Overview

overview

10

Static

static

1

Comprovati...23.vbs

windows7-x64

Comprovati...23.vbs

windows10-2004-x64

Comprovati...DF.pdf

windows7-x64

1

Comprovati...DF.pdf

windows10-2004-x64

1

Analysis

  • max time kernel
    4s
  • max time network
    5s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 10:47

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23/Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs

  • Size

    24KB

  • MD5

    c66f748e72e6070e0e7a99f1e9b3e29c

  • SHA1

    5f1342f7d84032945cb2cfc0935e2c0a1229d3e8

  • SHA256

    6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857

  • SHA512

    153ccaf14b33c62be399db5e05463914b7361ed077f80c821d348639f11c6fa228aa31dda6e7ed9064c63f23715bb28190f92dc838de3a969cf5f9a03b3ab10e

  • SSDEEP

    384:zBuvP5UVtahoAPQVpuNzgGXlU+4Lvoty5x4RSKKY6YcceWDX3SMdcjasjfG5ulvg:QZ4PONrlUvp5+/KYrcc7XXcjaZVV

Score
10/10
lampionbankertrojan

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

    trojanbankerlampion
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\bmyjdqpitmd.vbs
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0 /f
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4832
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3943855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\19095936715602\luluotacwophnbzxn53011464953422.exe
    Filesize

    133B

    MD5

    31b3fa3be13c3eca988b6647cf274003

    SHA1

    713779818be4a9956a02f8e16231750a9e0c3eb8

    SHA256

    881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

    SHA512

    ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\bmyjdqpitmd.vbs
    Filesize

    499B

    MD5

    bf575da97a5e02e1f068e545ed8c7514

    SHA1

    de59773c985002b5f96fd0a2920243897669da8f

    SHA256

    aff0f1a9c7babc9129c490c583ed3d243303de83754c8fa01bacc0ee94965e67

    SHA512

    28afbd50cfc847d9dc0263187480db7562439f9ab3275d560cd4afaa1b35225e39c5d3107a446309cd4d54e60920d86cecaeca6352dad76d7b02dd7e1d603842

    Download Submit