Malware Analysis Report

2024-11-30 20:15

Sample ID 241119-e2b1eaznfy
Target RampageHack.zip
SHA256 f5ea57bf6d4e54efe077c73755c877ae274592caafb2f4e8cb9f1e4c8feddca3
Tags meduza collection discovery spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f5ea57bf6d4e54efe077c73755c877ae274592caafb2f4e8cb9f1e4c8feddca3

Threat Level: Known bad

The file RampageHack.zip was found to be: Known bad.

Malicious Activity Summary

meduza collection discovery spyware stealer

Meduza

Meduza family

Meduza Stealer payload

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Suspicious use of FindShellTrayWindow

outlook_win_path

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 04:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 04:25

Reported

2024-11-19 04:43

Platform

win7-20241023-en

Max time kernel

840s

Max time network

842s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RampageHack.rar"

Signatures

Meduza

stealer meduza

Meduza Stealer payload

Meduza family

meduza

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2704 set thread context of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe

Browser Information Discovery

discovery

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 2504 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
PID 1576 wrote to memory of 2504 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
PID 1576 wrote to memory of 2504 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
PID 2504 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
PID 2504 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
PID 2504 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe
PID 1576 wrote to memory of 2704 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 1576 wrote to memory of 2704 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 1576 wrote to memory of 2704 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2704 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe
PID 2808 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Windows\System32\cmd.exe
PID 2808 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Windows\System32\cmd.exe
PID 2808 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe C:\Windows\System32\cmd.exe
PID 824 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 824 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 824 wrote to memory of 1736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RampageHack.rar"

C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe

"C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe"

C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe

C:\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe

C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe

"C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe"

C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe

C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO8264F317\Rampage.exe"

C:\Windows\system32\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

Network

Country Destination Domain Proto
DE 109.107.181.162:15666 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\7zO82619007\Rampage.exe

MD5 394797ab6934f4db2364f672feed7669
SHA1 f19b966c84f2547040650811be1f29ee8ac2c412
SHA256 ca130b3fce182c547d93de04d673c6456f16e1eb73ce941dc7dd2c3c7d62ae5b
SHA512 81030ea518cb7e0102b1a59c9e5e93af304ca1f6eea2e5fdcb120abbde4295b319eafed937941c7301df4848132c902dc8709af84f1725361c47400981ea110c

C:\Users\Admin\AppData\Local\Temp\Privacy Policy\UBT_en.rtf

MD5 1aec177b22e45f99fc812d5bfedd2f07
SHA1 2103b6c5ae4f024739485baba385385f15d6b79b
SHA256 6b45386a52901170d24db77537044197450bf3412590b694de589596c5f68839
SHA512 5b207f7d31698f1250722e61dcafab511bfba8868579acf9fdbaa110b78eae1129bcc0bd40e02125354a9812e99b1d8f1c288dae343cc27ed05aea6dabf2415a

C:\Users\Admin\AppData\Local\Temp\Privacy Policy\UBT_pt.rtf

MD5 b77c9bd407bd96f78df9de69a4c73d72
SHA1 79e2c3189b94f84e048a1649a622b3bd7775d2fb
SHA256 5716cec8bd05d09a80cb4bc9924b114f7ffd8e1c93478462c6c928bca387f079
SHA512 ccf9e0f935637095bc91bf78f07a2ced51f73460993d6cb9935eb3cb544ccec8247e4a11ef622b7e8f32e89289764757712a37d06958a97a7fd7ddf4705d72e3

C:\Users\Admin\AppData\Local\Temp\Instruction.txt

MD5 851673a6010e311377cf68c4d60a04b5
SHA1 5343c5b004cc0b76f88e02a0d838c352223915c5
SHA256 b3c2d0d14e43f0a418d2b33d36cc5c56f64fea672d44644e01b8cfbf2cc0d361
SHA512 b4e56d35050ee782ed60ad64e967a0955d9fe7d414b94d4e68025914e6cdd38a6c6fb09acc04e5bcdb5c792e1cb108ce5d3c8b5ae762303e5eba55c5bc0e8389

C:\Users\Admin\AppData\Local\Temp\Privacy Policy\UBT_ar.rtf

MD5 9b5b6b6c14fdefbb3d67ab8425666cea
SHA1 78f22661cbc913791a7f914b44c0017759d5abe9
SHA256 6cee95edfb044e5de674b49c816ec074cf1fd99b58e50b90101ba0ade80d7af4
SHA512 139722cad799786b38158302368b1444968ca62db1be165900667cb8dd65d1768e65918ad726208316314a18671b7687f8efc56957b5b98c8b6d05bcbca06a39

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 04:25

Reported

2024-11-19 04:27

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

113s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RampageHack.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RampageHack.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp

Files

N/A