Analysis Overview
SHA256
204ad9cc8149d5f6f24e76ac18883c4843081878397ad9cf2dc29842fc28f277
Threat Level: Known bad
The file sample.zip was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Modifies extensions of user files
Drops desktop.ini file(s)
Program crash
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 01:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 01:46
Reported
2023-02-24 01:47
Platform
win10-20230220-en
Max time kernel
32s
Max time network
39s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\c:\Users\Admin\Pictures\DebugNew.tiff | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugNew.tiff => \??\c:\Users\Admin\Pictures\DebugNew.tiff.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RemoveCompare.tif => \??\c:\Users\Admin\Pictures\RemoveCompare.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestartSync.crw => \??\c:\Users\Admin\Pictures\RestartSync.crw.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveJoin.tif => \??\c:\Users\Admin\Pictures\SaveJoin.tif.quantum | C:\Windows\system32\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StepClear.raw => \??\c:\Users\Admin\Pictures\StepClear.raw.quantum | C:\Windows\system32\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.quantum | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3796 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 3796 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 4888 wrote to memory of 528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 4888 wrote to memory of 528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample\quantumlocker64_faf496.dll,#1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E571A8D.bat" """
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3796 -s 432
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
| NL | 20.50.201.195:443 | | tcp |
| NL | 88.221.25.155:80 | | tcp |
Files
memory/3796-121-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
memory/3796-122-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
memory/3796-125-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
memory/3796-127-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
C:\README_TO_DECRYPT.html
| MD5 | b7f6959164e820e178cf8a31fe982940 |
| SHA1 | ade9490ff6c1e393ad44756274f0999770ae05e7 |
| SHA256 | fc88a0e27b674dede4ec1535cd3210481719c1ea98d44558ca413fbcbbf1df49 |
| SHA512 | 41ff1781645a00dc5f7c9ad27016ea3a47b02ed04d0e34068f105cf74387d2597847a56e99feb0151302b068c691d1df0d5ebea8f33ce7392a2797f282d23a42 |
memory/3796-351-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
memory/3796-352-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
memory/3796-354-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
memory/3796-365-0x00007FF75C0C0000-0x00007FF75C0D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E571A8D.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Temp\sample\.log
| MD5 | beb197fbb0feea94e44fd053dde081b5 |
| SHA1 | edc46284fcdbf9e63b09c984a1cddf3b36abb16b |
| SHA256 | 915af8896051755f8e0d1d0c77591f90db8b302f31a923179537fe3702e9abd5 |
| SHA512 | 6770cc1df3e78c62d71c359fd6de8409a7a846db6289bde80e8da76492ed7255e3dfa2209ea793e574f1a71823041475204a4ad884a3b28d8fc9f9f77785a95e |