Analysis

  • max time kernel
    17s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 20:18

General

  • Target

    Transferencia-Bancaria-Comprovativo-24pb-05052020-PDF-1911/Transferencia-Bancaria-Comprovativo-24pb-05052020-PDF-1911.vbs

  • Size

    22KB

  • MD5

    bce58287fd543a394ebc4c866b52a74d

  • SHA1

    09ed62c7d881f0c7f8a2a54758dfe6c2ed513388

  • SHA256

    aa3d9e85c05f55a26f5e536d0330f35e4fb26d415d10933b4725de1d99eb1463

  • SHA512

    71c0e074439ad4089fed20b6a9d8e0a6989db6937a9bf889fe43b16eb637374eccf83607393e7751dba1a216fbd74feba97d8b3cf247261c40c368279484e159

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transferencia-Bancaria-Comprovativo-24pb-05052020-PDF-1911\Transferencia-Bancaria-Comprovativo-24pb-05052020-PDF-1911.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\gnybciqxdwc.vbs
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0 /f
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:772
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1956
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:864

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\78711049020290\qwknnlargypznqinu37264760851859.exe

    Filesize
    133B

    MD5
    31b3fa3be13c3eca988b6647cf274003

    SHA1
    713779818be4a9956a02f8e16231750a9e0c3eb8

    SHA256
    881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

    SHA512
    ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

  • C:\Users\Admin\AppData\Roaming\gnybciqxdwc.vbs

    Filesize
    691B

    MD5
    895ddb21929f9852a455d6a17cf7efc9

    SHA1
    218b10d5779d81234ee3eebbddddda536e0d84d7

    SHA256
    d02d64869582d2c6366085ca4c9a484fd0567d7eb0a51c286f165b4bffffd383

    SHA512
    35c55b683309d2ef546108b49bef20645e9d7491b426cf44f75c9c70724a2f97e0ab2b23e2cc1bda37d0afe187ec9e69341bc3dd1c55789fa487c77b6ec6cf33

  • memory/772-60-0x0000000000000000-mapping.dmp

  • memory/796-55-0x0000000000000000-mapping.dmp

  • memory/1384-59-0x0000000000000000-mapping.dmp

  • memory/1964-54-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

    Filesize
    8KB