Overview

overview

10

Static

static

1

LucidSwapper.zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-05-2024 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LucidSwapper.zip

  • Size

    16.4MB

  • MD5

    5e3f7d7cd2a9e777c7715b4113be0e9c

  • SHA1

    e8b8b6da84866bf8f52d250370d69cd8b7e374e8

  • SHA256

    4bf36954d0e3a086f4ea0a2f54ead1afc474a7e145296dd3e13c9a23db3e7bac

  • SHA512

    17b65231264848d249e86d647ca5f5fdb2b4a707b8108f81b1770daae9e0655c03ed44479bc2ad4b625eddc0ef2e62da5a0f7030c8a1c380600f343fb8a2b910

  • SSDEEP

    393216:MBJ79H3N9bPsbw7FBzILfllYfFQVxse3VoOx:MBN9d97tRBzskfFEsGB

Score
10/10
redlinezgratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LucidSwapper.zip
    1⤵
      PID:3844
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4344
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LucidSwapper\" -spe -an -ai#7zMap16551:82:7zEvent31593
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3880
      • C:\Users\Admin\Desktop\LucidSwapper\LucidSwapper.exe
        "C:\Users\Admin\Desktop\LucidSwapper\LucidSwapper.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
            PID:2812
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4584
        • C:\Users\Admin\Desktop\LucidSwapper\LucidSwapper.exe
          "C:\Users\Admin\Desktop\LucidSwapper\LucidSwapper.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3404
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            2⤵
              PID:416
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              2⤵
                PID:4828
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5052

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
              Filesize

              2KB

              MD5

              661cf82d7ff5c760912b43f583c59aa5

              SHA1

              924bacd9bb4e0f5f985b4f98bcd4a83a46775497

              SHA256

              e85f98a486bee3b77e4c15d304d2209d3944ec6e3ac2faadf68ba176edfa64ae

              SHA512

              44db890cc597390afd2b529af490e0835d14ef703eba6488720524666b76aedc02c7d17977f6c115474b6639ffcce409ebb205deb182b08a48fe5986109b616d

              Download Submit

            • C:\Users\Admin\Desktop\LucidSwapper\LucidSwapper.exe
              Filesize

              456KB

              MD5

              a4afe7e45200965e73b26af1c270d307

              SHA1

              8ed83bab7bcbc05e6fcd28ab0b2b0a99edf2a21b

              SHA256

              61d940d5e60486b5da71dab297b1c67419d690490ec85e4c4ac1a09971ff6c7b

              SHA512

              a8867d90dc724d27afe1283f9d5d6f4ae12ff61b5d302c26d30d864ea862bb52f319ef6404c51c3c15376cbfb618ed03c75bf30227e84b9c148e934dc6649acb

              Download Submit

            • memory/2900-109-0x00000000005C2000-0x00000000005C3000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4584-115-0x0000000006920000-0x0000000006932000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4584-117-0x0000000006B10000-0x0000000006B5C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4584-112-0x0000000005860000-0x000000000586A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4584-113-0x0000000006ED0000-0x00000000074E8000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/4584-114-0x0000000006A00000-0x0000000006B0A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4584-110-0x0000000005EB0000-0x0000000006456000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4584-116-0x0000000006980000-0x00000000069BC000-memory.dmp

              Filesize

              240KB

              Download

            • memory/4584-111-0x0000000005900000-0x0000000005992000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4584-118-0x0000000006C80000-0x0000000006CE6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4584-119-0x00000000075F0000-0x0000000007666000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4584-120-0x0000000006E60000-0x0000000006E7E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4584-121-0x0000000008790000-0x0000000008952000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/4584-122-0x0000000008E90000-0x00000000093BC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4584-108-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download