Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 21-02-2022 10:17
Static task: static1
Behavioral task: behavioral1
  Sample: Swift.pdf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Swift.pdf.exe
  Resource: win10v2004-en-20220113
General
Target: Swift.pdf.exe
Size: 1.2MB
MD5: 12bd6ccee06c7ec5762c2aecc7c3357d
SHA1: 4821ff4545829ef14a14845880f35b273c2bf4b4
SHA256: 85dd5d9ef955400038cae7ac32f2931c3b6966792bbfd353f14627c2261f2d9c
SHA512: c2e44bae87845b5321fac3de4fc602106914e820378d5926690f690edac7830922bfef91d6658eafb4747174d3e1060a22c9c33fc940b1c51494a8dfc20010cb
Malware Config
Extracted
Family: redline
Botnet: 1
C2: 45.147.231.74:81
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
resource | yara_rule
behavioral2/memory/1304-142-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 4444 set thread context of 1304 | 4444 | Swift.pdf.exe | Swift.pdf.exe

Drops file in Windows directory (6 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 4620 | svchost.exe
Token: SeCreatePagefilePrivilege | 4620 | svchost.exe
Token: SeShutdownPrivilege | 4620 | svchost.exe
Token: SeCreatePagefilePrivilege | 4620 | svchost.exe
Token: SeShutdownPrivilege | 4620 | svchost.exe
Token: SeCreatePagefilePrivilege | 4620 | svchost.exe
Token: SeDebugPrivilege | 1304 | Swift.pdf.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 4444 wrote to memory of 1304 | 4444 | Swift.pdf.exe | Swift.pdf.exe
(the same entry is recorded 8 times)
Processes

C:\Users\Admin\AppData\Local\Temp\Swift.pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Swift.pdf.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift.pdf.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift.pdf.exe.log
  MD5: 35551b164406448b71f94d6d00af8ea1
  SHA1: 3b31b0e119278e6c293fcb559b3b465417040476
  SHA256: cc9f554425fe1c0190e3167c65bff934f6b01341537d891a199bb4b2bd91f1b0
  SHA512: 38ff172f04929f7661451205504ae0ee13a6e28bd43ad0da5682cb23815c5dca0767ddaa86829a8e2457e9f7224080f66185948b92928dce807e61ac87fc98ea

Memory dumps (Filesize):
memory/1304-142-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
memory/1304-149-0x0000000005880000-0x000000000598A000-memory.dmp (1.0MB)
memory/1304-148-0x0000000005760000-0x0000000005761000-memory.dmp (4KB)
memory/1304-147-0x0000000005580000-0x00000000055BC000-memory.dmp (240KB)
memory/1304-146-0x0000000005520000-0x0000000005532000-memory.dmp (72KB)
memory/1304-145-0x0000000005AF0000-0x0000000006108000-memory.dmp (6.1MB)
memory/1304-144-0x000000007477E000-0x000000007477F000-memory.dmp (4KB)
memory/4444-135-0x0000000005A00000-0x0000000005A0A000-memory.dmp (40KB)
memory/4444-138-0x0000000005CC0000-0x0000000005CC1000-memory.dmp (4KB)
memory/4444-137-0x0000000005BE0000-0x0000000005BF2000-memory.dmp (72KB)
memory/4444-136-0x0000000005C40000-0x0000000005C96000-memory.dmp (344KB)
memory/4444-130-0x0000000000E90000-0x0000000000FBE000-memory.dmp (1.2MB)
memory/4444-133-0x000000007477E000-0x000000007477F000-memory.dmp (4KB)
memory/4444-134-0x0000000005A40000-0x0000000005AD2000-memory.dmp (584KB)
memory/4444-132-0x0000000005F50000-0x00000000064F4000-memory.dmp (5.6MB)
memory/4444-131-0x0000000005900000-0x000000000599C000-memory.dmp (624KB)
memory/4620-139-0x0000017529F60000-0x0000017529F70000-memory.dmp (64KB)
memory/4620-140-0x000001752A6E0000-0x000001752A6F0000-memory.dmp (64KB)
memory/4620-141-0x000001752CBD0000-0x000001752CBD4000-memory.dmp (16KB)