Analysis Overview
SHA256
f5ea57bf6d4e54efe077c73755c877ae274592caafb2f4e8cb9f1e4c8feddca3
Threat Level: Known bad
The file RampageHack.zip was found to be: Known bad.
Malicious Activity Summary
Meduza
Meduza family
Meduza Stealer payload
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Checks installed software on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Suspicious use of FindShellTrayWindow
outlook_win_path
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 04:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 04:25
Reported
2024-11-19 04:43
Platform
win7-20241023-en
Max time kernel
840s
Max time network
842s
Command Line
Signatures
Meduza
Meduza Stealer payload
Meduza family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2704 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe |
Browser Information Discovery
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RampageHack.rar"
C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
"C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe"
C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| DE | 109.107.181.162:15666 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
| MD5 | 394797ab6934f4db2364f672feed7669 |
| SHA1 | f19b966c84f2547040650811be1f29ee8ac2c412 |
| SHA256 | ca130b3fce182c547d93de04d673c6456f16e1eb73ce941dc7dd2c3c7d62ae5b |
| SHA512 | 81030ea518cb7e0102b1a59c9e5e93af304ca1f6eea2e5fdcb120abbde4295b319eafed937941c7301df4848132c902dc8709af84f1725361c47400981ea110c |
C:\Users\Admin\AppData\Local\Temp\Privacy Policy\UBT_en.rtf
| MD5 | 1aec177b22e45f99fc812d5bfedd2f07 |
| SHA1 | 2103b6c5ae4f024739485baba385385f15d6b79b |
| SHA256 | 6b45386a52901170d24db77537044197450bf3412590b694de589596c5f68839 |
| SHA512 | 5b207f7d31698f1250722e61dcafab511bfba8868579acf9fdbaa110b78eae1129bcc0bd40e02125354a9812e99b1d8f1c288dae343cc27ed05aea6dabf2415a |
C:\Users\Admin\AppData\Local\Temp\Privacy Policy\UBT_pt.rtf
| MD5 | b77c9bd407bd96f78df9de69a4c73d72 |
| SHA1 | 79e2c3189b94f84e048a1649a622b3bd7775d2fb |
| SHA256 | 5716cec8bd05d09a80cb4bc9924b114f7ffd8e1c93478462c6c928bca387f079 |
| SHA512 | ccf9e0f935637095bc91bf78f07a2ced51f73460993d6cb9935eb3cb544ccec8247e4a11ef622b7e8f32e89289764757712a37d06958a97a7fd7ddf4705d72e3 |
C:\Users\Admin\AppData\Local\Temp\Instruction.txt
| MD5 | 851673a6010e311377cf68c4d60a04b5 |
| SHA1 | 5343c5b004cc0b76f88e02a0d838c352223915c5 |
| SHA256 | b3c2d0d14e43f0a418d2b33d36cc5c56f64fea672d44644e01b8cfbf2cc0d361 |
| SHA512 | b4e56d35050ee782ed60ad64e967a0955d9fe7d414b94d4e68025914e6cdd38a6c6fb09acc04e5bcdb5c792e1cb108ce5d3c8b5ae762303e5eba55c5bc0e8389 |
C:\Users\Admin\AppData\Local\Temp\Privacy Policy\UBT_ar.rtf
| MD5 | 9b5b6b6c14fdefbb3d67ab8425666cea |
| SHA1 | 78f22661cbc913791a7f914b44c0017759d5abe9 |
| SHA256 | 6cee95edfb044e5de674b49c816ec074cf1fd99b58e50b90101ba0ade80d7af4 |
| SHA512 | 139722cad799786b38158302368b1444968ca62db1be165900667cb8dd65d1768e65918ad726208316314a18671b7687f8efc56957b5b98c8b6d05bcbca06a39 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 04:25
Reported
2024-11-19 04:27
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
113s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RampageHack.rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |