quantum | a2eecf17e60223705e045692e1b84228d3b978300fac235c621a9c015f2a2936

Analysis

max time kernel
41s
max time network
43s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2eecf17e60223705e045692e1b84228d3b978300fac235c621a9c015f2a2936.dll
Size

77KB
MD5

c1fbbf273c1e4094f6bf0cdde36d2764
SHA1

bcf4ed6e49e30c5ab9e0fdfcaf5ee8e2756cc98a
SHA256

a2eecf17e60223705e045692e1b84228d3b978300fac235c621a9c015f2a2936
SHA512

a66ddd695b9d4e45e32c210deca5e02005d3f005742d491b223a4eafd3a391f16d6028580efcb91638555a28f11015259cdb1b80ef1040554992e51a7f4eb669
SSDEEP

1536:6aX1IbkVQJih8Ls2RZYbz+n26HNmAC6Usgt4:rKntfmzK2736Us6

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> ac76ebfba8f313e3035387cd174939e03682a865ccbd0e8e01799fd203769b61 </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=ac76ebfba8f313e3035387cd174939e03682a865ccbd0e8e01799fd203769b61">http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=ac76ebfba8f313e3035387cd174939e03682a865ccbd0e8e01799fd203769b61</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=ac76ebfba8f313e3035387cd174939e03682a865ccbd0e8e01799fd203769b61 Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org

URLs

http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=ac76ebfba8f313e3035387cd174939e03682a865ccbd0e8e01799fd203769b61

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SetUse.crw => \??\c:\Users\Admin\Pictures\SetUse.crw.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\CompleteDeny.png => \??\c:\Users\Admin\Pictures\CompleteDeny.png.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromShow.tif => \??\c:\Users\Admin\Pictures\ConvertFromShow.tif.quantum	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\RestartProtect.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RestartProtect.tiff => \??\c:\Users\Admin\Pictures\RestartProtect.tiff.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\GrantCompare.raw => \??\c:\Users\Admin\Pictures\GrantCompare.raw.quantum	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\OpenSkip.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\OpenSkip.tiff => \??\c:\Users\Admin\Pictures\OpenSkip.tiff.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\SaveNew.crw => \??\c:\Users\Admin\Pictures\SaveNew.crw.quantum	rundll32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1792 cmd.exe

pid	process
1792	cmd.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D702DA1-B6CC-11ED-B8E8-C6F40EA7D53E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell\Open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell\Open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1976 rundll32.exe
1976 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeRestorePrivilege 1976 rundll32.exe
Token: SeDebugPrivilege 1976 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1460 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1460 iexplore.exe
1460 iexplore.exe
1528 IEXPLORE.EXE
1528 IEXPLORE.EXE
1528 IEXPLORE.EXE
1528 IEXPLORE.EXE

pid	process
1976	rundll32.exe
1976	rundll32.exe

description	pid	process
Token: SeRestorePrivilege	1976	rundll32.exe
Token: SeDebugPrivilege	1976	rundll32.exe

pid	process
1460	iexplore.exe

pid	process
1460	iexplore.exe
1460	iexplore.exe
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.execmd.exeiexplore.exe

description	pid	process	target process
PID 1976 wrote to memory of 1792	1976	rundll32.exe	cmd.exe
PID 1976 wrote to memory of 1792	1976	rundll32.exe	cmd.exe
PID 1976 wrote to memory of 1792	1976	rundll32.exe	cmd.exe
PID 1792 wrote to memory of 756	1792	cmd.exe	attrib.exe
PID 1792 wrote to memory of 756	1792	cmd.exe	attrib.exe
PID 1792 wrote to memory of 756	1792	cmd.exe	attrib.exe
PID 1460 wrote to memory of 1528	1460	iexplore.exe	IEXPLORE.EXE
PID 1460 wrote to memory of 1528	1460	iexplore.exe	IEXPLORE.EXE
PID 1460 wrote to memory of 1528	1460	iexplore.exe	IEXPLORE.EXE
PID 1460 wrote to memory of 1528	1460	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

756 attrib.exe

pid	process
756	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2eecf17e60223705e045692e1b84228d3b978300fac235c621a9c015f2a2936.dll,#1
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3B0E.bat" "C:\Users\Admin\AppData\Local\Temp\a2eecf17e60223705e045692e1b84228d3b978300fac235c621a9c015f2a2936.dll""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\a2eecf17e60223705e045692e1b84228d3b978300fac235c621a9c015f2a2936.dll"
3⤵
- Views/modifies file attributes
PID:756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
867da2a6c7be48350650f2d907120dd3

SHA1
09512e5fcba19af0f9dc9cb4dcda51117c323a6b

SHA256
a019dbfde02f0a9e9bcbc99b09b27d7b4877bed24bd0219d035e45fd1c09a36d

SHA512
9a615ff586fea4f053fa41b3a39b8c79d6d138fc4a53c888ae6705fef21203d5f4287117dbe88c261a1127e6f225538382d31d87f0a3806520744fd9b7792e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
21b9f7049d0ff79321091f9675ac5704

SHA1
5e625bc561574dcc4ee1cd8a0f764703fa361cfe

SHA256
f393f7282627597427dc917c07b032849e5c0c07a28f2e09d5bd4f54d4e3feeb

SHA512
409cc97fff2496ce0f9cc58cece81d2111dbd292ba66875cd9f8489709fe51a0763b7ae3d0096e1728297abc99698af84970036dd8f7210248f1785cd577d1af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3daf15d2b57d98de6a927dfdb4b99df8

SHA1
b59fec04bbe4e59644ef9d920a486b629e1d6360

SHA256
a3923e74955ae267447d5184cb1097593f6dfda656da1109c2f2b00b52d40923

SHA512
1ac82b957d291719a187347565def5d7bde45b5c70af5f6e54bbea0659d4f5472986bbec95380fffacf77721d635cd3cad5331cde44d81c6500bcb505060b2f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
87928598497246a21f0e2959036f637a

SHA1
eabef9d61540e42dec658b8bb231b48ec49d3ee0

SHA256
2f5a1658c67a5a7d7becea9f994e8ba356b397aeea1eaec52a7dda7678fd97fe

SHA512
31870bd662681a7f77f1b772f59a88f624459593c7c435aa8ac01225ef37fd63513a552ed44730071e97e62e65470783069544fd5f66db547e7a3ca226d00c9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d980498f1ef29fa866b2f386920e34b8

SHA1
4114ba33d4e24a744315b96be1e1ec1cb572ff9b

SHA256
80604cc1102ea74e1d7570e93edae5587f9da726eee9667d496bcc8aa4b999aa

SHA512
5182d3d99bdb64195e690dd30bf83b54dd8d99a08ff81898df74595826d982a360e2bce7c9dcea61947daa8eadb1145bedae04af1a88d3cdd4e5496143518b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b8f6be9dfc799cb75f3d39ac1fdf2302

SHA1
24199c3ae674f45794c2a8af585983563f032f83

SHA256
c8367afa1da9b2714ca7b774c564491498d70628c7f1062e984a9df1e512895a

SHA512
98194009ac9247c63d156f91230168d875f0d1146b03bd043ea1bff8601338c823d0aa835551b346d19910e3f35e540971db162b3ff9b6ced3975ba5bbe57302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
07f851d72075c56853551b78d55b9ea8

SHA1
fb8781873759663df899c3fdf6a2b2822c9b02c4

SHA256
0cf78136049ce740bbe8b224b2b1ecda5169d67e144de901b004843b788cc927

SHA512
6526e03387769de2fcb0b0e57e70151d2d9a799935cf9f24920f25bf2a118426527ea50cceed4f8e80edd9f2af28c84e7c191773ad9aff1e8689e6bb56f0df4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
450fd3ef30e5d9fcf47095a13a48fcc6

SHA1
dd74b01f60f66e2d9e1b30a4ae9cdccd72f82d69

SHA256
33fd127c4623d2a72e37e49197dc145d16cba8c80c543f52886a0ee82a8dd3fc

SHA512
e1a1616201771a16546f1fc1c8901810df0a420c7dc6ef24c96ef4dfa24baf77c73aefaa970f3418b53519d463b876c9aea70645b515b883de1cf6ed13f36945

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C3B0E.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C3B0E.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA306.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA404.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
Filesize
2KB

MD5
f46ff2d55c963be6f57a9bc599452c40

SHA1
e36db8ed6ef3ddf5ef562c6dc5df148e4f3d1cc7

SHA256
7257116268be82e7872963ce983674528a1bee58668dccfc0b8da4811761107b

SHA512
caf060973e731c9e2e4a78d86f30d0d3bbbdc68d1f8c9820da79e59dbe3dbf6ff825c8a82c20dec4eb7de2bb8c2be02d3a1c87673312fd13eeef0878c0945273

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
Filesize
2KB

MD5
f46ff2d55c963be6f57a9bc599452c40

SHA1
e36db8ed6ef3ddf5ef562c6dc5df148e4f3d1cc7

SHA256
7257116268be82e7872963ce983674528a1bee58668dccfc0b8da4811761107b

SHA512
caf060973e731c9e2e4a78d86f30d0d3bbbdc68d1f8c9820da79e59dbe3dbf6ff825c8a82c20dec4eb7de2bb8c2be02d3a1c87673312fd13eeef0878c0945273

Download Submit
memory/1460-331-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/1528-332-0x0000000000F80000-0x0000000000F82000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads