Analysis

  • max time kernel
    33s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-02-2023 04:38

General

  • Target

    c227041d6e889f67413f2e669e1a8c027dfa1c6f40e13889faaee3cd87633cd5.exe

  • Size

    75KB

  • MD5

    043d54316b201b92d11df5a5ac76d104

  • SHA1

    b0b49a9bd4de2f3fa56a4faf612303e68878f751

  • SHA256

    c227041d6e889f67413f2e669e1a8c027dfa1c6f40e13889faaee3cd87633cd5

  • SHA512

    2a2e63af63d99bc3c0fc27ac6309b57998a4d91355ce680b52faa3447760230cbdebc74e8f8c1bd87957c572a96fb7abf72ed0283744fa929d71213bcb403382

  • SSDEEP

    1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJG/m6Fcr:OfJGLs6BwNxnfTKsGZc

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Ransom Note
ALL YOUR DATA IS ENCRYPTED by QUANTUM

What happened?
All your files are encrypted on all devices across the network. Huge volume of your data including financial, customer, partner and employees data was downloaded to our internal servers.

What's next?
If you don't get in touch with us next 48 hours, we'll start publishing your data to the Data Leaks Portal / TOR Data Leaks Portal.

How do I recover?
There is no way to decrypt your files manually unless we provide a special decryption tool. Please download TOR browser and CONTACT US for further instructions.

Hours Minutes Seconds

Signatures

  • Quantum Ransomware

    A rebrand of the MountLocker ransomware first seen in August 2021.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c227041d6e889f67413f2e669e1a8c027dfa1c6f40e13889faaee3cd87633cd5.exe
    "C:\Users\Admin\AppData\Local\Temp\c227041d6e889f67413f2e669e1a8c027dfa1c6f40e13889faaee3cd87633cd5.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C9D98.bat" "C:\Users\Admin\AppData\Local\Temp\c227041d6e889f67413f2e669e1a8c027dfa1c6f40e13889faaee3cd87633cd5.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\c227041d6e889f67413f2e669e1a8c027dfa1c6f40e13889faaee3cd87633cd5.exe"
        3⤵
        • Views/modifies file attributes
        PID:2040
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1632

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\006C9D98.bat

    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html

    Filesize

    7KB

    MD5

    bef6c59862262709c2613495cd1fd47c

    SHA1

    42b063d9566b06351c2a4d44b1f7d9246219d7b7

    SHA256

    47ee2a808f944af46a58f0eb7ecad1cac787e233631b72bf019739a04fce114b

    SHA512

    27bcd7e725fd8cc754558eb5093b69aaf7415471b5b155a5eb518ea722479e2bc69c152534aaf07843878f3cec879aa651401ff3f0502de0747fef0782827169

  • memory/916-318-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

  • memory/1632-319-0x0000000000500000-0x0000000000502000-memory.dmp

    Filesize

    8KB