Analysis

  • max time kernel
    28s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-02-2023 04:23

General

  • Target

    76c75318d96c33c268f5e3454b1d220761c3a62a94775fee7e6df6423dd7e8d0.exe

  • Size

    64KB

  • MD5

    b0b3acefd8c8ae6f30daf7610cacb78a

  • SHA1

    8b713f8940c1a275eaf8399e6e44967925e46863

  • SHA256

    76c75318d96c33c268f5e3454b1d220761c3a62a94775fee7e6df6423dd7e8d0

  • SHA512

    37cb13a9ff501583f6948d6f427f451ba6d6d7db4067d13146fe75cc4483ce8a5e104c161da3995f88026bc8801ed3750a875222484d8a41895755dcf94e1f0d

  • SSDEEP

    768:GnJ9uwtbJD/QpEdTrArzVpCK1w22TYgNvCJ037FLxZKQJRNz0TqXUNxlEfZf3u0L:G+wr1AB0AwB57F9npz0Ta5fRu0L

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Ransom Note
ALL YOUR DATA IS ENCRYPTED by QUANTUM

What happened?
All your files are encrypted on all devices across the network. Huge volume of your data including financial, customer, partner and employees data was downloaded to our internal servers.

What's next?
If you don't get in touch with us next 48 hours, we'll start publishing your data to the Data Leaks Portal / TOR Data Leaks Portal.

How do I recover?
There is no way to decrypt your files manually unless we provide a special decryption tool. Please download TOR browser and CONTACT US for further instructions.

Signatures

  • Quantum Ransomware

    A rebrand of the MountLocker ransomware first seen in August 2021.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76c75318d96c33c268f5e3454b1d220761c3a62a94775fee7e6df6423dd7e8d0.exe
    "C:\Users\Admin\AppData\Local\Temp\76c75318d96c33c268f5e3454b1d220761c3a62a94775fee7e6df6423dd7e8d0.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C56D8.bat" "C:\Users\Admin\AppData\Local\Temp\76c75318d96c33c268f5e3454b1d220761c3a62a94775fee7e6df6423dd7e8d0.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\76c75318d96c33c268f5e3454b1d220761c3a62a94775fee7e6df6423dd7e8d0.exe"
        3⤵
        • Views/modifies file attributes
        PID:768
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1488

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\006C56D8.bat

    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html

    Filesize

    7KB

    MD5

    e2023a501c3a5bbd5a37482841b34a53

    SHA1

    0172584ab0a393b1e608e4a470398d010405a674

    SHA256

    942904508fcdb8db57e17f570554089233df8b2e1eb9f21bdd077dd2bfb6d2d2

    SHA512

    8c5dc8ed89fccb411d0053f560228194dfd66711c3f95b7c7f712085b134650cf24ff05bef5eebd3b8b9c544ef88ae09f4d4a3b7d7ab3e89f5231959df093ae7

  • memory/1488-333-0x00000000011C0000-0x00000000011C2000-memory.dmp

    Filesize

    8KB

  • memory/1776-332-0x0000000002F40000-0x0000000002F50000-memory.dmp

    Filesize

    64KB