quantum | 1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58

Analysis

max time kernel
36s
max time network
40s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll
Size

76KB
MD5

8a132d9eb16ab0a492c7858fa5d6b6fb
SHA1

bb3d3258e9207f9499f3f7dcf53442fc8ddabd45
SHA256

1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58
SHA512

7f74eece1ba22e553f86c151b5364207b06b46ffb58330406021c668e2ee5fa332a8dabcf227278f10dfbc7a6d2593f5d2fb32e344c33fca174874300c9eb985
SSDEEP

1536:PaX1IbkVQJih8Ls2WZYbz+n26HNmAC6UsK4Xe:0KntKmzK2736UsK4

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> 5f9d05e06bea5711acba31a7b1740c806cd99c792cc74b7548ea0fb0e5dc0d32 </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://iwwbtudyckekvukw7462v32ugqgnzzzaxsyw5yfxhe24ok5hbc46x6qd.onion/?cid=5f9d05e06bea5711acba31a7b1740c806cd99c792cc74b7548ea0fb0e5dc0d32">http://iwwbtudyckekvukw7462v32ugqgnzzzaxsyw5yfxhe24ok5hbc46x6qd.onion/?cid=5f9d05e06bea5711acba31a7b1740c806cd99c792cc74b7548ea0fb0e5dc0d32</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://iwwbtudyckekvukw7462v32ugqgnzzzaxsyw5yfxhe24ok5hbc46x6qd.onion/?cid=5f9d05e06bea5711acba31a7b1740c806cd99c792cc74b7548ea0fb0e5dc0d32 Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org

URLs

http://iwwbtudyckekvukw7462v32ugqgnzzzaxsyw5yfxhe24ok5hbc46x6qd.onion/?cid=5f9d05e06bea5711acba31a7b1740c806cd99c792cc74b7548ea0fb0e5dc0d32

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\StopSet.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\StopSet.tiff => \??\c:\Users\Admin\Pictures\StopSet.tiff.quantum	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\UpdateGet.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UpdateGet.tiff => \??\c:\Users\Admin\Pictures\UpdateGet.tiff.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ShowGrant.tiff => \??\c:\Users\Admin\Pictures\ShowGrant.tiff.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\MountGrant.raw => \??\c:\Users\Admin\Pictures\MountGrant.raw.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\PushUnregister.raw => \??\c:\Users\Admin\Pictures\PushUnregister.raw.quantum	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ShowGrant.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UnblockExit.tif => \??\c:\Users\Admin\Pictures\UnblockExit.tif.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ExpandGet.png => \??\c:\Users\Admin\Pictures\ExpandGet.png.quantum	rundll32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1924 cmd.exe

pid	process
1924	cmd.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94E42D81-B25A-11ED-80B1-DEF2FB1055A6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1048 rundll32.exe
1048 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeRestorePrivilege 1048 rundll32.exe
Token: SeDebugPrivilege 1048 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1856 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1856 iexplore.exe
1856 iexplore.exe
812 IEXPLORE.EXE
812 IEXPLORE.EXE
812 IEXPLORE.EXE
812 IEXPLORE.EXE

pid	process
1048	rundll32.exe
1048	rundll32.exe

description	pid	process
Token: SeRestorePrivilege	1048	rundll32.exe
Token: SeDebugPrivilege	1048	rundll32.exe

pid	process
1856	iexplore.exe

pid	process
1856	iexplore.exe
1856	iexplore.exe
812	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.execmd.exeiexplore.exe

description	pid	process	target process
PID 1048 wrote to memory of 1924	1048	rundll32.exe	cmd.exe
PID 1048 wrote to memory of 1924	1048	rundll32.exe	cmd.exe
PID 1048 wrote to memory of 1924	1048	rundll32.exe	cmd.exe
PID 1924 wrote to memory of 680	1924	cmd.exe	attrib.exe
PID 1924 wrote to memory of 680	1924	cmd.exe	attrib.exe
PID 1924 wrote to memory of 680	1924	cmd.exe	attrib.exe
PID 1856 wrote to memory of 812	1856	iexplore.exe	IEXPLORE.EXE
PID 1856 wrote to memory of 812	1856	iexplore.exe	IEXPLORE.EXE
PID 1856 wrote to memory of 812	1856	iexplore.exe	IEXPLORE.EXE
PID 1856 wrote to memory of 812	1856	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

680 attrib.exe

pid	process
680	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll,#1
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C6539.bat" "C:\Users\Admin\AppData\Local\Temp\1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58.dll"
3⤵
- Views/modifies file attributes
PID:680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:812

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
37d508a97857e4d3bb467d6d4e88f7dd

SHA1
1f1913c3a5d5a614ba7fe0b393a5a834fcedc895

SHA256
f113ce0b2c68c412eba3d0a3e0a85ae5a4324610bb6ddc6c4919da0dc5710bcd

SHA512
25f7262997d1b6ca4642d15601b6a437451bf567b462becaf342202404f428709dd33b68c52c898630bcccf75ef7af6b246ef9b74f9194fbb818542c986b4844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a5a35b739a682db0ad1a5676b3577328

SHA1
5b4fa23426ad4669ad7c4451151399867431d000

SHA256
0b1496d20af83e5bb836a6779ce05cf7a8fb13712d2c4b4a211119c59a4f2d24

SHA512
2251b08df5706a35222bac975461e1f9585d0eeb488f24283e110af0409dcce5e37a475bbcea28b6dba9703e201a8640b12a075a8200f790bd2cf1ace16a11e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e5646c2b8987276e2a005e38139a0e56

SHA1
0693a3e9b90125ba8b124436fe840d558a5f7ef9

SHA256
97de76816161cd7d27682d56d228a57700f95b701d90d07519ce7befd82aa670

SHA512
3931b1cda5a69de196738f66282c9d2c0e78300df141ae8f41d142479ca4b09608566da1019a9aaf631c12dc391179bbf027b3dbf5700821a58ae96e58bb8e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8663ece71573879d2b2f88301823e2e0

SHA1
f629b2091736e453dd977182527b971e27577a33

SHA256
78d4bec6b54c960529b49437d1a7be8cfdd58366eb2ddb9fe7bbe59b4f776a5d

SHA512
85b6bd43b97a1e3e92f27dc01cb68b0a19c8d22c39e399ab8d0e19d34ec136848481589535ca85a343c5c9ff7c8921e367291dea8176164b64c46081bfb92517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e0ec06be5a594756abf4f30e4f0b5620

SHA1
a64d9d201c26d6b0a69fe717b7660a9815ffe8f5

SHA256
9cbc1f5288ef717ca80a5695ed05199c0132ece159b9e7f1a19bf8dfbb67081e

SHA512
7584d0036909458842f54535d582beb8f29b13f2c0341c968241e0566d543c6e4452c7309333a12718d4f8c815043d89622f86fe47a4642bdb94937d9dcc27e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ab9d346927d65fa1df8f12ce12254f54

SHA1
167b110b28caeea8562192edf58ee264cacf9280

SHA256
2a5d7d6dea8a1c5cc6d2f343768b092a86aada11ad31adcbf80b7ec0b1d38642

SHA512
2635548d74fa7643b8c76452f6e1e6362cc62ebfd20b5bdf0c99722b1116c78c54ab5a2ada750c2dd72f675337e32b88c4115436d78240c82cde75b41670ce89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4c2d2c45ef87f11ed546bb0eb4552768

SHA1
fe0b1e4b0fe71828d246031d68e2bb9b5c20ea89

SHA256
589e9422dd717c16b669e7a40131bfabe723ff8d5d9aef0dae0adf23815f5951

SHA512
fc470430d4525aee131e52c5030ba9059d0ed98a64febd9415f46e53ae0081b511cdb9f0ced34338a4f582a4a5d7a93658a096bca763fa8736fb28bf79f1ed1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4c2d2c45ef87f11ed546bb0eb4552768

SHA1
fe0b1e4b0fe71828d246031d68e2bb9b5c20ea89

SHA256
589e9422dd717c16b669e7a40131bfabe723ff8d5d9aef0dae0adf23815f5951

SHA512
fc470430d4525aee131e52c5030ba9059d0ed98a64febd9415f46e53ae0081b511cdb9f0ced34338a4f582a4a5d7a93658a096bca763fa8736fb28bf79f1ed1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9ff58f582c12deaf9d21858488685ec2

SHA1
897b36711496280d4649b3e599878905c110390d

SHA256
f726d674ed70d8885ecd2535d946c7beb7e0cfffa4f9a17ecf6b56a89c7f082c

SHA512
0e592e2280fd977c9751497678b0283da7eb62572ed0fa549620261ac3e8611dae3d3d788b609fa662faa1dedfc26ddf5485391e50f50ccb49c7db475c3241fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C6539.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C6539.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3FD.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC47E.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
Filesize
2KB

MD5
4df060dc750138c9798a4bd67c12df48

SHA1
dcfe51c4f91986c4b7dc2e2021cc5e2f4067f4ee

SHA256
292a998380e66a988ccf413eb661e03c9ea9697059bf51af53bbe47c1c0e1160

SHA512
7e5babf2137c0cfafee337440b7c66f64a0d1621e90b27cf51ff1789b33998ada6e900be45876d8059dbd863eb1e97be393848a8ae32bb4769a783f6c19966a6

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
Filesize
2KB

MD5
4df060dc750138c9798a4bd67c12df48

SHA1
dcfe51c4f91986c4b7dc2e2021cc5e2f4067f4ee

SHA256
292a998380e66a988ccf413eb661e03c9ea9697059bf51af53bbe47c1c0e1160

SHA512
7e5babf2137c0cfafee337440b7c66f64a0d1621e90b27cf51ff1789b33998ada6e900be45876d8059dbd863eb1e97be393848a8ae32bb4769a783f6c19966a6

Download Submit
memory/812-352-0x0000000002880000-0x0000000002882000-memory.dmp

Filesize
8KB

Download
memory/1856-351-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads