Overview

overview

10

Static

static

1

e2023e1b27...99.exe

windows7-x64

10

e2023e1b27...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    28-02-2023 02:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2023e1b27adb44333b4f016a9e105625734e3040207aef0fd13f70aa12c4199.exe

  • Size

    75KB

  • MD5

    0ea7b7b9e3c9327600e5f6c3d73d3b31

  • SHA1

    0e9fa74e170d65cfd2c30dbb97e15ec5d5101d2d

  • SHA256

    e2023e1b27adb44333b4f016a9e105625734e3040207aef0fd13f70aa12c4199

  • SHA512

    ffceee9d663a38c9ec163b3e175d84133f876eb238bff9b7e63deccf661807166900f7e12154db56554e234fb97ff5eed9cd7e3677923669b6449c8f3a881492

  • SSDEEP

    768:FbzkUtPX9DUetap1YOc8tmmSuDsCHJexou+nPp18vjILhussGdamRv5qmppQHUdZ:SaX1LGfDpRRuI0PuvtOuSG4PA

Score
10/10
quantumransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note
<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <b> <pre> ed0ee7039edd00c28a291fcf647e7ab23181bc0f94b4780ab6db7fe3d303a660 </pre> </b> <hr/> This message contains an information how to fix the troubles you've got with your network.<br><br> Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content.<br> The only way to get files back is a decryption with Key, provided by the Quantum Locker.<br><br> During the period your network was under our control, we downloaded a huge volume of information.<br> Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data.<br> Publishing of such data will cause serious consequences and even business disruption.<br><br> It's not a threat, on the contrary - it's a manual how to get a way out.<br> Quantum team doesn't aim to damage your company, our goals are only financial.<br><br> After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points.<br> If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc.<br><br> To contact our support and start the negotiations, please visit our support chat.<br> It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=ed0ee7039edd00c28a291fcf647e7ab23181bc0f94b4780ab6db7fe3d303a660">http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=ed0ee7039edd00c28a291fcf647e7ab23181bc0f94b4780ab6db7fe3d303a660</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note
Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=ed0ee7039edd00c28a291fcf647e7ab23181bc0f94b4780ab6db7fe3d303a660 Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org
URLs

http://kcbyz2zmg3kmtmoyrleznkcypippxn2pvknunqdytr5wi6io7pzwleid.onion/?cid=ed0ee7039edd00c28a291fcf647e7ab23181bc0f94b4780ab6db7fe3d303a660

Signatures

  • Quantum Ransomware

    A rebrand of the MountLocker ransomware first seen in August 2021.

    ransomwarequantum
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
    adwarespyware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2023e1b27adb44333b4f016a9e105625734e3040207aef0fd13f70aa12c4199.exe
    "C:\Users\Admin\AppData\Local\Temp\e2023e1b27adb44333b4f016a9e105625734e3040207aef0fd13f70aa12c4199.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C2A0E.bat" "C:\Users\Admin\AppData\Local\Temp\e2023e1b27adb44333b4f016a9e105625734e3040207aef0fd13f70aa12c4199.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\e2023e1b27adb44333b4f016a9e105625734e3040207aef0fd13f70aa12c4199.exe"
        3⤵
        • Views/modifies file attributes
        PID:1680
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:296

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\006C2A0E.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\006C2A0E.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    Filesize

    2KB

    MD5

    7c3f07e8891497e40f8bedb8a0f5d5ae

    SHA1

    d3ae0ca8255928296dbeec3ca4884ae7afbea733

    SHA256

    afec47710ac52e7020d283aa026dbab118f0412a7ee85597dc2439abe94e1c9c

    SHA512

    374b506dacd5bd03075e473783635d4786f6b0750d187a009e8a3e6c46df7e2d811281ef4d9a76df0f7ca692905c0e94dce6b49521f39152eb7fc97698a92fd6

    Download Submit

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    Filesize

    2KB

    MD5

    7c3f07e8891497e40f8bedb8a0f5d5ae

    SHA1

    d3ae0ca8255928296dbeec3ca4884ae7afbea733

    SHA256

    afec47710ac52e7020d283aa026dbab118f0412a7ee85597dc2439abe94e1c9c

    SHA512

    374b506dacd5bd03075e473783635d4786f6b0750d187a009e8a3e6c46df7e2d811281ef4d9a76df0f7ca692905c0e94dce6b49521f39152eb7fc97698a92fd6

    Download Submit

  • memory/296-346-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1168-345-0x00000000030A0000-0x00000000030B0000-memory.dmp

    Filesize

    64KB

    Download