Analysis Overview
SHA256
faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d
Threat Level: Known bad
The file quantumlocker64_faf496.dll was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Modifies extensions of user files
Deletes itself
Drops desktop.ini file(s)
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-23 19:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-23 19:29
Reported
2023-02-23 19:29
Platform
win7-20230220-en
Max time kernel
29s
Max time network
31s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ConnectSave.crw => \??\c:\Users\Admin\Pictures\ConnectSave.crw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveRepair.png => \??\c:\Users\Admin\Pictures\MoveRepair.png.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchMount.tif => \??\c:\Users\Admin\Pictures\SearchMount.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\SkipDisable.tiff | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\BlockImport.tiff | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockImport.tiff => \??\c:\Users\Admin\Pictures\BlockImport.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockSearch.tif => \??\c:\Users\Admin\Pictures\BlockSearch.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConfirmSend.raw => \??\c:\Users\Admin\Pictures\ConfirmSend.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipDisable.tiff => \??\c:\Users\Admin\Pictures\SkipDisable.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
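The rename rows above share one shape: the destination is the original name with `.quantum` appended, logged with the NT object-manager prefix `\??\` on the new side only. The detector below, an added example rather than code from the sandbox that produced this report, normalizes that prefix and flags any process that appends the same suffix to many distinct files; the sample events are constructed from the behavioral1 table plus one benign rename.

```python
"""Mass-rename detector for the 'Modifies extensions of user files' pattern.
Added example; sample events are constructed from the rows of this report."""
from collections import defaultdict

# Constructed sample: (process, old_path, new_path) triples lifted from the
# behavioral1 table, plus one benign rename (explorer.exe) that must not fire.
SAMPLE_RENAMES = [
    ("rundll32.exe", r"C:\Users\Admin\Pictures\ConnectSave.crw",
     r"\??\c:\Users\Admin\Pictures\ConnectSave.crw.quantum"),
    ("rundll32.exe", r"C:\Users\Admin\Pictures\MoveRepair.png",
     r"\??\c:\Users\Admin\Pictures\MoveRepair.png.quantum"),
    ("rundll32.exe", r"C:\Users\Admin\Pictures\SearchMount.tif",
     r"\??\c:\Users\Admin\Pictures\SearchMount.tif.quantum"),
    ("rundll32.exe", r"C:\Users\Admin\Pictures\BlockImport.tiff",
     r"\??\c:\Users\Admin\Pictures\BlockImport.tiff.quantum"),
    ("rundll32.exe", r"C:\Users\Admin\Pictures\BlockSearch.tif",
     r"\??\c:\Users\Admin\Pictures\BlockSearch.tif.quantum"),
    ("rundll32.exe", r"C:\Users\Admin\Pictures\ConfirmSend.raw",
     r"\??\c:\Users\Admin\Pictures\ConfirmSend.raw.quantum"),
    ("rundll32.exe", r"C:\Users\Admin\Pictures\SkipDisable.tiff",
     r"\??\c:\Users\Admin\Pictures\SkipDisable.tiff.quantum"),
    # Constructed benign rename: the extension changes, nothing is appended.
    ("explorer.exe", r"C:\Users\Admin\Documents\notes.txt",
     r"C:\Users\Admin\Documents\notes.md"),
]


def normalize_path(path):
    """Strip the NT prefix (\\??\\) the sandbox logs on the destination side
    and lower-case, so old and new paths compare cleanly."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_suffix(old_path, new_path):
    """Return the text appended to the original name, or None when the rename
    is not of the form <old name><suffix> (a genuine extension change)."""
    old, new = normalize_path(old_path), normalize_path(new_path)
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def detect_mass_rename(events, threshold=5):
    """Count distinct files per (process, appended suffix); report every pair
    that reaches the threshold, most files first."""
    files_by_key = defaultdict(set)   # (process, suffix) -> original paths
    for process, old_path, new_path in events:
        suffix = appended_suffix(old_path, new_path)
        if suffix and suffix.startswith("."):
            files_by_key[(process, suffix)].add(normalize_path(old_path))
    hits = [
        {"process": proc, "appended_extension": suf, "files": len(paths)}
        for (proc, suf), paths in files_by_key.items() if len(paths) >= threshold
    ]
    return sorted(hits, key=lambda h: h["files"], reverse=True)


if __name__ == "__main__":
    for hit in detect_mass_rename(SAMPLE_RENAMES):
        print(hit)
```

The threshold of five is an assumption for the sample; on real file-system telemetry it should be paired with a time window, since the signature here is a burst of identical appends from one process, not any single rename.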
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
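The registry rows above create a per-user file class for `.quantum` whose Open verb runs `explorer.exe README_TO_DECRYPT.html`, so double-clicking any encrypted file opens the note. The parser below is an added example, not code from the sandbox: it extracts SID, extension, verb and command from indicators of exactly this shape (the win7 run logs `_CLASSES`, the win10 run `_Classes`, so matching is case-insensitive) and flags handlers whose command launches a document rather than a program. The benign `.myapp` event and its SID are constructed.

```python
"""Flag a file-class Open handler that points at a ransom note.
Added example; events are constructed from the 'Modifies registry class'
rows of this report plus one constructed benign handler."""
import re

SAMPLE_REGISTRY_EVENTS = [
    ("Key created",
     r'\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum'),
    ("Key created",
     r'\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum\shell\Open\command'),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"'),
    # Constructed benign handler: a new extension wired to a real executable.
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes\.myapp\shell\Open\command\ = "C:\Program Files\MyApp\myapp.exe" "%1"'),
]

# <HKU SID>_Classes\<ext>\shell\<verb>\command\ = "<cmd>"  (default value set)
HANDLER_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)_CLASSES'
    r'\\(?P<ext>\.[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\ = "(?P<cmd>.*)"$',
    re.IGNORECASE,
)

# A legitimate Open verb launches a program; a handler that opens one of
# these is almost always a note the malware wants shown to the victim.
NOTE_EXTENSIONS = (".html", ".htm", ".txt", ".hta")


def parse_handler(indicator):
    """Return {sid, ext, verb, cmd} for a shell command value, else None."""
    m = HANDLER_RE.match(indicator)
    if not m:
        return None
    return {k: m.group(k) for k in ("sid", "ext", "verb", "cmd")}


def is_ransom_note_handler(handler):
    """True when any argument of the command is a document, as in
    'explorer.exe README_TO_DECRYPT.html'."""
    tokens = handler["cmd"].replace('"', " ").split()
    return any(t.lower().endswith(NOTE_EXTENSIONS) for t in tokens)


def find_ransom_note_handlers(events):
    """Scan (action, indicator) pairs; only 'Set value' rows carry a command."""
    hits = []
    for action, indicator in events:
        if not action.startswith("Set value"):
            continue
        handler = parse_handler(indicator)
        if handler and is_ransom_note_handler(handler):
            hits.append(handler)
    return hits


if __name__ == "__main__":
    for h in find_ransom_note_handlers(SAMPLE_REGISTRY_EVENTS):
        print(f'{h["sid"]}: {h["ext"]} {h["verb"]} -> {h["cmd"]}')
```

Because the key lives under the user's own HKCU\Software\Classes hive, it is writable without elevation and survives reboot; removing the note handler is part of cleanup, but the extension association alone does no harm once the note file is gone.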
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1208 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 1208 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 1208 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 544 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 544 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 544 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\quantumlocker64_faf496.dll,#1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C71A8.bat" """
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
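The process list above shows the cleanup chain the "Deletes itself" signature attributes to cmd.exe: rundll32.exe loads the DLL by ordinal from %TEMP%, spawns cmd.exe on an eight-hex-character .bat in the same directory (the same chain, with pids 2444, 3956 and 3416, appears in behavioral2), and that batch runs attrib.exe clearing the system, read-only and hidden bits, which is what a script does before deleting a file. The batch is invoked with an empty-string argument and attrib receives the same `""`, consistent with the batch passing its %1 through; the page does not show the batch contents, so that is an inference. The detector below is an added example, not sandbox code; the process records are constructed from the behavioral1 pids, and the benign chain is invented for contrast.

```python
"""Detect the rundll32 -> cmd (temp .bat) -> attrib self-delete chain.
Added example; process records are constructed from this report."""
import ntpath
import re

SAMPLE_PROCESSES = [
    # Constructed from behavioral1: pids 1208 -> 544 -> 952; ppid 100 is invented.
    {"pid": 1208, "ppid": 100, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\quantumlocker64_faf496.dll,#1"},
    {"pid": 544, "ppid": 1208, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C71A8.bat" """'},
    {"pid": 952, "ppid": 544, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": 'attrib -s -r -h ""'},
    # Constructed benign chain: an admin script clears one bit on a config file.
    {"pid": 2000, "ppid": 100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Tools\fixperms.bat"'},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib -r "C:\Tools\config.ini"'},
]

# rundll32 loading a DLL out of the user's Temp directory.
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\+[^\s,]+\.dll", re.IGNORECASE)
# cmd running a batch named with 8 hex digits in Temp (the sandbox logs a
# doubled backslash before the file name, hence the '\\+').
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\+[0-9A-F]{8}\.bat", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host)."""
    return ntpath.basename(path).lower()


def clears_all_attrs(cmdline):
    """True when attrib removes system, read-only and hidden in one call."""
    flags = set(f.lower() for f in re.findall(r"-([srh])\b", cmdline, re.IGNORECASE))
    return {"s", "r", "h"} <= flags


def find_self_delete_chains(processes):
    """Walk attrib -> parent cmd -> grandparent rundll32 and return each
    matching chain as [rundll32_pid, cmd_pid, attrib_pid]."""
    by_pid = {p["pid"]: p for p in processes}
    chains = []
    for proc in processes:
        if image_name(proc["image"]) != "attrib.exe" or not clears_all_attrs(proc["cmdline"]):
            continue
        parent = by_pid.get(proc["ppid"])
        if not parent or image_name(parent["image"]) != "cmd.exe" \
                or not TEMP_BAT_RE.search(parent["cmdline"]):
            continue
        grand = by_pid.get(parent["ppid"])
        if not grand or image_name(grand["image"]) != "rundll32.exe" \
                or not TEMP_DLL_RE.search(grand["cmdline"]):
            continue
        chains.append([grand["pid"], parent["pid"], proc["pid"]])
    return chains


if __name__ == "__main__":
    print(find_self_delete_chains(SAMPLE_PROCESSES))
```

Requiring all three links keeps the rule quiet on ordinary `attrib -r` use; the 8-hex-digit batch name is taken from the two runs on this page (006C71A8.bat, 0E56EDB0.bat) and is an assumption about the family, not a documented constant.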
Network
Files
memory/1208-54-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1208-55-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1208-57-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1208-68-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
| MD5 | dbb237db15b08dd707f5b7dc3e5f4ce0 |
| SHA1 | 03a6d435f7f312adf4ee50c13e4884fdac3513e4 |
| SHA256 | dab86bea2d86359a2bfe80fac940af846c8bfbf3ed7c2910ace0a13ae5272dcc |
| SHA512 | 5d48868819bb45827b79dfebf88fdd018de000c04fcc1ff4c09f2d7a4690118a87d8e4c6459b1dcb9376374781725dd717a8faa54bc374c7472e88de05497da5 |
memory/1208-59-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1208-310-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
memory/1208-313-0x000007FFFFF90000-0x000007FFFFFA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\006C71A8.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Temp\.log
| MD5 | cd2751a922c65f9fb8a580b378bae31f |
| SHA1 | f456431648eacefc9cc146ad3b7a753074e6037e |
| SHA256 | 3eedf62aead4379dde47656905a66ee23c8d97cb59e3cdf5715dc03e6f97a868 |
| SHA512 | 5b95c187b05aa29b271f0f64c0b98cf2c604cb52e2de067f0a9971b16bd4cdae309733e0dc9d97f7e1cf31c31b901601749854547a884932bda1bdf5fe94b7c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-23 19:29
Reported
2023-02-23 19:29
Platform
win10v2004-20230220-en
Max time kernel
39s
Max time network
43s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Pictures\ProtectStop.tiff | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncInvoke.png => \??\c:\Users\Admin\Pictures\SyncInvoke.png.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoGroup.tif => \??\c:\Users\Admin\Pictures\UndoGroup.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseAdd.crw => \??\c:\Users\Admin\Pictures\UseAdd.crw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddClose.tif => \??\c:\Users\Admin\Pictures\AddClose.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugMeasure.tiff => \??\c:\Users\Admin\Pictures\DebugMeasure.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GrantDebug.raw => \??\c:\Users\Admin\Pictures\GrantDebug.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\NewGrant.tif => \??\c:\Users\Admin\Pictures\NewGrant.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitResolve.tiff => \??\c:\Users\Admin\Pictures\SplitResolve.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\DebugMeasure.tiff | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallUnpublish.crw => \??\c:\Users\Admin\Pictures\InstallUnpublish.crw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ProtectStop.tiff => \??\c:\Users\Admin\Pictures\ProtectStop.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\SplitResolve.tiff | C:\Windows\system32\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2444 wrote to memory of 3956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 2444 wrote to memory of 3956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 3956 wrote to memory of 3416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 3956 wrote to memory of 3416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\quantumlocker64_faf496.dll,#1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E56EDB0.bat" """
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2444 -ip 2444
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2444 -s 764
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.2:443 | N/A | tcp |
Files
memory/2444-133-0x00007FF47A6D0000-0x00007FF47A6E8000-memory.dmp
memory/2444-137-0x00007FF47A6D0000-0x00007FF47A6E8000-memory.dmp
memory/2444-136-0x00007FF47A6D0000-0x00007FF47A6E8000-memory.dmp
C:\Users\Admin\3D Objects\README_TO_DECRYPT.html
| MD5 | 518afc7a84fa8348ed86dd8bf5948696 |
| SHA1 | a163aa6fdbf872f2795404c5e9de40638ebd5c3e |
| SHA256 | 96f7339a86df8e1bd2c06162376b9eba377feefc41b1797abe4ebb34a39a5386 |
| SHA512 | 586e86ccbce06644fd6e729d901cacf4ed707e3079bdc2b209fbe2e3ac75bfb9e7718718f3e14f81cec90a88aaca1d7456c2fff8d41c7af8c5d3107e09a9d39e |
memory/2444-172-0x00007FF47A6D0000-0x00007FF47A6E8000-memory.dmp
memory/2444-393-0x00007FF47A6D0000-0x00007FF47A6E8000-memory.dmp
memory/2444-396-0x00007FF47A6D0000-0x00007FF47A6E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E56EDB0.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Temp\.log
| MD5 | 0867fa30ba4c76cf6e7d560da8ccc28f |
| SHA1 | f49ea422e8c94299b80aee6460e07a8067cfd446 |
| SHA256 | 7224256f5f9cdf3fb8044abc8e2f68fcc610135470d42d344099e82cb732b2cd |
| SHA512 | 8e21f7a2374c4812473d9766ef8b5611f77724a4132f94874b12af1f89c22ab7da4fc0e9acdbaf774bd06041325a2b892bf464e8946d92c9b1178732144e5fd5 |