lampion | 11b1e980138607d93f56490c747e135aa1d92320bcc43cd352330ccbe00e47a8

General

Target

DocumentoSetembro-CS-U-65289742019-09_13/DocumentoSetembro-CS-U-65289742019-09_13.vbs
Size

15KB
MD5

3c36b6fdd3bafc16376dd2bc68fec317
SHA1

92729855a8cb8399e02190b17e807c0536e764f3
SHA256

4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599
SHA512

65897f7de6e2e7df85f3410d145907f42da49927ec961311901bb950a23c4a610282953f964d4cc8a910db573321a64d3a343de59b66db89f8508cacc5918639

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exe

flow pid process

45 1188 WScript.exe
47 1188 WScript.exe
49 1188 WScript.exe
51 1188 WScript.exe
53 1188 WScript.exe
55 1188 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odgnggvomzm.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
45	1188	WScript.exe
47	1188	WScript.exe
49	1188	WScript.exe
51	1188	WScript.exe
53	1188	WScript.exe
55	1188	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odgnggvomzm.lnk	wscript.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "82"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1972	wscript.exe
Token: SeShutdownPrivilege	1972	wscript.exe
Token: SeShutdownPrivilege	1972	wscript.exe
Token: SeShutdownPrivilege	1972	wscript.exe
Token: SeShutdownPrivilege	1972	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5116 LogonUI.exe

pid	process
5116	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1188 wrote to memory of 1972	1188	WScript.exe	wscript.exe
PID 1188 wrote to memory of 1972	1188	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DocumentoSetembro-CS-U-65289742019-09_13\DocumentoSetembro-CS-U-65289742019-09_13.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\odgnggvomzm.vbs
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:1972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\33729313790797\yltzrjfipbzvctlyj24930547595023.exe

Filesize
310B

MD5
a0e2a1b1d47ba0f936c633fcb0e9a08e

SHA1
e9205ece427d777a13e64f42b19d1f262ef93ee3

SHA256
6cf8efc2f67d40293ce3ca4c0b83305814f4ac1b31a95838780382c22de46e6a

SHA512
b464be9a16a49c48f2b297ba333d50b6b441b62b13918e58c02ebcae52597a05b9de2e8e2f6e4cf8d3f066d856522c99ffb50e69b28471bb8c07adae5e3f8afe

Download Submit
C:\Users\Admin\AppData\Roaming\odgnggvomzm.vbs

Filesize
653B

MD5
9a30b96cc6bb32112bcf34340933053a

SHA1
c481f8f31a5f6ef70f05fc71b2c9936ece438647

SHA256
a095eb3dac4fa060b834690c210cafdc7a7753316ba975877f2f4147853f4438

SHA512
2b8d9067be717c89f6d7608b112701fb2fac39248741a4418c2cc00ffa14eaae95a1521a61e82fd32140a5fca558a022e37114442db32fa28558bb0f23dcba87

Download Submit
memory/1972-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads