Analysis
-
max time kernel
53s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
22/02/2023, 02:39
General
-
Target
b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
-
Size
75KB
-
MD5
0706764b3963df092079d3bdef787a1f
-
SHA1
73c2460d59f3d0637523ca6d35425aae14358ba1
-
SHA256
b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192
-
SHA512
3af7ff3b2aa689eb4c410562b5ead74ff77417da941521928391c6fac3dcc6a75f6d866f52b12f67a41564cfa81afcda51857c0f208f9e90e8629e0f0b5d5cb4
-
SSDEEP
1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGp:OfJGLs6BwNxnfTKsG
Malware Config
Extracted
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
quantum
Extracted
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
quantum
http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb1602bd79273359845164eefdf45b6ef32
Signatures
-
Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops desktop.ini file(s) 26 IoCs
-
Modifies Internet Explorer settings 1 TTPs 27 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\\006CCABF.bat" "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"3⤵
- Views/modifies file attributes
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5b0158fc8acae42ae6889aa1d44b3ab7c
SHA17cbc1e0c7016c90c748590a8b9e18918b211d350
SHA256f9359b66a52ae12fa0dcb7cd5c2ba744f8fedeba9908af87f44392d928894f79
SHA5128d1c06d71e0a747756dcc3ed7a19f7690872756ad0442438caed0819ca0541a4e624929a4d24770019b65e0dcecc14f3a9b71dbdafe1a7acb39ed3ed47a6a583
-
Filesize
342B
MD579d22a0f584bbd0517cd6f9c11b820b5
SHA19a9498763ed52f5dbcbf7c3c314d9750cacd0fc7
SHA256f5535c00ce345d78bbce6dc83f5004f13cd032e9790ee1f7993fb3bc536463c0
SHA512d5f861788908e1cd88b16d20b7cb5b647576d486b95e8e8ef457afa2c0e881976ed22a020057efd8442a1fadf76cb19407b6f4bed20a93cc227a11568fff76e7
-
Filesize
342B
MD5302ec4cd83af55f0abf2f00ce1f6824c
SHA185a4083a07aa286732450b56b737eb80952c8e48
SHA25673479ae88f0f633b4408dd18bcf8e319723285f02fdbbc33d3c7df0b61ee6354
SHA51221e9a89c15d09e1b8426e252db49c7230b6c42315cb961a6cd7f624ce0cddb6de18796e27ad790eb9a682077ce5e589446fee6dbb644a4f6e91663a508636a1e
-
Filesize
342B
MD587d634045112e19117ccb0e7d2f90a6e
SHA161f3634e7114b12c6371b6f080d5f90e7ff30c58
SHA2567138e296119737357cd558396da3f25bbb8c64a27eb99932226419d8866496cd
SHA512c02591e02e624c677063535b2dc25e76d8bc819b990dc1addb77afd17a23bf49cb5be19c9b84e72a230dec3c054e1db81aae80012777543dcd5bf510ad7cae08
-
Filesize
342B
MD51f34401c8f51bf09266587dc79dc81d4
SHA1c6f6df8a19b281d2c6feb61442539b268e8ebb3f
SHA256d7c17c6cbba9feaf3c15f00be4c17aa8103e67e9361435b475eb0294d05f9848
SHA51202d1dcb4dbd6fc7d81b972152ee6dc05bffd1445fd4b0ae71d35f7d7d54e6d6fd318b6795058961c82a2ae2808bb9a62338d210561ab6c9679e8c04c16492a8c
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
161KB
MD573b4b714b42fc9a6aaefd0ae59adb009
SHA1efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA51273af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd
-
Filesize
2KB
MD5557a3275e4a8d8782f3e3579adecf628
SHA149bc27e4fa9e96ed7a19ebe97f57984c8fcd574a
SHA2569999a3b8ac4c1c59bfcd79f92c64dad69e7a7ba3e4ddf8c8aedf0f81b819c935
SHA51297d6e689d4741220d5dde3b14b498187a52cfc4a5197a822f796e532c9916e022cfed6d5933c23ca0097387518b88bd878326b34f8a7d885586a8e2fb5063fb7
-
Filesize
2KB
MD5557a3275e4a8d8782f3e3579adecf628
SHA149bc27e4fa9e96ed7a19ebe97f57984c8fcd574a
SHA2569999a3b8ac4c1c59bfcd79f92c64dad69e7a7ba3e4ddf8c8aedf0f81b819c935
SHA51297d6e689d4741220d5dde3b14b498187a52cfc4a5197a822f796e532c9916e022cfed6d5933c23ca0097387518b88bd878326b34f8a7d885586a8e2fb5063fb7
-
Filesize
8KB
-
Filesize
64KB