lampion | cfb3a1ff4101d761ef1f2c1e63fbb6e82587c520caa1c7915d86c912a6f4b424

Analysis

max time kernel
7s
max time network
11s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 10:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23/Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs
Size

24KB
MD5

c66f748e72e6070e0e7a99f1e9b3e29c
SHA1

5f1342f7d84032945cb2cfc0935e2c0a1229d3e8
SHA256

6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857
SHA512

153ccaf14b33c62be399db5e05463914b7361ed077f80c821d348639f11c6fa228aa31dda6e7ed9064c63f23715bb28190f92dc838de3a969cf5f9a03b3ab10e
SSDEEP

384:zBuvP5UVtahoAPQVpuNzgGXlU+4Lvoty5x4RSKKY6YcceWDX3SMdcjasjfG5ulvg:QZ4PONrlUvp5+/KYrcc7XXcjaZVV

Score

10^/10

lampion banker trojan

Malware Config

Signatures

Lampion
Lampion is a banking trojan, targeting Portuguese speaking countries.
trojan banker lampion
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

4 2812 WScript.exe
7 2812 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fprvufzvihv.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 2444 shutdown.exe
Token: SeRemoteShutdownPrivilege 2444 shutdown.exe

flow	pid	process
4	2812	WScript.exe
7	2812	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fprvufzvihv.lnk	wscript.exe

description	pid	process
Token: SeShutdownPrivilege	2444	shutdown.exe
Token: SeRemoteShutdownPrivilege	2444	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exewscript.execmd.exe

description	pid	process	target process
PID 2812 wrote to memory of 2516	2812	WScript.exe	wscript.exe
PID 2812 wrote to memory of 2516	2812	WScript.exe	wscript.exe
PID 2812 wrote to memory of 2516	2812	WScript.exe	wscript.exe
PID 2516 wrote to memory of 1344	2516	wscript.exe	cmd.exe
PID 2516 wrote to memory of 1344	2516	wscript.exe	cmd.exe
PID 2516 wrote to memory of 1344	2516	wscript.exe	cmd.exe
PID 1344 wrote to memory of 2444	1344	cmd.exe	shutdown.exe
PID 1344 wrote to memory of 2444	1344	cmd.exe	shutdown.exe
PID 1344 wrote to memory of 2444	1344	cmd.exe	shutdown.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\fprvufzvihv.vbs
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /t 0 /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\47290150582789\pydhfikpljhwyjebf14738393664359.exe

Filesize
133B

MD5
31b3fa3be13c3eca988b6647cf274003

SHA1
713779818be4a9956a02f8e16231750a9e0c3eb8

SHA256
881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

SHA512
ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

Download Submit
C:\Users\Admin\AppData\Roaming\fprvufzvihv.vbs

Filesize
499B

MD5
4ec254fda8a663336e0b073646bf438f

SHA1
741ac510fea1c874e4f1a560308649a1d16c04f8

SHA256
17fe77c0102cebe81392347c4b85f913f9963dc6fbeafe77256f200457cdc5bb

SHA512
66e72c44ac1514fd1ae4258f29472079de05eb3efea7cc63e034e89320c6629d491c67eadbaf7190e9fbf7bdd427b819d6876f0aab8ce95c10030cae059598f5

Download Submit