lampion | 779ce84a4fb07c6b682eca35f836651025d7b9cfbe069423efb7902c583a3073

Resubmissions

06-03-2023 14:33

230306-rw9qpscg76 10

06-03-2023 14:32

230306-rwm7pscg72 1

06-03-2023 14:24

230306-rq2g5scg48 10

Analysis

max time kernel
151s
max time network
81s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
06-03-2023 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.exe
Size

9.8MB
MD5

f8ceee79a7b323a7683a46f1c7636ad3
SHA1

8fe53a9600d1eb1e6789989d214480fa21711f31
SHA256

cbe35fed4367bc69d7ad61ab2e25c455501633f4adc8a8b864724d02f82804c2
SHA512

495d701de6372de2995ad6ae1e482d63d4197dcf8ab7f3b918ef73a42560bb88ce4dee0e36a99358f8b375baa9a6693f12eb3b12fdc84182c0a4f5049f247f20
SSDEEP

98304:AnNBW0h2GJfzIyepDL+LuMYBV+NBWzUNrQqMqS82ABqYBYCq6/4N5FZ7w8av8pD8:iW0SLw8BDoVn

Score

10^/10

lampion banker persistence trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eauivtuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe"	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

windows.exe

pid	process
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe
2840	windows.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

windows.exe

pid process

2840 windows.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

windows.exe

pid process

2840 windows.exe
2840 windows.exe

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-118-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2840-119-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2840-120-0x0000000008DD0000-0x000000000E747000-memory.dmp

Filesize
89.5MB

Download
memory/2840-121-0x000000000E8B0000-0x000000000E8B1000-memory.dmp

Filesize
4KB

Download
memory/2840-123-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2840-124-0x000000000E8B0000-0x000000000E8B1000-memory.dmp

Filesize
4KB

Download