Analysis Overview
SHA256
faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d
Threat Level: Known bad
The file faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Modifies extensions of user files
Deletes itself
Drops desktop.ini file(s)
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2023-02-22 03:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-22 03:06
Reported
2023-02-22 03:08
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\JoinUninstall.png => \??\c:\Users\Admin\Pictures\JoinUninstall.png.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LockCompress.raw => \??\c:\Users\Admin\Pictures\LockCompress.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReadConnect.tif => \??\c:\Users\Admin\Pictures\ReadConnect.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendMerge.png => \??\c:\Users\Admin\Pictures\SuspendMerge.png.quantum | C:\Windows\system32\rundll32.exe | N/A |
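The rename rows above are the raw signal behind the "Modifies extensions of user files" signature: one process appends the same new extension (`.quantum`) to many files while keeping the original name. The following script is an added example, not code from the report or from the sandbox vendor. It parses rows in the table format shown here, strips the `\??\` object-manager prefix the sandbox records on destination paths, ignores "File opened for modification" rows (the second run logs one for a `.tiff` file right before its rename), and flags any process that appended one extension to at least three distinct files. The sample rows are constructed from both runs plus one benign rename added as a decoy; the threshold of three is an assumption.

```python
"""Added example: flag ransomware-style mass renames from sandbox
'File renamed' rows (constructed from this report; not the report's code)."""
import re
from collections import defaultdict

# Constructed sample: rows copied from both runs plus one benign decoy rename.
SAMPLE_ROWS = [
    r"| File renamed | C:\Users\Admin\Pictures\JoinUninstall.png => \??\c:\Users\Admin\Pictures\JoinUninstall.png.quantum | C:\Windows\system32\rundll32.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Pictures\LockCompress.raw => \??\c:\Users\Admin\Pictures\LockCompress.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Pictures\ReadConnect.tif => \??\c:\Users\Admin\Pictures\ReadConnect.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |",
    r"| File opened for modification | \??\c:\Users\Admin\Pictures\InitializeProtect.tiff | C:\Windows\system32\rundll32.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Pictures\InitializeProtect.tiff => \??\c:\Users\Admin\Pictures\InitializeProtect.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |",
    # decoy (constructed): a normal rename that changes the name, not the extension
    r"| File renamed | C:\Users\Admin\Documents\draft.docx => \??\c:\Users\Admin\Documents\final.docx | C:\Windows\explorer.exe | N/A |",
]

# The sandbox logs destination paths as NT object-manager paths (\??\c:\...).
NT_PREFIX = re.compile(r"^\\\?\?\\", re.IGNORECASE)


def cells(row):
    """Split one '| a | b | c |' table row into stripped cell strings."""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def normalise(path):
    """Drop the \\??\\ prefix and lower-case the drive letter so src/dst compare."""
    path = NT_PREFIX.sub("", path)
    return path[0].lower() + path[1:] if path else path


def parse_renames(rows):
    """Yield (process, src, dst) for 'File renamed' rows; other rows are skipped."""
    for row in rows:
        c = cells(row)
        if len(c) < 3 or c[0] != "File renamed" or " => " not in c[1]:
            continue
        src, dst = (normalise(p) for p in c[1].split(" => ", 1))
        yield c[2], src, dst


def appended_extension(src, dst):
    """Return the suffix appended to src (e.g. '.quantum'), or None when the
    rename did not preserve the original file name."""
    if dst.lower().startswith(src.lower()) and len(dst) > len(src):
        return dst[len(src):]
    return None


def find_mass_rename(rows, threshold=3):
    """Return {(process, ext): [src paths]} for every process that appended the
    same extension to at least `threshold` distinct files (threshold assumed)."""
    seen = defaultdict(set)
    for proc, src, dst in parse_renames(rows):
        ext = appended_extension(src, dst)
        if ext:
            seen[(proc, ext)].add(src)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (proc, ext), files in find_mass_rename(SAMPLE_ROWS).items():
        print(f"{proc} appended {ext} to {len(files)} files")
```

The same logic applies to live file-rename telemetry (Sysmon does not log renames, but EDR file events and the NTFS USN journal do): group by (process, appended suffix) and alert when the count of distinct original paths crosses the threshold. Keying on the appended suffix rather than on a known extension list is what catches a family whose extension you have not seen before.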
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
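The registry rows above register a per-user file association for the new `.quantum` extension whose `shell\Open\command` default value is `explorer.exe README_TO_DECRYPT.html`: double-clicking any encrypted file launches the ransom note instead of the file. The tell is that the command carries no `%1` (or `%L`, `%*`) placeholder, so it can never open the file that was clicked; legitimate handlers almost always pass one. Note also that the Win7 run logs the hive as `_CLASSES` and the Win10 run as `_Classes`; registry paths are case-insensitive, so any matching must be too. The script below is an added example, not the report's or the sandbox's code: it parses "Set value" rows in this format, extracts `HKU\<SID>_Classes\<ext>\shell\Open\command` handlers, and flags those without a file placeholder. The rows are constructed from both runs plus one benign handler; the placeholder heuristic is an assumption (DDE-based handlers are a rare legitimate exception).

```python
"""Added example: flag per-user file associations that never open the
clicked file (constructed from this report; not the report's code)."""
import re

# Constructed sample: the two runs' 'Set value' rows plus one benign handler.
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |',
    r'| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |',
    # benign (constructed): an installer registering a real viewer that receives %1
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.myext\shell\Open\command\ = "C:\Program Files\Viewer\viewer.exe %1" | C:\Program Files\Viewer\setup.exe | N/A |',
]

# HKU\<SID>_Classes\<ext>\shell\Open\command, optionally ending in '\' for the
# default value. IGNORECASE covers the _CLASSES / _Classes difference.
HANDLER = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)_CLASSES\\(?P<ext>\.[^\\]+)"
    r"\\shell\\open\\command\\?$",
    re.IGNORECASE,
)
# Placeholders through which a handler receives the clicked file.
PLACEHOLDERS = ("%1", "%l", "%*")


def cells(row):
    """Split one '| a | b | c |' table row into stripped cell strings."""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def parse_handlers(rows):
    """Return [{sid, ext, command, process}] for every per-user Open handler set."""
    out = []
    for row in rows:
        c = cells(row)
        if len(c) < 3 or not c[0].startswith("Set value") or " = " not in c[1]:
            continue
        key, _, value = c[1].partition(" = ")
        m = HANDLER.match(key)
        if m:
            out.append({"sid": m["sid"], "ext": m["ext"].lower(),
                        "command": value.strip('"'), "process": c[2]})
    return out


def is_note_redirect(handler):
    """True when the command has no file placeholder: whatever the user clicks,
    the handler opens a fixed target (here the ransom note) instead."""
    cmd = handler["command"].lower()
    return not any(p in cmd for p in PLACEHOLDERS)


def find_redirected_extensions(rows):
    """Return {ext: sorted SIDs} for extensions whose handler ignores the file."""
    hits = {}
    for h in parse_handlers(rows):
        if is_note_redirect(h):
            hits.setdefault(h["ext"], set()).add(h["sid"])
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for ext, sids in find_redirected_extensions(SAMPLE_ROWS).items():
        print(f"{ext}: handler never opens the clicked file (SIDs: {', '.join(sids)})")
```

On a live host the same key is reachable as `HKCU\Software\Classes\<ext>\shell\Open\command` (the `HKU\<SID>_Classes` hive is what HKCU\Software\Classes maps to), so the check ports directly to Sysmon Event ID 13 registry telemetry or a scheduled `reg query`. Removing the key and deleting the note does not restore any data; it only stops the redirect.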
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1060 wrote to memory of 872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 872 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 872 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 872 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d.dll,#1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C65C6.bat" """
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
Network
Files
memory/1060-54-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1060-55-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1060-58-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1060-56-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1060-59-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
| MD5 | 21bbb8eea42568480717270d2d0a25c7 |
| SHA1 | 1ffddf6756e0920b0eb663c8e4a52b4411ed249f |
| SHA256 | 709d3a538f19e5bae305b487df9f412c31debc381c04446ad0faad65aaa8a41c |
| SHA512 | d349cbb09de87fe2bfbbf9fd745ec16cc99f66c92ba38b9d2dc6412c593ba681dfa6af44df418416c581b3907da72f885130daf27293642d8f3a0692c59b5c3c |
memory/1060-302-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1060-305-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\006C65C6.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Temp\.log
| MD5 | 7548dd0b2f3255f83bb16942f8370ec4 |
| SHA1 | 2ad9d91ce01523487b0f4073a43fbdb5a72cf242 |
| SHA256 | 1782e433e771a124f1942e8203e6eafc4e24ff4bfd10cc109edf69d840bbcf41 |
| SHA512 | 067a0fd3b3d66f885cb56af513bf8ac04353d9fe678248882fb7559a5b439b2a587d62bb9598908d380bb023305bce1b9d7e2951108953b92cee55976494b1ef |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-22 03:06
Reported
2023-02-22 03:08
Platform
win10v2004-20230220-en
Max time kernel
85s
Max time network
90s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ExitRename.tif => \??\c:\Users\Admin\Pictures\ExitRename.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\InitializeProtect.tiff | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InitializeProtect.tiff => \??\c:\Users\Admin\Pictures\InitializeProtect.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishAdd.tif => \??\c:\Users\Admin\Pictures\PublishAdd.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallComplete.tif => \??\c:\Users\Admin\Pictures\UninstallComplete.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchRequest.tif => \??\c:\Users\Admin\Pictures\WatchRequest.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4464 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 4464 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 3412 wrote to memory of 4208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 3412 wrote to memory of 4208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d.dll,#1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E56D391.bat" """
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4464 -ip 4464
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4464 -s 376
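The process list above, read together with the "Suspicious use of WriteProcessMemory" rows, gives the execution chain behind the "Deletes itself" signature: `rundll32.exe` (PID 4464) starts `cmd.exe` (PID 3412) on a batch file with an eight-hex-character name in `%TEMP%`, and that batch starts `attrib.exe` (PID 4208) with `-s -r -h` to clear system, read-only and hidden attributes. In both runs the attrib target is an empty string, and the batch file has the same SHA256 (`c80128f5…`) under a different random name, so the file name is useless as an indicator while the hash is not. The two `WerFault.exe` instances are not children of the sample; they are started by Windows Error Reporting and carry the crashed PID (`-p 4464`, the rundll32 host) on their command line. The script below is an added example, not the report's or the sandbox's code. It rebuilds the tree from rows in this format, attaches the command lines by image name, attaches WerFault instances to the crashed PID instead of as children, and flags the rundll32 -> cmd /c <Temp>\<hex8>.bat -> attrib -s -r -h chain. The input is constructed from the behavioral2 run; reading the WriteProcessMemory rows as parent-to-child edges is an assumption that holds here because the targets line up with the Processes list.

```python
"""Added example: rebuild the process tree from a sandbox report's
WriteProcessMemory rows and flag the self-delete batch chain
(constructed from this report; not the report's code)."""
import re

# Constructed from the behavioral2 run.
WPM_ROWS = [
    r"| PID 4464 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |",
    r"| PID 4464 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |",
    r"| PID 3412 wrote to memory of 4208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |",
]
PROCESSES = [  # (image, command line) in the report's order
    (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d.dll,#1"),
    (r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E56D391.bat" """'),
    (r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -pss -s 460 -p 4464 -ip 4464"),
    (r"C:\Windows\system32\attrib.exe", r'attrib -s -r -h ""'),
    (r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 4464 -s 376"),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# cmd /c "<...>\Temp\<8 hex chars>.bat", tolerating the doubled quotes and
# doubled backslash the report shows.
BAT_RE = re.compile(r'/c\s+"*([^"]*\\Temp\\+[0-9A-F]{8}\.bat)', re.IGNORECASE)
WER_PID_RE = re.compile(r"-p (\d+)")


def cells(row):
    """Split one '| a | b | c |' table row into stripped cell strings."""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def build_tree(wpm_rows, processes):
    """Return (nodes, children, crashes): nodes[pid] = {image, cmdline, parent},
    children[pid] = [child pids], crashes[pid] = [WerFault command lines]."""
    nodes, children = {}, {}
    for row in wpm_rows:
        c = cells(row)
        m = WPM_RE.search(c[0])
        if not m or len(c) < 4:
            continue
        parent, child = int(m[1]), int(m[2])
        nodes.setdefault(parent, {"image": c[2], "cmdline": None, "parent": None})
        nodes.setdefault(child, {"image": c[3], "cmdline": None, "parent": parent})
        if child not in children.setdefault(parent, []):
            children[parent].append(child)
    # Attach command lines by image name, consuming each list entry once.
    unused = list(processes)
    for pid in sorted(nodes):
        for i, (image, cmdline) in enumerate(unused):
            if image.lower() == nodes[pid]["image"].lower():
                nodes[pid]["cmdline"] = cmdline
                del unused[i]
                break
    # WerFault is started by WER, not by the sample: record it against the
    # PID named in its -p argument rather than as a child.
    crashes = {}
    for image, cmdline in unused:
        m = WER_PID_RE.search(cmdline)
        if image.lower().endswith("werfault.exe") and m:
            crashes.setdefault(int(m[1]), []).append(cmdline)
    return nodes, children, crashes


def find_self_delete_chain(nodes, children):
    """Return [(rundll32 pid, cmd pid, attrib pid, bat path)] for each
    rundll32 -> cmd /c <Temp>\\<hex8>.bat -> attrib -s -r -h chain."""
    hits = []
    for pid, n in nodes.items():
        if not n["image"].lower().endswith("rundll32.exe"):
            continue
        for cpid in children.get(pid, []):
            c = nodes[cpid]
            if not c["image"].lower().endswith("cmd.exe") or not c["cmdline"]:
                continue
            m = BAT_RE.search(c["cmdline"])
            if not m:
                continue
            for gpid in children.get(cpid, []):
                g = nodes[gpid]
                args = g["cmdline"].lower().split() if g["cmdline"] else []
                if g["image"].lower().endswith("attrib.exe") and \
                        all(f in args for f in ("-s", "-r", "-h")):
                    hits.append((pid, cpid, gpid, m[1]))
    return hits


if __name__ == "__main__":
    nodes, children, crashes = build_tree(WPM_ROWS, PROCESSES)
    for rpid, cpid, apid, bat in find_self_delete_chain(nodes, children):
        print(f"self-delete chain: {rpid} -> {cpid} ({bat}) -> {apid}")
    for pid, lines in crashes.items():
        print(f"PID {pid} crashed ({len(lines)} WerFault instances)")
```

For endpoint detection the equivalent is a parent-child rule on process creation events (Sysmon Event ID 1): `rundll32.exe` spawning `cmd.exe /c` on a `.bat` in `%TEMP%` which in turn spawns `attrib.exe -s -r -h` is rare in normal use, and the rule does not depend on the random batch name. The `Deletes itself` signature itself carries no indicator in this report, so the chain and the batch hash are what you would pivot on.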
Network
| Country | Destination | Domain | Proto |
| US | 104.208.16.90:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| NL | 84.53.175.11:80 | | tcp |
Files
memory/4464-133-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
memory/4464-135-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
memory/4464-137-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
memory/4464-139-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
C:\Users\Admin\3D Objects\README_TO_DECRYPT.html
| MD5 | 518afc7a84fa8348ed86dd8bf5948696 |
| SHA1 | a163aa6fdbf872f2795404c5e9de40638ebd5c3e |
| SHA256 | 96f7339a86df8e1bd2c06162376b9eba377feefc41b1797abe4ebb34a39a5386 |
| SHA512 | 586e86ccbce06644fd6e729d901cacf4ed707e3079bdc2b209fbe2e3ac75bfb9e7718718f3e14f81cec90a88aaca1d7456c2fff8d41c7af8c5d3107e09a9d39e |
memory/4464-190-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
memory/4464-360-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
memory/4464-365-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
memory/4464-363-0x00007FF4291A0000-0x00007FF4291B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E56D391.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Temp\.log
| MD5 | 2faaf31a1027be730d5d14468850901d |
| SHA1 | 61009262e82cdb757bd79e157936cb85f9e42505 |
| SHA256 | 9ebe34a350938038d8b8657bdcc3c0c4f8bb0363f4659419f1e054bbf7750208 |
| SHA512 | eda4e335410d229d050a5b15b53bc0bbcc537062727885c305526c404b71812d79bbeca29cf30f19a7f2413a2be76e99639d1efdfde82e1a303391d054bec267 |