lampion | d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1

General

Target

d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1.vbs
Size

10KB
MD5

d7a54b62097678df7ad6a0d2871dc342
SHA1

0a0ff21cc2c81d4a7de738d944445e48ed9ef314
SHA256

d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1
SHA512

813a82139954ec7669829b8d0cf270657ce64a2d8294a1b35e3d9a6212af3af7905f9e386ad3dff03ba9fddf595c25388620cf01ea29e9ae22798aa7e01b2637

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 7 IoCs

Processes:

WScript.exe

flow pid process

25 1140 WScript.exe
27 1140 WScript.exe
29 1140 WScript.exe
31 1140 WScript.exe
41 1140 WScript.exe
43 1140 WScript.exe
48 1140 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsddvmfcqyd.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
25	1140	WScript.exe
27	1140	WScript.exe
29	1140	WScript.exe
31	1140	WScript.exe
41	1140	WScript.exe
43	1140	WScript.exe
48	1140	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsddvmfcqyd.lnk	wscript.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "33"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wscript.exe

description	pid	process
Token: SeShutdownPrivilege	4976	wscript.exe
Token: SeShutdownPrivilege	4976	wscript.exe
Token: SeShutdownPrivilege	4976	wscript.exe
Token: SeShutdownPrivilege	4976	wscript.exe
Token: SeShutdownPrivilege	4976	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4864 LogonUI.exe

pid	process
4864	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1140 wrote to memory of 4976	1140	WScript.exe	wscript.exe
PID 1140 wrote to memory of 4976	1140	WScript.exe	wscript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\System32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Roaming\wsddvmfcqyd.vbs
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a09855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\20553685128688\gaqogppwtapdnllqc48916173815726.exe
Filesize
321B

MD5
49a863cf917e135403bba7e2c7c37792

SHA1
e077fa08e233bead25b18687d15096a91097277a

SHA256
a61f2d652a9c23ece25a50482f250b54a2902cfc382f218ed28e8d243ba56b14

SHA512
2d46628e0161a409bcb91c36e3596dfe188c080647b133f87bf769cbc1198b0f2d277b42d818b634165ccfa027a8802e35103b94b9bb8ba719dcccbf9f52ee71

Download Submit
C:\Users\Admin\AppData\Roaming\wsddvmfcqyd.vbs
Filesize
653B

MD5
f6efdef43917d150051c7e8d3daf0d68

SHA1
06e954617645877f4f66c56743414e74ccfbebdd

SHA256
a977f563d131b0db6bb80779b9bfd30ac5de79152e1190d0b2ee5762c12752c2

SHA512
48d94a7c99668085c5e80304a4c131dc4ffc618546dfe26e33d3c285c63b89160692579fe3ccd4195264384bac6a0632dbc9e0cb94191144520006dbad7a7f17

Download Submit
memory/4976-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads