lampion | 6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857

General

Target

6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857.vbs
Size

24KB
MD5

c66f748e72e6070e0e7a99f1e9b3e29c
SHA1

5f1342f7d84032945cb2cfc0935e2c0a1229d3e8
SHA256

6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857
SHA512

153ccaf14b33c62be399db5e05463914b7361ed077f80c821d348639f11c6fa228aa31dda6e7ed9064c63f23715bb28190f92dc838de3a969cf5f9a03b3ab10e

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 1664 WScript.exe
6 1664 WScript.exe
8 1664 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zhthhesutzw.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1424 shutdown.exe
Token: SeRemoteShutdownPrivilege 1424 shutdown.exe

flow	pid	process
5	1664	WScript.exe
6	1664	WScript.exe
8	1664	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zhthhesutzw.lnk	wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1424	shutdown.exe
Token: SeRemoteShutdownPrivilege	1424	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exewscript.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 684	1664	WScript.exe	wscript.exe
PID 1664 wrote to memory of 684	1664	WScript.exe	wscript.exe
PID 1664 wrote to memory of 684	1664	WScript.exe	wscript.exe
PID 684 wrote to memory of 1892	684	wscript.exe	cmd.exe
PID 684 wrote to memory of 1892	684	wscript.exe	cmd.exe
PID 684 wrote to memory of 1892	684	wscript.exe	cmd.exe
PID 1892 wrote to memory of 1424	1892	cmd.exe	shutdown.exe
PID 1892 wrote to memory of 1424	1892	cmd.exe	shutdown.exe
PID 1892 wrote to memory of 1424	1892	cmd.exe	shutdown.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\zhthhesutzw.vbs
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /t 0 /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1424

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\39866963326930\jpgsthdowbimwdlkn20306539416312.exe

Filesize
133B

MD5
31b3fa3be13c3eca988b6647cf274003

SHA1
713779818be4a9956a02f8e16231750a9e0c3eb8

SHA256
881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

SHA512
ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

Download Submit
C:\Users\Admin\AppData\Roaming\zhthhesutzw.vbs

Filesize
499B

MD5
c53adaceab9f41e2fc282263a481be2b

SHA1
c72c4cda843fd862573741d139e18abfe70758ac

SHA256
3d336e7606901a21970ee663cf151b04f47a1da346073be5531e30f4b9fc6af8

SHA512
fc8144041a856593b9bc6a452abef68cf8f3fca2e2753bef33d8be017b616763cbe97bd74ceadfc01bc0d3412bba9bf658007cf566c79d2237d91d49e5b0150a

Download Submit
memory/684-55-0x0000000000000000-mapping.dmp

Download
memory/1424-60-0x0000000000000000-mapping.dmp

Download
memory/1664-54-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/1892-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing