Analysis

  • max time kernel
    89s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 11:59

General

  • Target

    Factura-Janeiro-2145892315-2019-10_25/Factura-Janeiro-2145892315-2019-10_25.vbs

  • Size

    24KB

  • MD5

    bbb4e37dc7a24682f9df59f585d3d39c

  • SHA1

    2a7083c11a32e63d6bab56f735a8b44b3759fafa

  • SHA256

    67508f5f5648be4ef1dcba284592fc1215efdfa90221c01fbda1069a46c956cc

  • SHA512

    6647ea9b16328409c198144be14615983ed89ef9d9243d84a2826fc85b4e4eb72048831d8315e3ccdbc40738d5ecd5249cc718b5bcfbe07fd7847357ca506b33

Score
10/10

Signatures

  • Lampion

    Lampion is a banking trojan targeting Portuguese-speaking countries.

  • Blocklisted process makes network request 8 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature calls it likely ransomware behaviour; for a banking trojan such as Lampion, drive enumeration is better read as host reconnaissance, and nothing else in this report points to file-encryption activity.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Factura-Janeiro-2145892315-2019-10_25\Factura-Janeiro-2145892315-2019-10_25.vbs"
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\yblhddpasjg.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:968
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1660

    Both LogonUI.exe entries are the Windows logon user interface; they are top-level processes, not children of the script host, and carry no signatures, so treat them as background activity of the analysis VM rather than part of the infection chain.
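The chain above (WScript.exe started on a .vbs extracted into %TEMP%, a second wscript.exe launched on a script the first one dropped into %APPDATA%, and a file written to the Startup folder) is what a detection engineer would want to catch in endpoint telemetry. The following is an added example, not part of the sandbox report or the Lampion authors' code: the event records are constructed to mirror the report's process tree (PIDs 1620 and 1600), the Sysmon-style field names for Event ID 1 (process create) and Event ID 11 (file create) are an assumption about the reader's telemetry, and the Startup-folder target path is constructed because the report only records that a startup file was dropped.

```python
"""Detection sketch for the wscript.exe -> wscript.exe chain in the process tree.
Added example, not from the sandbox report. Events are constructed to mirror the
report's tree and use Sysmon-style field names (assumption); adapt to your telemetry."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# Directories an unprivileged user can write to; scripts launched from here deserve a look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

SAMPLE_EVENTS = [
    # Parent script host launched from the extracted archive in %TEMP% (report PID 1620).
    {"event_id": 1, "pid": 1620, "ppid": 1234,
     "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Factura-Janeiro-2145892315-2019-10_25\Factura-Janeiro-2145892315-2019-10_25.vbs"'},
    # First stage writes the second-stage VBS into %APPDATA% (file create event).
    {"event_id": 11, "pid": 1620, "image": r"C:\Windows\System32\WScript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\yblhddpasjg.vbs"},
    # Second stage: a script host spawned by a script host (report PID 1600).
    {"event_id": 1, "pid": 1600, "ppid": 1620,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "command_line": r"wscript.exe C:\Users\Admin\AppData\Roaming\yblhddpasjg.vbs"},
    # "Drops startup file": the report gives no path, so this target is constructed.
    {"event_id": 11, "pid": 1600, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.lnk"},
    # Benign control: a domain logon script run from NETLOGON must not fire any rule.
    {"event_id": 1, "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"wscript.exe \\dc01\netlogon\map_drives.vbs"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_host(image: str) -> bool:
    return basename(image) in SCRIPT_HOSTS


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def script_argument(command_line: str):
    """First script-file argument after the executable, honouring quoted paths with spaces."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]
    for tok in tokens[1:]:
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None


def evaluate(events):
    """Run the rules over a list of events and return one hit dict per match."""
    hits = []
    for ev in events:
        if not is_script_host(ev.get("image", "")):
            continue
        pid = ev["pid"]
        if ev["event_id"] == 1:
            script = script_argument(ev.get("command_line", ""))
            if script and in_user_writable(script):
                hits.append({"rule": "script_from_user_writable_path", "pid": pid, "detail": script})
            if is_script_host(ev.get("parent_image", "")):
                hits.append({"rule": "script_host_spawned_by_script_host", "pid": pid,
                             "detail": ev["parent_image"]})
        elif ev["event_id"] == 11:
            target = ev.get("target", "")
            if STARTUP_DIR in target.lower():
                hits.append({"rule": "script_host_writes_startup_folder", "pid": pid, "detail": target})
            elif in_user_writable(target) and target.lower().endswith(SCRIPT_EXTS):
                hits.append({"rule": "script_host_drops_script", "pid": pid, "detail": target})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] pid={hit['pid']} {hit['detail']}")
```

Against the constructed events the rules fire five times, all on PIDs 1620 and 1600, and stay silent on the NETLOGON control; the script-host-spawns-script-host rule is the one with the lowest false-positive rate in most environments, so it is the natural candidate for an alert rather than a hunting query.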

Network

MITRE ATT&CK Enterprise v6

Downloads (dropped files and memory dumps captured by the sandbox)

  • C:\Users\Admin\AppData\Roaming\67449376046657\ijxtofzuvlswcheof76596776843070.exe

    Filesize

    327B

    MD5

    811fa134d80d9209416ddb1be081e16d

    SHA1

    3013141d8670ad69bbf21e19260bb4627c2db3d2

    SHA256

    4de2ec83d65150be010aa4224ed4216b01e9c855e65b8133856a8ed53f96b252

    SHA512

    eae8378b92a62b01e2a754a0f6788904b41468162e97ebe08978b56e7142c751bee2c6a4e6b460bc4a9e2de253c777727cf66d8d58a4b85bd47a4c9c9aaf4ca9

    At 327 bytes this file is far too small to be a working banking-trojan payload. The report also flags a blocklisted process making network requests, so check whether the content is an HTTP error body or placeholder written by the downloader before treating this hash as the second stage. The all-digit directory name under AppData\Roaming is itself a useful hunting pivot.

  • C:\Users\Admin\AppData\Roaming\yblhddpasjg.vbs

    Filesize

    653B

    MD5

    ca1e25710f221165d31d2a28904cd993

    SHA1

    2f98798c37bffbec13d244cf3b35490c17374af2

    SHA256

    d5ef4ccd80e820a1025f6a62702b65f71fd33ddea286913bacee29995c3a1e3a

    SHA512

    ee14337fc98e4aa5435d057954ca8cf6386ace0c57e1c62392470a29657cd29a681073e3a87c95c3806bb958ea7c75565aecfdda5ff64fc2d01217736f66a234

  • memory/1600-55-0x0000000000000000-mapping.dmp

  • memory/1620-54-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

    Filesize

    8KB
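When these artifacts are pulled out of the sandbox, the first two things to do are to confirm the hashes against the report and to check whether the tiny ".exe" actually carries a PE header. The following is an added example, not part of the sandbox report: the IoC table is transcribed from the entries above, while the sample bytes (a fake 404 body and a minimal PE-shaped blob) are constructed so the script runs offline; `build_fake_pe` and `FAKE_ERROR_BODY` are illustrative names, not files from the analysis.

```python
"""Triage helpers for the dropped files listed in the report.
Added example, not part of the sandbox report. The hash table is transcribed
from the report; the sample bytes below are constructed so this runs offline."""
import hashlib

# IoCs transcribed from the report (file name -> expected size and hashes).
REPORT_IOCS = {
    "ijxtofzuvlswcheof76596776843070.exe": {
        "size": 327,
        "md5": "811fa134d80d9209416ddb1be081e16d",
        "sha256": "4de2ec83d65150be010aa4224ed4216b01e9c855e65b8133856a8ed53f96b252",
    },
    "yblhddpasjg.vbs": {
        "size": 653,
        "md5": "ca1e25710f221165d31d2a28904cd993",
        "sha256": "d5ef4ccd80e820a1025f6a62702b65f71fd33ddea286913bacee29995c3a1e3a",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report publishes, so any one of them can be matched."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def match_report(hashes: dict):
    """Return the name of the report entry whose SHA-256 or MD5 matches, or None."""
    for name, ioc in REPORT_IOCS.items():
        if hashes.get("sha256") == ioc["sha256"] or hashes.get("md5") == ioc["md5"]:
            return name
    return None


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' stub, e_lfanew in range, 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(name: str, data: bytes) -> dict:
    """Summarise a captured file: size, hashes, report-IoC match, and whether a
    file named *.exe actually carries a PE header (a bare error body does not)."""
    hashes = hash_bytes(data)
    result = {
        "name": name,
        "size": len(data),
        "sha256": hashes["sha256"],
        "ioc_match": match_report(hashes),
        "is_pe": looks_like_pe(data),
    }
    result["suspicious_stub"] = name.lower().endswith(".exe") and not result["is_pe"]
    return result


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header whose e_lfanew points at 'PE\\0\\0' at 0x40."""
    blob = bytearray(0x48)
    blob[0:2] = b"MZ"
    blob[0x3C:0x40] = (0x40).to_bytes(4, "little")
    blob[0x40:0x44] = b"PE\0\0"
    return bytes(blob)


# Constructed stand-in for a tiny "executable" that is really an HTTP error page.
FAKE_ERROR_BODY = b"<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, data in (("ijxtofzuvlswcheof76596776843070.exe", FAKE_ERROR_BODY),
                       ("real_payload.exe", build_fake_pe())):
        print(triage(name, data))
```

Run `triage` over the real files downloaded from the sandbox; an `.exe` entry with `is_pe` false and a size in the hundreds of bytes is a failed or blocked download, and its hash should be recorded as such rather than circulated as a payload indicator.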