Analysis

  • max time kernel
    38s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-02-2023 04:17

General

  • Target

    8458e0c8dedee593b99025ec99ad7fa692b3302e5e2aa243920dd434b732c2b8.exe

  • Size

    75KB

  • MD5

    108b36a8250f1bb1d600d5d02106898c

  • SHA1

    6ca6566d0a6db3fae9a63d68e7fb7819a098d3d6

  • SHA256

    8458e0c8dedee593b99025ec99ad7fa692b3302e5e2aa243920dd434b732c2b8

  • SHA512

    8331edf61ed1d29c4eab2f283e8992e894863be5e327b35d4fe5d2a084e465b34c672f6c1a7e52ea12babce0f2328e7b56f68a51442375d3f3be1c56839225cb

  • SSDEEP

    1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGrSLYc:OfJGLs6BwNxnfTKsG8Y

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Ransom Note
ALL YOUR DATA IS ENCRYPTED by QUANTUM
What happened?
All your files are encrypted on all devices across the network
Huge volume of your data including financial, customer, partner and employees data was downloaded to our internal servers
What's next?
If you don't get in touch with us next 48 hours, we'll start publishing your data to the Data Leaks Portal / TOR Data Leaks Portal
How do I recover?
There is no way to decrypt your files manually unless we provide a special decryption tool
Please download TOR browser and CONTACT US for further instructions
Hours Minutes Seconds

Signatures

  • Quantum Ransomware

    A rebrand of the MountLocker ransomware first seen in August 2021.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8458e0c8dedee593b99025ec99ad7fa692b3302e5e2aa243920dd434b732c2b8.exe
    "C:\Users\Admin\AppData\Local\Temp\8458e0c8dedee593b99025ec99ad7fa692b3302e5e2aa243920dd434b732c2b8.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C2F5B.bat" "C:\Users\Admin\AppData\Local\Temp\8458e0c8dedee593b99025ec99ad7fa692b3302e5e2aa243920dd434b732c2b8.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\8458e0c8dedee593b99025ec99ad7fa692b3302e5e2aa243920dd434b732c2b8.exe"
        3⤵
        • Views/modifies file attributes
        PID:736
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\006C2F5B.bat

    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\AppData\Local\Temp\Cab9BB6.tmp

    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\Local\Temp\Tar9CD3.tmp

    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html

    Filesize

    7KB

    MD5

    0dbab907f708365c408acdf1fffc9a41

    SHA1

    6367310ed51d5fd3fc36f85d5ffa3d04466586ac

    SHA256

    8469c9938cc93d67a91e7ead03a7e7df587a8c36fcfe02fb8b405a8a703394a1

    SHA512

    83e9f91143ad91797cbca2f48ddda8bc07c72e2ad24d7f6345ef3ce337839419e6f276ea954ed7b9c9b6b780ea16b3b29ed267faf02fc718a5421447284124ca

  • memory/1648-306-0x0000000002890000-0x00000000028A0000-memory.dmp

    Filesize

    64KB

  • memory/1984-307-0x00000000003E0000-0x00000000003E2000-memory.dmp

    Filesize

    8KB