lampion | 3a252ea82333db3b0190b6d1b842b0ef9a6dd4483c4bfb12e5432978e9253ab5

General

Target

windows.exe
Size

5.5MB
MD5

caa7805c7dc283359293bae074cb85ec
SHA1

f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256

e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512

206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
SSDEEP

98304:E6mIaXo6zdDzxzWfqyD+OHSpUijWAsIC0A6NNU4chmX+dLFR:E6mY69zN8HSWijWAsIFA6NNvYmXuLL

Score

10^/10

lampion banker evasion persistence trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

windows.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ windows.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	windows.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

windows.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcolcduc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe"	windows.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

windows.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA windows.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

windows.exe

pid process

888 windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	windows.exe

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

windows.exe

pid	process
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe
888	windows.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

windows.exe

pid process

888 windows.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

windows.exe

pid process

888 windows.exe
888 windows.exe

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/888-55-0x0000000000810000-0x0000000001970000-memory.dmp

Filesize
17.4MB

Download
memory/888-56-0x0000000000810000-0x0000000001970000-memory.dmp

Filesize
17.4MB

Download
memory/888-58-0x00000000774C0000-0x0000000077640000-memory.dmp

Filesize
1.5MB

Download
memory/888-57-0x0000000000810000-0x0000000001970000-memory.dmp

Filesize
17.4MB

Download
memory/888-59-0x0000000000810000-0x0000000001970000-memory.dmp

Filesize
17.4MB

Download
memory/888-60-0x0000000000810000-0x0000000001970000-memory.dmp

Filesize
17.4MB

Download
memory/888-61-0x0000000000810000-0x0000000001970000-memory.dmp

Filesize
17.4MB

Download
memory/888-62-0x0000000000810000-0x0000000001970000-memory.dmp

Filesize
17.4MB

Download
memory/888-63-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download
memory/888-64-0x0000000004400000-0x0000000004590000-memory.dmp

Filesize
1.6MB

Download
memory/888-66-0x000000000F9D0000-0x000000000FB93000-memory.dmp

Filesize
1.8MB

Download
memory/888-67-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/888-68-0x00000000007C0000-0x00000000007FC000-memory.dmp

Filesize
240KB

Download
memory/888-69-0x0000000003920000-0x00000000039B7000-memory.dmp

Filesize
604KB

Download
memory/888-70-0x0000000003550000-0x00000000035C9000-memory.dmp

Filesize
484KB

Download
memory/888-72-0x0000000003610000-0x000000000361B000-memory.dmp

Filesize
44KB

Download
memory/888-71-0x0000000003660000-0x0000000003677000-memory.dmp

Filesize
92KB

Download
memory/888-74-0x000000000FE40000-0x000000000FF70000-memory.dmp

Filesize
1.2MB

Download
memory/888-76-0x000000000A050000-0x000000000F9C6000-memory.dmp

Filesize
89.5MB

Download
memory/888-77-0x000000000FD70000-0x000000000FDA1000-memory.dmp

Filesize
196KB

Download
memory/888-78-0x00000000105F0000-0x00000000109FB000-memory.dmp

Filesize
4.0MB

Download
memory/888-79-0x000000000FF70000-0x0000000010013000-memory.dmp

Filesize
652KB

Download
memory/888-81-0x000000000FCE0000-0x000000000FD0B000-memory.dmp

Filesize
172KB

Download
memory/888-82-0x000000000A050000-0x000000000F9C6000-memory.dmp

Filesize
89.5MB

Download
memory/888-84-0x00000000103D0000-0x00000000103DB000-memory.dmp

Filesize
44KB

Download
memory/888-85-0x00000000103E0000-0x00000000103EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads