Malware Analysis Report

2024-09-11 01:37

Sample ID 230222-d4e96shf67
Target 0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2
SHA256 0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2
Tags
quantum ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2

Threat Level: Known bad

The file 0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2 was found to be: Known bad.

Malicious Activity Summary

quantum ransomware

Quantum Ransomware

Modifies extensions of user files

Deletes itself

Drops desktop.ini file(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-02-22 03:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-22 03:33

Reported

2023-02-22 03:36

Platform

win7-20230220-en

Max time kernel

31s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe"

Signatures

Quantum Ransomware

ransomware quantum

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\BlockSubmit.png => \??\c:\Users\Admin\Pictures\BlockSubmit.png.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\DenyDisable.png => \??\c:\Users\Admin\Pictures\DenyDisable.png.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\PingImport.raw => \??\c:\Users\Admin\Pictures\PingImport.raw.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\SaveOut.tiff C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\SaveOut.tiff => \??\c:\Users\Admin\Pictures\SaveOut.tiff.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\TraceProtect.png => \??\c:\Users\Admin\Pictures\TraceProtect.png.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\WaitLock.crw => \??\c:\Users\Admin\Pictures\WaitLock.crw.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\ApproveGroup.crw => \??\c:\Users\Admin\Pictures\ApproveGroup.crw.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
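The rows above show the encryptor appending .quantum to the existing name (BlockSubmit.png becomes BlockSubmit.png.quantum) rather than replacing the extension, so the original name survives and the detectable signal is one process giving many unrelated file types the same new suffix. The script below is an added detection example and is not part of this report: its events are a constructed, pre-parsed form of these rows (action, source, destination, process); sample.exe stands in for the hash-named binary, and the two benign controls (a Word save-as and a two-file .bak rotation) are invented.

```python
"""Mass-rename detector: many files under one process acquiring the same appended suffix.

Added example, not part of the sandbox report. EVENTS is a constructed,
pre-parsed form of the behavioral1 'Modifies extensions of user files' rows;
the process paths and the benign control rows are placeholders.
"""
import ntpath
from collections import defaultdict

NT_PREFIX = "\\??\\"  # object-manager prefix the sandbox shows on destination paths

# Constructed sample input. SAMPLE_EXE stands in for the long hash-named sample path.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
BACKUP_TOOL = r"C:\Program Files\Backup\backup.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PICS = r"C:\Users\Admin\Pictures"

EVENTS = [
    ("File renamed", PICS + "\\" + name,
     NT_PREFIX + "c:\\Users\\Admin\\Pictures\\" + name + ".quantum", SAMPLE_EXE)
    for name in ("BlockSubmit.png", "DenyDisable.png", "PingImport.raw", "SaveOut.tiff",
                 "TraceProtect.png", "WaitLock.crw", "ApproveGroup.crw")
] + [
    ("File opened for modification", NT_PREFIX + r"c:\Users\Admin\Pictures\SaveOut.tiff", "", SAMPLE_EXE),
    # Benign controls (invented): a stem change and a two-file .bak rotation stay below the bar.
    ("File renamed", r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report_final.docx", WORD),
    ("File renamed", r"C:\Data\db.mdf", r"C:\Data\db.mdf.bak", BACKUP_TOOL),
    ("File renamed", r"C:\Data\db.ldf", r"C:\Data\db.ldf.bak", BACKUP_TOOL),
]


def normalize(path: str) -> str:
    """Drop the NT prefix and fold case/separators so source and destination compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return ntpath.normcase(path)


def appended_extension(src: str, dst: str):
    """Return the dotted suffix appended to src to produce dst ('.quantum'), or None.

    Only an append counts: dst must be src followed by '.something'. A rename that
    changes the stem or swaps the extension is an ordinary edit, not an encryptor mark.
    """
    s, d = normalize(src), normalize(dst)
    if len(d) > len(s) and d.startswith(s) and d[len(s)] == ".":
        suffix = d[len(s):]
        if "\\" not in suffix and " " not in suffix:
            return suffix
    return None


def detect_mass_rename(events, threshold: int = 5):
    """Group appended suffixes per process; flag any (process, suffix) touching >= threshold files.

    Each finding carries the count and the set of original extensions: an encryptor
    marks many unrelated file types, while a backup or log rotation touches one or two.
    """
    files = defaultdict(set)
    orig_exts = defaultdict(set)
    for action, src, dst, process in events:
        if action != "File renamed":
            continue
        suffix = appended_extension(src, dst)
        if suffix is None:
            continue
        key = (ntpath.normcase(process), suffix)
        files[key].add(normalize(src))
        orig_exts[key].add(ntpath.splitext(normalize(src))[1])
    return [
        {"process": process, "appended_extension": suffix, "files": len(paths),
         "original_extensions": sorted(orig_exts[(process, suffix)])}
        for (process, suffix), paths in files.items() if len(paths) >= threshold
    ]


if __name__ == "__main__":
    for finding in detect_mass_rename(EVENTS):
        print(finding)
```

The threshold is per process and per suffix, so the .bak rotation is only flagged if it is lowered to 2; in production the same grouping is run over a sliding time window of file-rename telemetry rather than a static list.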

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.quantum\shell C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
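The key written here lives in the per-user Classes hive (HKCU\Software\Classes, shown by the sandbox as \REGISTRY\USER\<SID>_CLASSES), which needs no elevation and takes precedence over HKLM\Software\Classes in the merged HKCR view. The effect is that double-clicking any .quantum file runs explorer.exe README_TO_DECRYPT.html, so the victim sees the ransom note instead of the file. The script below is an added detection example, not part of this report: it matches registry set-value events for a user-hive <ext>\shell\open\command key and flags a handler that never receives the clicked file (no %1 placeholder) or that opens a fixed document. Its events are constructed from the rows above using the behavioral1 SID; the 7-Zip and notepad associations are invented benign controls and the rule names are the example's own.

```python
"""Flag a per-user file association whose shell\\open\\command does not hand off the clicked file.

Added example, not part of the sandbox report. EVENTS is a constructed list in the
shape of the report's registry rows (operation, key, data). The SID is the one from
behavioral1; the benign controls and rule names are invented for the example.
"""
import re

SID = "S-1-5-21-2647223082-2067913677-935928954-1000"
HIVE = "\\REGISTRY\\USER\\" + SID + "_CLASSES"

# Per-user Classes hive as written by the sandbox (\REGISTRY\USER\<SID>_Classes) or by
# Sysmon (HKU\<SID>_Classes). Trailing backslash is how the report marks the default value.
USER_EXT_OPEN_CMD = re.compile(
    r"^(?:\\registry\\user|hku)\\(s-1-5-21-[0-9-]+)_classes\\(\.[a-z0-9_-]+)\\shell\\open\\command\\?$",
    re.I,
)
DOCUMENT_EXTS = (".html", ".htm", ".hta", ".txt", ".url")
TOKEN = re.compile(r'"[^"]*"|\S+')

EVENTS = [
    ("Key created", HIVE + r"\.quantum", ""),
    ("Key created", HIVE + r"\.quantum\shell", ""),
    ("Key created", HIVE + r"\.quantum\shell\Open", ""),
    ("Key created", HIVE + r"\.quantum\shell\Open\command", ""),
    ("Set value (str)", HIVE + "\\.quantum\\shell\\Open\\command\\", "explorer.exe README_TO_DECRYPT.html"),
    # Benign controls (invented): real handlers receive the clicked file via %1.
    ("Set value (str)", HIVE + r"\.7z\shell\Open\command", r'"C:\Program Files\7-Zip\7zFM.exe" "%1"'),
    ("Set value (str)", "HKU\\" + SID + r"_Classes\.lockedfile\shell\open\command", 'notepad.exe "%1"'),
    # Not a Classes key at all: ignored by the matcher.
    ("Set value (str)", "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", "x.exe"),
]


def tokens(command: str):
    """Split a Windows command string into tokens, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(command)]


def assess_open_command(command: str):
    """Return the reasons a shell\\open\\command looks hijacked (empty list if it looks normal)."""
    parts = tokens(command)
    if not parts:
        return ["empty_command"]
    args = parts[1:]
    reasons = []
    # A genuine handler receives the clicked file via %1 (or %L); a note-popper ignores it.
    if not any("%1" in a or "%l" in a.lower() for a in args):
        reasons.append("no_%1_placeholder")
    # The argument is itself a document: the handler opens a fixed file instead of the user's.
    if any(a.lower().endswith(DOCUMENT_EXTS) for a in args):
        reasons.append("document_argument")
    return reasons


def detect_handler_hijack(events):
    """Apply assess_open_command to every set-value event on a user-hive <ext>\\shell\\open\\command key."""
    findings = []
    for op, key, data in events:
        if not op.lower().startswith("set value"):
            continue
        m = USER_EXT_OPEN_CMD.match(key)
        if not m:
            continue
        reasons = assess_open_command(data)
        if reasons:
            findings.append({"sid": m.group(1), "extension": m.group(2).lower(),
                             "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_handler_hijack(EVENTS):
        print(finding)
```

Only the set-value event is assessed; the preceding Key created rows carry no data and are noise for this purpose. The same assessment can be run against a live host by enumerating HKCU\Software\Classes\*\shell\open\command, which is where the sandbox's \REGISTRY\USER\<SID>_CLASSES path lands.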

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe

"C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3802.bat" "C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe""

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe"
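This process tree is the chain behind the "Deletes itself" signature: the sample drops an eight-hex-digit .bat in %TEMP% (006C3802.bat here, 0E569501.bat in behavioral2), runs it through cmd /c with its own path as the argument, and the batch calls attrib -s -r -h on that path. The batch has the same MD5 in both detonations (348cae913e496198548854f5ff2f6d1e) while its name changes, so the executable path is passed in as a parameter rather than embedded. The batch content itself was not captured; the delete step is inferred from the attribute clearing, which a batch needs because plain del skips hidden and system files and refuses read-only ones unless forced. The script below is an added detection example and not part of this report: it runs over a constructed process-creation log shaped like this tree (pid/ppid invented, sample.exe in place of the hash-named binary, two invented benign controls) and the rule names are the example's own.

```python
"""Detect the self-delete chain: a %TEMP% batch handed an ancestor's own path,
then attrib clearing that ancestor's file attributes.

Added example, not part of the sandbox report. EVENTS is a constructed
process-creation log shaped like the report's process tree; pid/ppid values are
invented and sample.exe stands in for the hash-named binary.
"""
import ntpath
import re

QUOTED = re.compile(r'"([^"]+)"')
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"

EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\006C3802.bat" "C:\Users\Admin\AppData\Local\Temp\sample.exe""'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    # Benign controls (invented): a logon script and a user unhiding their own document.
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Scripts\logon.bat"'},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib -h "C:\Users\Admin\Documents\notes.txt"'},
]


def ancestor_images(event, by_pid):
    """Lower-cased image paths of the parent, grandparent, ... until a pid is missing."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(ntpath.normcase(parent["image"]))
        parent = by_pid.get(parent["ppid"])
    return chain


def detect_self_delete(events):
    """Return one finding per event that matches a stage of the batch self-delete chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        ancestors = ancestor_images(e, by_pid)
        quoted = [ntpath.normcase(q) for q in QUOTED.findall(e["cmdline"])]
        refers_to_ancestor = any(q in ancestors for q in quoted)

        # Stage 1: cmd.exe /c running a .bat out of a Temp directory and passing an
        # ancestor's own image path as an argument (the batch will delete its caller).
        if name == "cmd.exe" and re.search(r"\s/c\b", e["cmdline"], re.I):
            bats = [q for q in quoted if q.endswith(".bat") and "\\temp\\" in q]
            if bats and refers_to_ancestor:
                findings.append({"rule": "temp_batch_given_parent_path", "pid": e["pid"], "batch": bats[0]})

        # Stage 2: attrib.exe clearing system/read-only/hidden on an ancestor's image,
        # the preparation a batch needs before a plain del of that file can succeed.
        if name == "attrib.exe":
            cleared = {t[1:].lower() for t in e["cmdline"].split() if t.startswith("-")}
            if cleared & {"s", "r", "h"} and refers_to_ancestor:
                findings.append({"rule": "attrib_clear_on_ancestor_image", "pid": e["pid"],
                                 "cleared": sorted(cleared)})
    return findings


if __name__ == "__main__":
    for finding in detect_self_delete(EVENTS):
        print(finding)
```

Either stage alone is a reasonable alert; both firing on one lineage, with the batch path matching the <8 hex digits>.bat naming seen in both detonations, is a strong match for this family's cleanup.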

Network

N/A

Files

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 71998acc8f03ff3b5b8cbe995403dc95
SHA1 e2374a082835039f73b6a98bfd0f7c6c969b64d0
SHA256 044a1fccf9a01c5e6aa8fa972599976ba044568b0ff5d16034386bde44d91f6d
SHA512 fe87771a900defac24023e70078e85935f0d13d7e8e01b687c11b38fde9158a3909ff34a00fd886b4f22c706a2a1350ca439180c44bb518593a09e47db4213c0

C:\Users\Admin\AppData\Local\Temp\006C3802.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-22 03:33

Reported

2023-02-22 03:36

Platform

win10v2004-20230220-en

Max time kernel

60s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe"

Signatures

Quantum Ransomware

ransomware quantum

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\Pictures\EditAdd.tiff C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\RedoSelect.tiff C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\RequestPing.tiff C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\UseConvertFrom.raw => \??\c:\Users\Admin\Pictures\UseConvertFrom.raw.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\WriteComplete.tiff C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\WriteComplete.tiff => \??\c:\Users\Admin\Pictures\WriteComplete.tiff.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\EditAdd.tiff => \??\c:\Users\Admin\Pictures\EditAdd.tiff.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\PublishSet.png => \??\c:\Users\Admin\Pictures\PublishSet.png.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\RedoSelect.tiff => \??\c:\Users\Admin\Pictures\RedoSelect.tiff.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File renamed C:\Users\Admin\Pictures\RequestPing.tiff => \??\c:\Users\Admin\Pictures\RequestPing.tiff.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe

"C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E569501.bat" "C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe""

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2.exe"

Network

Country Destination Domain Proto
NL 8.238.179.126:80 tcp
US 52.182.141.63:443 tcp
US 93.184.220.29:80 tcp
NL 8.238.179.126:80 tcp
NL 8.238.179.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp

None of these destinations has a resolved domain attached; the only DNS activity is a reverse lookup of 20.123.141.233, and the win7 detonation (behavioral1) produced no network traffic at all. Treat this as unattributed traffic consistent with Windows 10 background activity in the sandbox, not as sample C2, unless a process-level network event ties a connection to the sample.

Files

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

MD5 d8714ac7168930fcf50d1ec1bf900b90
SHA1 5e983f5151e69042c6df3c90763475dfa7e2dad2
SHA256 cc1620bbc9e812ceac951f835a13d67387307f1cdb09ba1a8c4ab58d10b77d24
SHA512 bd4f96ec26c7fc4697d9970fbf72ae4fd53a9e4406ed8d648fba236d06fa151335091d6da60b1e5e007e29bc1e47211c5cdaf6ab7c6d1be7bc2e57e63216190d

C:\Users\Admin\AppData\Local\Temp\0E569501.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611