Overview

overview

10

Static

static

Update.zip

windows10-1703-x64

10

Update.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    660s
  • max time network
    618s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-es
  • resource tags

    arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
  • submitted
    19-01-2023 00:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update.zip

  • Size

    35.7MB

  • MD5

    1c950d3f6ebe961fc40584d71ff2a20e

  • SHA1

    829b36c08b416cde3be333dc2f91eab5ec96fe54

  • SHA256

    3a252ea82333db3b0190b6d1b842b0ef9a6dd4483c4bfb12e5432978e9253ab5

  • SHA512

    2b9c4991bff45a8623e005b8dd7bc700ceaaafbeadb713fdbc279d618ade8d916422724935e4a2f492fd05a4adbbee6afcf614c45cb73827e4405b84495a2256

  • SSDEEP

    786432:f6oCqpfbh7XlE4M1nHFer3hOs3hkhgiSF5Io4VeNp9+t6+Os0Whuhr2Wv9xpXygf:iopNlLGvnIr3hOs3a2iSDNr+4+OYWv9l

Score
10/10
lampionbankerevasionpersistencetrojan

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

    trojanbankerlampion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Update.zip
    1⤵
      PID:2584
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4816
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Update\" -spe -an -ai#7zMap21775:70:7zEvent27819
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2360
      • C:\Users\Admin\Desktop\Update\windows.exe
        "C:\Users\Admin\Desktop\Update\windows.exe"
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3480

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\Update\vending
        Filesize

        89.4MB

        MD5

        3c6ef07082ae5cd1cdbb4c272f1da202

        SHA1

        4bbc70f293110dae93746e8a1fe7c5a47d1f33ec

        SHA256

        2bd1e88bcdd6377d1fa2a8f12b1ffec9c1a73e4aeea4a9eea31c359880a17b4c

        SHA512

        432d6c249b4b000c5cdf9600f8ca3f7771e55d41152abbc398b70a5b8cc5bd3d867a7febbd7b4d07186a519b04a7f552aa25712c099b16ebdb4575a751c73ee9

        Download Submit
      • C:\Users\Admin\Desktop\Update\windows.exe
        Filesize

        5.5MB

        MD5

        caa7805c7dc283359293bae074cb85ec

        SHA1

        f21c4880fbf40b8f03ed8954263106d814ac014d

        SHA256

        e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23

        SHA512

        206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1

        Download Submit
      • C:\Users\Admin\Desktop\Update\windows.exe
        Filesize

        5.5MB

        MD5

        caa7805c7dc283359293bae074cb85ec

        SHA1

        f21c4880fbf40b8f03ed8954263106d814ac014d

        SHA256

        e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23

        SHA512

        206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1

        Download Submit
      • memory/3480-155-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-136-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-125-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-126-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-127-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-128-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-129-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-130-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-131-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-132-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-133-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-134-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-135-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-156-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-137-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-138-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-139-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-140-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-141-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-142-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-143-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-144-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-146-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-145-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-147-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-148-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-149-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-150-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-151-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-152-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-157-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-123-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-160-0x00000000001B0000-0x0000000001310000-memory.dmp
        Filesize

        17.4MB

        Download
      • memory/3480-124-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-153-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-158-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-159-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-154-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-161-0x00000000001B0000-0x0000000001310000-memory.dmp
        Filesize

        17.4MB

        Download
      • memory/3480-162-0x00000000001B0000-0x0000000001310000-memory.dmp
        Filesize

        17.4MB

        Download
      • memory/3480-163-0x00000000001B0000-0x0000000001310000-memory.dmp
        Filesize

        17.4MB

        Download
      • memory/3480-164-0x00000000001B0000-0x0000000001310000-memory.dmp
        Filesize

        17.4MB

        Download
      • memory/3480-165-0x00000000001B0000-0x0000000001310000-memory.dmp
        Filesize

        17.4MB

        Download
      • memory/3480-166-0x00000000001B0000-0x0000000001310000-memory.dmp
        Filesize

        17.4MB

        Download
      • memory/3480-167-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-168-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-169-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-170-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-171-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-122-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-173-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-174-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-175-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-176-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-177-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-178-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-121-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-180-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-181-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-182-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-183-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-184-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-185-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-186-0x0000000077C80000-0x0000000077E0E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3480-196-0x00000000097F0000-0x000000000F166000-memory.dmp
        Filesize

        89.5MB

        Download
      • memory/3480-240-0x00000000097F0000-0x000000000F166000-memory.dmp
        Filesize

        89.5MB

        Download