Overview

overview

10

Static

static

1

Skin Chang...te.zip

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    450s
  • max time network
    456s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10-01-2025 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Skin Changer Fortnite.zip

  • Size

    525KB

  • MD5

    cf5888475a629ac4f0d0b97947fb830c

  • SHA1

    9a01de7ebdb1e40b2ce84422abc19e0235cadcdf

  • SHA256

    cb48bed0c0456ccb3ca8241b3ba54df53652d847fd0682646399394d1bec690d

  • SHA512

    dd1ae3bc0585da0ff17d6273f15ce894d55bbd1d20ac10e4c8bc5051630a5e2123ed6ff5bbbf7f9a76b234ffa42279b13222d584c8b4eb29077d7343388f4c1e

  • SSDEEP

    12288:P9s55qV7coT8x3z3XopWFkO1nAIB9VMlnn6i+G45KOW:Vs55G7D8NK0ZCnt+X5KOW

Score
10/10
redlinediscoveryinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Skin Changer Fortnite.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Local\Temp\7zO4F2F8DB7\Skin Changer.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4F2F8DB7\Skin Changer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4504
    • C:\Users\Admin\AppData\Local\Temp\7zO4F27AB08\Skin Changer.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4F27AB08\Skin Changer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO4F25DF8A\.text"
      2⤵
        PID:4456
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4F25E619\.text
        2⤵
          PID:4076
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2068
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe"
        1⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1892
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2632
        • C:\Windows\system32\SearchIndexer.exe
          C:\Windows\system32\SearchIndexer.exe /Embedding
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:192
          • C:\Windows\system32\SearchProtocolHost.exe
            "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
            2⤵
            • Modifies data under HKEY_USERS
            PID:4988
          • C:\Windows\system32\SearchFilterHost.exe
            "C:\Windows\system32\SearchFilterHost.exe" 0 824 828 836 8192 832 808
            2⤵
            • Modifies data under HKEY_USERS
            PID:3468

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zO4F2205B9\.data
          Filesize

          99KB

          MD5

          f811f814611b93e5b34b2395f5cd0092

          SHA1

          4360dc0ab1765ae6d61a763c4510a91c277ab038

          SHA256

          bed4049ae9610da111e561e238c74d8d9b3f444e8355eecc9eee509b8e2fd2d2

          SHA512

          a5e9e1d95495e357719a5471f7db78dd0adc176b107b28c21b7017fa31380b2854fde455d4f3de01bda5b413cd8582d3a97f893f059a1da78fd0869b8bd73dc4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zO4F25E619\.text
          Filesize

          674KB

          MD5

          ee2915649e03a2a17eac60a836593703

          SHA1

          0505204609a4445ee1fc1f4c1776e627a795d465

          SHA256

          518fb8c18d9f6664d90439b7b18fae9507a57dcf7ec4047420e5f9f43d1ef7d9

          SHA512

          84627894511c479c827d87eec7109bb57744b20b255508140212f98d781057fc9039039626ac5d0dfee9f247bb4259d09b599d539e8646cd4be770473f01e9d5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zO4F2F8DB7\Skin Changer.exe
          Filesize

          1.3MB

          MD5

          2c3d0186ca33f041f84fc8389a9d72be

          SHA1

          3ee9ea29299f4e2f3168f3ae6527690bd3ccf1a6

          SHA256

          2ba2bcc0d1f1d523100de09b8a142d2b4b57e9238271725ab077a4f323468dd6

          SHA512

          e763a7152f874a3e6d77927668dcf870a0c3ae774d1b5f251474ff8df6f756c93eb5ac808f30ecde7f33947a98a3889d3e131c41be525b56b1487ade5f10d09e

          Download Submit

        • memory/192-95-0x0000016566FF0000-0x0000016566FF8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/192-79-0x0000016562C30000-0x0000016562C40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/192-63-0x0000016562A00000-0x0000016562A10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1636-38-0x0000000000B10000-0x0000000000B9C000-memory.dmp

          Filesize

          560KB

          Download

        • memory/3468-112-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-120-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-106-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-108-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-111-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-113-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-115-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-116-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-117-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-118-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-121-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-119-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-114-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-100-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-99-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-101-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-104-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-103-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-102-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-105-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-107-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-110-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-109-0x0000021815F60000-0x0000021815F70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4504-20-0x0000000005890000-0x000000000589A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4504-16-0x000000007526E000-0x000000007526F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-22-0x00000000093F0000-0x00000000094FA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4504-17-0x0000000005F00000-0x00000000064A6000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4504-18-0x0000000005950000-0x00000000059E2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4504-19-0x0000000075260000-0x0000000075A11000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4504-12-0x0000000000F70000-0x0000000000FFC000-memory.dmp

          Filesize

          560KB

          Download

        • memory/4504-43-0x0000000075260000-0x0000000075A11000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4504-42-0x000000007526E000-0x000000007526F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-21-0x00000000098B0000-0x0000000009EC8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4504-25-0x0000000009500000-0x000000000954C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4504-24-0x0000000009390000-0x00000000093CC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4504-23-0x0000000009330000-0x0000000009342000-memory.dmp

          Filesize

          72KB

          Download