Overview

overview

10

Static

static

1

Comprovati...23.vbs

windows7-x64

Comprovati...23.vbs

windows10-2004-x64

Comprovati...DF.pdf

windows7-x64

1

Comprovati...DF.pdf

windows10-2004-x64

1

Analysis

  • max time kernel
    7s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2024 10:47

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23/Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs

  • Size

    24KB

  • MD5

    c66f748e72e6070e0e7a99f1e9b3e29c

  • SHA1

    5f1342f7d84032945cb2cfc0935e2c0a1229d3e8

  • SHA256

    6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857

  • SHA512

    153ccaf14b33c62be399db5e05463914b7361ed077f80c821d348639f11c6fa228aa31dda6e7ed9064c63f23715bb28190f92dc838de3a969cf5f9a03b3ab10e

  • SSDEEP

    384:zBuvP5UVtahoAPQVpuNzgGXlU+4Lvoty5x4RSKKY6YcceWDX3SMdcjasjfG5ulvg:QZ4PONrlUvp5+/KYrcc7XXcjaZVV

Score
10/10
lampionbankertrojan

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

    trojanbankerlampion
  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\fprvufzvihv.vbs
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0 /f
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2444
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2364
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1092

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\47290150582789\pydhfikpljhwyjebf14738393664359.exe
        Filesize

        133B

        MD5

        31b3fa3be13c3eca988b6647cf274003

        SHA1

        713779818be4a9956a02f8e16231750a9e0c3eb8

        SHA256

        881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

        SHA512

        ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

        Download Submit
      • C:\Users\Admin\AppData\Roaming\fprvufzvihv.vbs
        Filesize

        499B

        MD5

        4ec254fda8a663336e0b073646bf438f

        SHA1

        741ac510fea1c874e4f1a560308649a1d16c04f8

        SHA256

        17fe77c0102cebe81392347c4b85f913f9963dc6fbeafe77256f200457cdc5bb

        SHA512

        66e72c44ac1514fd1ae4258f29472079de05eb3efea7cc63e034e89320c6629d491c67eadbaf7190e9fbf7bdd427b819d6876f0aab8ce95c10030cae059598f5

        Download Submit