Malware Analysis Report

2024-09-11 01:36

Sample ID 230222-ebnarahf94
Target 0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f
SHA256 0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f
Tags
quantum ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f

Threat Level: Known bad

The file 0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f was found to be: Known bad.

Malicious Activity Summary

quantum ransomware

Quantum Ransomware

Modifies extensions of user files

Deletes itself

Drops desktop.ini file(s)

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Modifies registry class

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Hidden Files and Directories
T1158
Privilege Escalation
TA0004
Defense Evasion
TA0005
Hidden Files and Directories
T1158
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2023-02-22 03:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-22 03:46

Reported

2023-02-22 03:48

Platform

win7-20230220-en

Max time kernel

30s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe"

Signatures

Quantum Ransomware

ransomware quantum

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\Pictures\TestHide.tiff C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File renamed C:\Users\Admin\Pictures\TestHide.tiff => \??\c:\Users\Admin\Pictures\TestHide.tiff.quantum C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File renamed C:\Users\Admin\Pictures\TestReceive.crw => \??\c:\Users\Admin\Pictures\TestReceive.crw.quantum C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File renamed C:\Users\Admin\Pictures\MoveStart.crw => \??\c:\Users\Admin\Pictures\MoveStart.crw.quantum C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File renamed C:\Users\Admin\Pictures\PopSave.tif => \??\c:\Users\Admin\Pictures\PopSave.tif.quantum C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File renamed C:\Users\Admin\Pictures\PushConnect.tif => \??\c:\Users\Admin\Pictures\PushConnect.tif.quantum C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 748 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 748 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe

"C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C6FA5.bat" "C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe""

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe"

Network

N/A

Files

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 5da67e32f238009195ddc98dbc8fa7dd
SHA1 688b93f5d00ae6aaafbeb0a33ab5487975b4aa50
SHA256 7748b1e324112859cace7c9e60eea134503e86e24c3b49f51738b44c3e9b5971
SHA512 64164d7e99ff1e31c892f1ea3f55d5673cc2958d8c74b0bc6d08e3000bc8e4236aae48338e193cdd1464a0e3ccd3561a83aaf1c215d26e127ecdb81d7644d21b

C:\Users\Admin\AppData\Local\Temp\006C6FA5.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

C:\Users\Admin\AppData\Local\Temp\006C6FA5.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-22 03:46

Reported

2023-02-22 03:48

Platform

win10v2004-20230220-en

Max time kernel

131s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe

"C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 176 -p 3628 -ip 3628

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3628 -s 656

Network

Country Destination Domain Proto
NL 8.238.177.126:80 tcp
US 52.168.112.66:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp

Files

N/A