Analysis
-
max time kernel
840s
-
max time network
842s
-
platform
windows7_x64
-
resource
win7-20241023-en
-
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
-
submitted
19-11-2024 04:25
Static task
static1
Behavioral task
behavioral1
Sample
RampageHack.rar
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
RampageHack.rar
Resource
win10v2004-20241007-en
General
-
Target
RampageHack.rar
-
Size
2.7MB
-
MD5
cf2e517b522da852934bccf832238feb
-
SHA1
fa96d23e91d5e22aaa5cc7ce3e189aa0a8f8ce93
-
SHA256
f5ea57bf6d4e54efe077c73755c877ae274592caafb2f4e8cb9f1e4c8feddca3
-
SHA512
364c2ce6b66f9773b997f630ee943b37b6f83fe88880f4f9b6e80a37489589da37a6045667eb857090f3374a2d9e6ac4ec6bc87b6b5250e952dc2bcee7bc96ee
-
SSDEEP
49152:qWA1BEBDVOoG5xa6xtzu3g/rDXC4hUAwPEFHIw+VCTBixpc0t1hvVyE007lWyy0n:NA1BEBhOKCNu3g3hUAYMHtEIZkn9yM/7
Malware Config
Extracted
meduza
109.107.181.162
-
anti_dbg
true
-
anti_vm
true
-
build_name
438
-
extensions
none
-
grabber_max_size
1.048576e+06 (serialised as a float; 1048576 bytes, i.e. a 1 MiB per-file cap for the grabber)
-
links
none
-
port
15666
-
self_destruct
true
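The configuration above is enough to build network-side detections. The block below is an added example, not part of the sandbox report or of the stealer; the C2 address, port and grabber size are the extracted values, while the flow records, the 60-second window and the "external-IP lookup followed by a bare-IP connection on a non-web port" heuristic are constructed assumptions for illustration.

```python
"""Turn the extracted Meduza configuration into network detections (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Values as extracted by the sandbox (see "Malware Config" above).
MEDUZA_CONFIG: Dict[str, object] = {
    "c2": "109.107.181.162",
    "port": 15666,
    "build_name": "438",
    "anti_dbg": True,
    "anti_vm": True,
    "self_destruct": True,
    "grabber_max_size": 1.048576e+06,  # serialised as a float in the extracted config
}

# Flows 5 and 6 in the report go to this host: the stealer's external-IP lookup.
IP_LOOKUP_HOSTS = {"api.ipify.org"}


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds (constructed timestamps)
    pid: int
    image: str
    dst: str       # IP address or hostname
    dport: int


def grabber_limit_bytes(cfg: Dict[str, object] = MEDUZA_CONFIG) -> int:
    """grabber_max_size is a float in the dump; normalise it to whole bytes."""
    return int(cfg["grabber_max_size"])


def is_bare_ip(dst: str) -> bool:
    """True when the destination is a literal IP rather than a hostname."""
    try:
        ip_address(dst)
        return True
    except ValueError:
        return False


def c2_flows(flows: List[Flow], cfg: Dict[str, object] = MEDUZA_CONFIG) -> List[Flow]:
    """Exact match on the configured C2 address:port for this build."""
    return [f for f in flows if f.dst == cfg["c2"] and f.dport == cfg["port"]]


def lookup_then_c2(flows: List[Flow], window: float = 60.0) -> List[Tuple[int, Flow, Flow]]:
    """Build-independent stealer shape (assumed heuristic): a process resolves its
    external IP and, within `window` seconds, connects to a bare IP on a port that
    is neither 80 nor 443. Returns (pid, lookup_flow, suspect_flow) hits."""
    by_pid: Dict[int, List[Flow]] = {}
    for f in sorted(flows, key=lambda f: f.ts):
        by_pid.setdefault(f.pid, []).append(f)
    hits = []
    for pid, seq in by_pid.items():
        for i, f in enumerate(seq):
            if f.dst not in IP_LOOKUP_HOSTS:
                continue
            for g in seq[i + 1:]:
                if g.ts - f.ts > window:
                    break
                if is_bare_ip(g.dst) and g.dport not in (80, 443):
                    hits.append((pid, f, g))
    return hits


# Constructed sample flows; PIDs and images follow the process tree in the report.
SAMPLE_FLOWS = [
    Flow(100.0, 2808, "Rampage.exe", "api.ipify.org", 443),
    Flow(101.5, 2808, "Rampage.exe", "109.107.181.162", 15666),
    Flow(102.0, 1576, "7zFM.exe", "update.example.org", 443),        # benign noise
    Flow(300.0, 2808, "Rampage.exe", "109.107.181.162", 15666),      # later beacon, outside window
]

if __name__ == "__main__":
    print("grabber cap:", grabber_limit_bytes(), "bytes")
    for f in c2_flows(SAMPLE_FLOWS):
        print("C2 hit:", f)
    for pid, lookup, c2 in lookup_then_c2(SAMPLE_FLOWS):
        print(f"pid {pid}: {lookup.dst} lookup followed by {c2.dst}:{c2.dport}")
```

`c2_flows` is the indicator match for this build (it breaks as soon as the operator rotates the C2); `lookup_then_c2` is the behavioural fallback, which would also catch the same shape from a build with a different address.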
Signatures
-
Meduza Stealer payload 43 IoCs
YARA rule family_meduza matched 43 memory dumps, all of them from PID 2808 (Rampage.exe) and all covering the same region 0x0000000140000000-0x00000001401FA000. That address is the default image base of a 64-bit PE, so the unpacked payload is mapped at its preferred base inside the SetThreadContext target; no dump of the parent 2704 matched.
resource: behavioral1/memory/2808-<n>-0x0000000140000000-0x00000001401FA000-memory.dmp, with <n> in 29, 31, 33, 35, 38, 40, 42, 43, 44, 45, 47, 48, 49, 50, 52, 53, 67, 68, 70, 71, 72, 73, 75, 76, 77, 78, 80, 81, 83, 85, 86, 90, 91, 95, 96, 100, 101, 103, 105, 106, 108, 110, 111
yara_rule: family_meduza
-
Meduza family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Process: Rampage.exe (PID 2808)
Key value queried: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE 4 IoCs
PID 2504 Rampage.exe
PID 2820 Rampage.exe
PID 2704 Rampage.exe
PID 2808 Rampage.exe
-
Loads dropped DLL 4 IoCs
PID 1576 7zFM.exe
PID 2504 Rampage.exe
PID 1576 7zFM.exe
PID 2704 Rampage.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
Process: Rampage.exe (PID 2808). Keys opened, in order:
\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The subkey 9375CFF0413111d3B88A00104B2A6676 is the well-known Outlook profile container that holds account settings, including stored mail credentials; the sample walks the pre-Office-2013 Windows Messaging Subsystem location and the Office 12.0 through 16.0 locations so that it works regardless of the installed Outlook version.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 5: api.ipify.org
flow 6: api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
PID 2704 Rampage.exe set thread context of PID 2808 Rampage.exe (procid_target 34)
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PID 1736 PING.EXE
PID 824 cmd.exe
In this sample the ping is not a connectivity probe: the command line in the process tree (ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "...\Rampage.exe") uses it as a roughly 3 s sleep so that the parent has exited before its own image file is deleted.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
PID 1576 7zFM.exe (4 events)
PID 2808 Rampage.exe (1 event)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 1576 7zFM.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
PID 1576 7zFM.exe: SeRestorePrivilege, 35, SeSecurityPrivilege (x5)
PID 2808 Rampage.exe: SeDebugPrivilege, SeImpersonatePrivilege
The 7zFM.exe entries are the archiver adjusting its own token while extracting; the ones worth triaging are SeDebugPrivilege and SeImpersonatePrivilege requested by the injected Rampage.exe child (2808), which a stealer needs to open and read other users' processes such as browsers.
-
Suspicious use of FindShellTrayWindow 8 IoCs
PID 1576 7zFM.exe (8 events)
-
Suspicious use of WriteProcessMemory 26 IoCs
PID 1576 7zFM.exe wrote to memory of 2504 Rampage.exe (procid_target 31): 3 writes
PID 2504 Rampage.exe wrote to memory of 2820 Rampage.exe (procid_target 32): 3 writes
PID 1576 7zFM.exe wrote to memory of 2704 Rampage.exe (procid_target 33): 3 writes
PID 2704 Rampage.exe wrote to memory of 2808 Rampage.exe (procid_target 34): 11 writes
PID 2808 Rampage.exe wrote to memory of 824 cmd.exe (procid_target 36): 3 writes
PID 824 cmd.exe wrote to memory of 1736 PING.EXE (procid_target 38): 3 writes
Every ordinary process creation in this tree shows the same group of three writes from parent to child; the eleven writes from 2704 into 2808, on a child with the same image path and followed by SetThreadContext on that child, are the pattern that distinguishes the injection step.
-
outlook_office_path 1 IoCs
Key opened by Rampage.exe: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path 1 IoCs
Key opened by Rampage.exe: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Program Files\7-Zip\7zFM.exe (PID 1576)
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RampageHack.rar"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe (PID 2504)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe (PID 2820)
      command line: C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe (PID 2704)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe (PID 2808)
      command line: C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Windows\System32\cmd.exe (PID 824)
        command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe"
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE (PID 1736)
          command line: ping 1.1.1.1 -n 1 -w 3000
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
The two extraction directories (7zO82619007 and 7zO8264F317) show Rampage.exe being launched twice from the 7-Zip GUI, each time spawning a second copy of its own image. Only the second run (2704 -> 2808) goes on to the injected child that queries the Geo\Nation and Outlook keys, requests SeDebugPrivilege and then deletes its own file through cmd.exe, which matches the self_destruct flag in the extracted configuration.
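Two shapes in this tree are worth detecting generically: a cmd.exe that sleeps with ping and then deletes the image of the process that spawned it, and a parent that launches a copy of its own image and calls SetThreadContext on it. The block below is an added example, not part of the sandbox report or of the sample. The process records are constructed from the PIDs, images and command lines shown above; the record layout, the unknown parent of 7zFM.exe and the command-line regexes are assumptions of this example.

```python
"""Flag self-delete and same-image injection in a process tree (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# cmd.exe /C ping <host> -n <count> -w <ms> > Nul & Del /f /q "<file>"
# The ping is a sleep: it lets the parent exit before its file is removed.
PING_SLEEP = re.compile(r"\bping\s+\S+\s+-n\s+\d+\s+-w\s+(?P<ms>\d+)", re.I)
DEL_TARGET = re.compile(r'\bdel\s+(?:/[fq]\s+)*"(?P<path>[^"]+)"', re.I)


def _norm(path: str) -> str:
    return path.strip().lower()


def self_delete_chains(procs: List[Proc]) -> List[Tuple[int, int, str, int]]:
    """(cmd_pid, parent_pid, deleted_path, delay_ms) for each cmd.exe that sleeps
    via ping and then deletes the image of the process that spawned it."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not _norm(p.image).endswith("\\cmd.exe"):
            continue
        sleep = PING_SLEEP.search(p.cmdline)
        target = DEL_TARGET.search(p.cmdline)
        if not (sleep and target):
            continue
        parent = by_pid.get(p.ppid)
        if parent and _norm(parent.image) == _norm(target["path"]):
            hits.append((p.pid, parent.pid, target["path"], int(sleep["ms"])))
    return hits


def same_image_children(procs: List[Proc]) -> Set[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where a process launched a copy of its own image."""
    by_pid = {p.pid: p for p in procs}
    return {(p.ppid, p.pid) for p in procs
            if p.ppid in by_pid and _norm(by_pid[p.ppid].image) == _norm(p.image)}


def hollowing_suspects(procs: List[Proc], thread_ctx: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Same-image child plus SetThreadContext from the parent onto it: the
    process-hollowing shape the report records for 2704 -> 2808."""
    return sorted(same_image_children(procs) & set(thread_ctx))


TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PROCS = [  # constructed from the tree above; the parent of 7zFM.exe is unknown
    Proc(1576, None, r"C:\Program Files\7-Zip\7zFM.exe",
         r'"C:\Program Files\7-Zip\7zFM.exe" "' + TMP + r'\RampageHack.rar"'),
    Proc(2504, 1576, TMP + r"\7zO82619007\Rampage.exe", '"' + TMP + r'\7zO82619007\Rampage.exe"'),
    Proc(2820, 2504, TMP + r"\7zO82619007\Rampage.exe", TMP + r"\7zO82619007\Rampage.exe"),
    Proc(2704, 1576, TMP + r"\7zO8264F317\Rampage.exe", '"' + TMP + r'\7zO8264F317\Rampage.exe"'),
    Proc(2808, 2704, TMP + r"\7zO8264F317\Rampage.exe", TMP + r"\7zO8264F317\Rampage.exe"),
    Proc(824, 2808, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "'
         + TMP + r'\7zO8264F317\Rampage.exe"'),
    Proc(1736, 824, r"C:\Windows\system32\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
]
SET_THREAD_CONTEXT = [(2704, 2808)]  # from the SetThreadContext signature above

if __name__ == "__main__":
    for cmd_pid, parent_pid, path, ms in self_delete_chains(SAMPLE_PROCS):
        print(f"self-delete: cmd {cmd_pid} removes image of {parent_pid} after ~{ms} ms: {path}")
    for parent_pid, child_pid in hollowing_suspects(SAMPLE_PROCS, SET_THREAD_CONTEXT):
        print(f"hollowing suspect: {parent_pid} -> {child_pid}")
```

Note that `same_image_children` also returns the first run (2504 -> 2820), for which the report records no SetThreadContext; keeping that pair at a lower severity is deliberate, since an unpacker that only spawns itself is still unusual for a user-launched binary.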
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize
71B
MD5
851673a6010e311377cf68c4d60a04b5
SHA1
5343c5b004cc0b76f88e02a0d838c352223915c5
SHA256
b3c2d0d14e43f0a418d2b33d36cc5c56f64fea672d44644e01b8cfbf2cc0d361
SHA512
b4e56d35050ee782ed60ad64e967a0955d9fe7d414b94d4e68025914e6cdd38a6c6fb09acc04e5bcdb5c792e1cb108ce5d3c8b5ae762303e5eba55c5bc0e8389
-
Filesize
51KB
MD5
9b5b6b6c14fdefbb3d67ab8425666cea
SHA1
78f22661cbc913791a7f914b44c0017759d5abe9
SHA256
6cee95edfb044e5de674b49c816ec074cf1fd99b58e50b90101ba0ade80d7af4
SHA512
139722cad799786b38158302368b1444968ca62db1be165900667cb8dd65d1768e65918ad726208316314a18671b7687f8efc56957b5b98c8b6d05bcbca06a39
-
Filesize
78KB
MD5
1aec177b22e45f99fc812d5bfedd2f07
SHA1
2103b6c5ae4f024739485baba385385f15d6b79b
SHA256
6b45386a52901170d24db77537044197450bf3412590b694de589596c5f68839
SHA512
5b207f7d31698f1250722e61dcafab511bfba8868579acf9fdbaa110b78eae1129bcc0bd40e02125354a9812e99b1d8f1c288dae343cc27ed05aea6dabf2415a
-
Filesize
67KB
MD5
b77c9bd407bd96f78df9de69a4c73d72
SHA1
79e2c3189b94f84e048a1649a622b3bd7775d2fb
SHA256
5716cec8bd05d09a80cb4bc9924b114f7ffd8e1c93478462c6c928bca387f079
SHA512
ccf9e0f935637095bc91bf78f07a2ced51f73460993d6cb9935eb3cb544ccec8247e4a11ef622b7e8f32e89289764757712a37d06958a97a7fd7ddf4705d72e3
-
Filesize
4.1MB
MD5
394797ab6934f4db2364f672feed7669
SHA1
f19b966c84f2547040650811be1f29ee8ac2c412
SHA256
ca130b3fce182c547d93de04d673c6456f16e1eb73ce941dc7dd2c3c7d62ae5b
SHA512
81030ea518cb7e0102b1a59c9e5e93af304ca1f6eea2e5fdcb120abbde4295b319eafed937941c7301df4848132c902dc8709af84f1725361c47400981ea110c