pid process

2136 OuJP_BsZa.exe
2136 OuJP_BsZa.exe
2136 OuJP_BsZa.exe
2136 OuJP_BsZa.exe
2136 OuJP_BsZa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OuJP_BsZa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	OuJP_BsZa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqtnimii = "C:\\Users\\Public\\Documents\\OuJP_BsZa.exe"	OuJP_BsZa.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

OuJP_BsZa.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA OuJP_BsZa.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

OuJP_BsZa.exe

pid process

2136 OuJP_BsZa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OuJP_BsZa.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

OuJP_BsZa.exe

pid	process
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe
2136	OuJP_BsZa.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe

description	pid	process	target process
PID 4364 wrote to memory of 2136	4364	1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe	OuJP_BsZa.exe
PID 4364 wrote to memory of 2136	4364	1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe	OuJP_BsZa.exe
PID 4364 wrote to memory of 2136	4364	1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe	OuJP_BsZa.exe

C:\Users\Admin\AppData\Local\Temp\1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe
"C:\Users\Admin\AppData\Local\Temp\1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Public\Documents\OuJP_BsZa.exe
"C:\Users\Public\Documents\OuJP_BsZa.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\Avira.OE.NativeCore.dll
MD5
d1d46e4018c5e3af0beaac36d809cf3c

SHA1
7928be65a0bb0af8b9085c3b2ac1fcdddeb32919

SHA256
82b408b8e66307f6baf6c96503e2cf5032027f0ef237d7a85ed98a83fb4c795f

SHA512
f4e101ee66f66abd160badb2d2d73ffaf42e8917b18ac3f1dfa8eca19c89915f5fe4a94676c6f639e72fb34ee229da20518908ee8b159bbc1f9ec1d22fb26d2d

Download Submit
C:\Users\Public\Documents\Avira.OE.NativeCore.dll
MD5
d1d46e4018c5e3af0beaac36d809cf3c

SHA1
7928be65a0bb0af8b9085c3b2ac1fcdddeb32919

SHA256
82b408b8e66307f6baf6c96503e2cf5032027f0ef237d7a85ed98a83fb4c795f

SHA512
f4e101ee66f66abd160badb2d2d73ffaf42e8917b18ac3f1dfa8eca19c89915f5fe4a94676c6f639e72fb34ee229da20518908ee8b159bbc1f9ec1d22fb26d2d

Download Submit
C:\Users\Public\Documents\Avira.OE.NativeCore.dll
MD5
d1d46e4018c5e3af0beaac36d809cf3c

SHA1
7928be65a0bb0af8b9085c3b2ac1fcdddeb32919

SHA256
82b408b8e66307f6baf6c96503e2cf5032027f0ef237d7a85ed98a83fb4c795f

SHA512
f4e101ee66f66abd160badb2d2d73ffaf42e8917b18ac3f1dfa8eca19c89915f5fe4a94676c6f639e72fb34ee229da20518908ee8b159bbc1f9ec1d22fb26d2d

Download Submit
C:\Users\Public\Documents\MSVCP120.dll
MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Public\Documents\MSVCR120.dll
MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Public\Documents\OuJP_BsZa.exe
MD5
e4eed381a65c98bb630dfceeeffb9325

SHA1
c80a59b23a8e580412728f0e1d12988ecc904a45

SHA256
158a3585ba853c9f3d916ea642a49cb26845c695ac5abeea22b4be024f739e4b

SHA512
138191a8f44166287cd41638ad460c9f4cce39626235dd30a4cfe8fedf7d7fc13507f931cb8c918b830f87d84baa8b87437a4c81042f622f8c98dc2cb7575937

Download Submit
C:\Users\Public\Documents\OuJP_BsZa.exe
MD5
e4eed381a65c98bb630dfceeeffb9325

SHA1
c80a59b23a8e580412728f0e1d12988ecc904a45

SHA256
158a3585ba853c9f3d916ea642a49cb26845c695ac5abeea22b4be024f739e4b

SHA512
138191a8f44166287cd41638ad460c9f4cce39626235dd30a4cfe8fedf7d7fc13507f931cb8c918b830f87d84baa8b87437a4c81042f622f8c98dc2cb7575937

Download Submit
C:\Users\Public\Documents\msvcp120.dll
MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Public\Documents\msvcr120.dll
MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Public\Documents\msvcr120.dll
MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
memory/2136-144-0x0000000001071000-0x00000000019B3000-memory.dmp

Filesize
9.3MB

Download
memory/2136-146-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/2136-145-0x0000000001070000-0x0000000006D72000-memory.dmp

Filesize
93.0MB

Download
memory/2136-147-0x0000000001070000-0x0000000006D72000-memory.dmp

Filesize
93.0MB

Download
memory/2136-148-0x0000000001070000-0x0000000006D72000-memory.dmp

Filesize
93.0MB

Download
memory/2136-149-0x0000000001070000-0x0000000006D72000-memory.dmp

Filesize
93.0MB

Download
memory/2136-150-0x0000000001071000-0x00000000019B3000-memory.dmp

Filesize
9.3MB

Download
memory/2136-151-0x0000000001070000-0x0000000006D72000-memory.dmp

Filesize
93.0MB

Download
memory/2136-152-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download