Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-05-2024 06:03

Errors

Reason
Machine shutdown

General

  • Target

    Factura-Janeiro-2145892315-2019-10_25/Factura-Janeiro-2145892315-2019-10_25.vbs

  • Size

    24KB

  • MD5

    bbb4e37dc7a24682f9df59f585d3d39c

  • SHA1

    2a7083c11a32e63d6bab56f735a8b44b3759fafa

  • SHA256

    67508f5f5648be4ef1dcba284592fc1215efdfa90221c01fbda1069a46c956cc

  • SHA512

    6647ea9b16328409c198144be14615983ed89ef9d9243d84a2826fc85b4e4eb72048831d8315e3ccdbc40738d5ecd5249cc718b5bcfbe07fd7847357ca506b33

  • SSDEEP

    768:K3fvCAhLiqxEns40jnqwQRF0T3nf3ZHmao:MpC07qwQ3sXf3hmF

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

  • Blocklisted process makes network request 6 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Factura-Janeiro-2145892315-2019-10_25\Factura-Janeiro-2145892315-2019-10_25.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\gdgwjlrspqk.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:3956
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39bc855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3552

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\17079258859156\qlsiuncmsswllicss27386815905570.exe

    Filesize

    339B

    MD5

    f9ae8732bf095985f46265120380e4f5

    SHA1

    adc86b57583be42dc06cad15ff5341973c3f3104

    SHA256

    ded846234930e477523e3608b5a979b667eaebc3452eb1c2b2e47f27570d2343

    SHA512

    c88e5bf4da7d669dbd4903ac9ebc7cd3925a7746f49cbd546fda78dd42b06eb0fac36dfd4e0d4291a80ce551fc43b1a34a11584b3982ef767207db4c25c04948

  • C:\Users\Admin\AppData\Roaming\gdgwjlrspqk.vbs

    Filesize

    653B

    MD5

    d90fa910018aebfb8ce02ae50a628239

    SHA1

    a10bbff548f68f26dd08770782191b65b5504891

    SHA256

    c630e191732aac3d76c1ab0d12da59837d3e3ee217be75b2f0acb751d5c4c338

    SHA512

    796e83699c7678f62e0077dca037cddd81d84c0da8f9fd6e70a829b64768ac9ca21cc533a949e0c574db4b138ff6b1c474e2bde44f6a74f333bad735c6abca2d