Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
18-01-2023 23:16
General
-
Target
AnyDeskAPP.msi
-
Size
1.4MB
-
MD5
4e4a4a4eb6a77d72af83b2bbd0698593
-
SHA1
dbaeba54fcae50acc36565d0f61ad73df6df7d45
-
SHA256
58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a
-
SHA512
69785dadc878bd1178672a8f08590eeccd268b4fd2107ae3909e59fba03e7cfa425f690580dfcfa1f5ec3e494e5ef0b7232a16a26c8fbf734ef3887da4044ccb
-
SSDEEP
24576:Y+rwxLNjY3Wx0ECIgYmfLVYeBZrWAv12h2SekeUuyZD6lvs0zqa3:TrMjYMZKumZrWAWTreUuyZD6lvVz9
Malware Config
Signatures
-
Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Modifies registry class 27 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AnyDeskAPP.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E66FAD2627416073E122FBE03455AE922⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss79E6.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi79D3.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr79D4.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr79D5.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\candura\indolência\Winpercepção.exe"C:\candura\indolência\Winpercepção.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD514bf85de793cea23b81c15fb4078caac
SHA1288eb197e359344a18d65724ff854bbe482be6fb
SHA256a6a1d1ce7bbc768eeda3b115f96805c7a7b79b2a1d456810842bad24fcf6d1f1
SHA512cb7bfb330f21e1d4ef49d92c86c77c12a58ad8fe37e57a745539f0902ef2bb063f6e4236146584c4dbd2c5d48510c7500577e7d0b41724ccad1f017cb2da70c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5de5b252662ee0b24b87114239c4ec526
SHA11fb2bb70904e159e05f593b9280f4f06033674d4
SHA256fba5701d079f23985244d31db3545a7da7dee4fd528be2761bc0494bcc565d0a
SHA51266259ea5cfa1071d5836bbc0a6d15890ca4cd05f8339fb2d10667757f3598374114040f50f166054ecfb03eff4e564c24a53be426eb4ef82b0793e54da701845
-
C:\Users\Admin\AppData\Local\Temp\pss79E6.ps1Filesize
5KB
MD5fc1bb6c87fd1f08b534e52546561c53c
SHA1db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA5125495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
C:\Users\Admin\AppData\Local\Temp\scr79D4.ps1Filesize
17KB
MD57c5b73168b207a9c580eb62dd1588fef
SHA1cdd8f39b7a12aa0b3c62a3c0c19572976d0444dc
SHA2566d6b711685d829f27fcfe579853e43d993bf6e935085161d0dbee6abb43f60d5
SHA5127ea9836bc57698341d18154e1b76ea6d1ee67b68504c2076b7125374c63298a9bf3580b4d2c2936ab19d0831940bb927171b6ad5a46fb87caf7f43b2b82696f9
-
C:\Windows\Installer\MSI7407.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI7407.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI761B.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI761B.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI76B8.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI76B8.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI7708.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI7708.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI79B9.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
C:\Windows\Installer\MSI79B9.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
C:\candura\indolência\Winpercepção.exeFilesize
5.5MB
MD5caa7805c7dc283359293bae074cb85ec
SHA1f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
-
C:\candura\indolência\Winpercepção.exeFilesize
5.5MB
MD5caa7805c7dc283359293bae074cb85ec
SHA1f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
-
C:\candura\indolência\vendingFilesize
89.4MB
MD53c6ef07082ae5cd1cdbb4c272f1da202
SHA14bbc70f293110dae93746e8a1fe7c5a47d1f33ec
SHA2562bd1e88bcdd6377d1fa2a8f12b1ffec9c1a73e4aeea4a9eea31c359880a17b4c
SHA512432d6c249b4b000c5cdf9600f8ca3f7771e55d41152abbc398b70a5b8cc5bd3d867a7febbd7b4d07186a519b04a7f552aa25712c099b16ebdb4575a751c73ee9
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD59615ca73b7cfad8b513cba365b77bdfe
SHA16903179807d0d68899c9151f5d9e5a334d338bc2
SHA256ccef9db2683a828f6da5deaa84382943c6b14a57ee9d70b6cbccd1136a76e283
SHA512eb4ae8322dd60a7bc50446eb7571ceade2091c8b879d536c9f1b8c0fb5296c6ec23b8102af8bfec1c3b4d557c8e25576af88eb78058db5f0abc1181ae2bf5ed4
-
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4012f9b3-8049-410b-a6e0-f29e87031c69}_OnDiskSnapshotPropFilesize
5KB
MD5044481be30212d4327d28275b814924d
SHA1a12804d52e5f308c12bc0e5f5ce4ffa6b08793f5
SHA256a59761aa50204e348dae4b321cf936e738fd283bd9b2f58dcffe11a185c23df7
SHA512180c20596571f6bbd3e06019031774152c6febaa5e7f3d89b7b304622973cf7948177746d95ea3ad03a84651efd44f269a688870c92f45d1cee148060e832ff4
-
memory/2012-133-0x0000000000000000-mapping.dmp
-
memory/4136-165-0x0000000000880000-0x00000000019E0000-memory.dmpFilesize
17.4MB
-
memory/4136-174-0x0000000009DF0000-0x000000000F766000-memory.dmpFilesize
89.5MB
-
memory/4136-173-0x0000000009DF0000-0x000000000F766000-memory.dmpFilesize
89.5MB
-
memory/4136-172-0x0000000077330000-0x00000000774D3000-memory.dmpFilesize
1.6MB
-
memory/4136-169-0x0000000000880000-0x00000000019E0000-memory.dmpFilesize
17.4MB
-
memory/4136-168-0x0000000000880000-0x00000000019E0000-memory.dmpFilesize
17.4MB
-
memory/4136-166-0x0000000000880000-0x00000000019E0000-memory.dmpFilesize
17.4MB
-
memory/4136-160-0x0000000000000000-mapping.dmp
-
memory/4136-167-0x0000000077330000-0x00000000774D3000-memory.dmpFilesize
1.6MB
-
memory/4136-162-0x0000000000880000-0x00000000019E0000-memory.dmpFilesize
17.4MB
-
memory/4136-163-0x0000000000880000-0x00000000019E0000-memory.dmpFilesize
17.4MB
-
memory/4136-164-0x0000000000880000-0x00000000019E0000-memory.dmpFilesize
17.4MB
-
memory/4432-132-0x0000000000000000-mapping.dmp
-
memory/4660-149-0x0000000006170000-0x00000000061D6000-memory.dmpFilesize
408KB
-
memory/4660-148-0x0000000006010000-0x0000000006076000-memory.dmpFilesize
408KB
-
memory/4660-153-0x0000000006D20000-0x0000000006D3A000-memory.dmpFilesize
104KB
-
memory/4660-150-0x00000000067D0000-0x00000000067EE000-memory.dmpFilesize
120KB
-
memory/4660-152-0x0000000008130000-0x00000000087AA000-memory.dmpFilesize
6.5MB
-
memory/4660-147-0x0000000005810000-0x0000000005832000-memory.dmpFilesize
136KB
-
memory/4660-146-0x00000000059E0000-0x0000000006008000-memory.dmpFilesize
6.2MB
-
memory/4660-156-0x00000000087B0000-0x0000000008D54000-memory.dmpFilesize
5.6MB
-
memory/4660-155-0x0000000007780000-0x00000000077A2000-memory.dmpFilesize
136KB
-
memory/4660-154-0x0000000007AB0000-0x0000000007B46000-memory.dmpFilesize
600KB
-
memory/4660-145-0x0000000005220000-0x0000000005256000-memory.dmpFilesize
216KB
-
memory/4660-144-0x0000000000000000-mapping.dmp