Analysis Overview
SHA256
b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192
Threat Level: Known bad
The file b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192 was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Modifies extensions of user files
Drops desktop.ini file(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-28 14:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-28 14:36
Reported
2023-02-28 14:37
Platform
win7-20230220-en
Max time kernel
49s
Max time network
36s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\DebugConnect.png => \??\c:\Users\Admin\Pictures\DebugConnect.png.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableRestart.crw => \??\c:\Users\Admin\Pictures\DisableRestart.crw.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeSave.png => \??\c:\Users\Admin\Pictures\ResumeSave.png.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncUndo.tif => \??\c:\Users\Admin\Pictures\SyncUndo.tif.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
Drops desktop.ini file(s)
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LinksExplorer\LinksType = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "290" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e8918d8a4bd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LinksExplorer | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5D93761-B77D-11ED-89CC-52C255710AF6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc45899000000000200000000001066000000010000200000008d047de2f9523a6c17ff442e741f6bb151e1c091e271090bc99e204384aa1618000000000e8000000002000020000000e7ab28bfdebe98b9f9a58737189394d2ad9ce8bd04db17bdb68c6c24ab0f0bed20000000c366be607af867d154a59a51e2b75a28442c86417858becace7ccaf74a5cd4bf4000000083de1d2e1b8be1dfc0f8da7bad969873499acde722f85bdf8bb91eb2aa577b580a861ce79631eb2558b9c268881327870de02508c59110d2b7ab46fed8dec175 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
"C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3209.bat" "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe""
C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
Network
Files
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
| MD5 | 466d9ecfe8602b940a0463764fd07b78 |
| SHA1 | 7b77fc2d4308a1ee0102a4a352e2d5ea402b5a98 |
| SHA256 | a5bacdaf1f6b4f8c0e21266d797e81c58d29cc1363b7a28b012eb24e1cb99455 |
| SHA512 | 058e74c4b94303202e8546abe09dbb8ec3b685dee908cb95a849902b71b8bc16405312dc16ee361afbc7178702d1eff9833295276de9b6d501af4403a03568a7 |
C:\Users\Admin\AppData\Local\Temp\006C3209.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
memory/568-321-0x0000000002B80000-0x0000000002B90000-memory.dmp
memory/588-322-0x0000000002D50000-0x0000000002D52000-memory.dmp
C:\Users\Admin\Favorites\README_TO_DECRYPT.html
| MD5 | 466d9ecfe8602b940a0463764fd07b78 |
| SHA1 | 7b77fc2d4308a1ee0102a4a352e2d5ea402b5a98 |
| SHA256 | a5bacdaf1f6b4f8c0e21266d797e81c58d29cc1363b7a28b012eb24e1cb99455 |
| SHA512 | 058e74c4b94303202e8546abe09dbb8ec3b685dee908cb95a849902b71b8bc16405312dc16ee361afbc7178702d1eff9833295276de9b6d501af4403a03568a7 |
C:\Users\Admin\AppData\Local\Temp\Cab7B7A.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\Local\Temp\Tar7C39.tmp
| MD5 | 73b4b714b42fc9a6aaefd0ae59adb009 |
| SHA1 | efdaffd5b0ad21913d22001d91bf6c19ecb4ac41 |
| SHA256 | c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd |
| SHA512 | 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 441982728b0966b019be8b810da15a2d |
| SHA1 | 2608885d711cea33609d32a028f48b6eaa5a0a0f |
| SHA256 | c885adf1eb643ef1edc103493cb3f2345e2837ad10e7cf7930d00c2dfbb8ca39 |
| SHA512 | 72bd283c26a780d3c6ee55ce00510413bf376be2386eb4bb4bb6fd3f67aa4a578f3ebe5a4e8784946b3733411414492b3ca5534272a030ac9f478c630436a62c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4e08d0259e4e7d34283f9d1562f03536 |
| SHA1 | 913154e942d18e695367b6d2c625bef76d1ee2fe |
| SHA256 | effd0831ce4ffe999ab729a612472dff583d240f0eabd924107bfc4f01c06c2d |
| SHA512 | fecb6d4f8458f7685964eb9daae3931e8f83755b9215cef5d77c95e22476a69c35a8dc2ab76aee176f913ffe3af65ace541dd0e5b568c56a1ce1f0e77fb364ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 94c6cdeeb2b111cf6c17c6792a53aa68 |
| SHA1 | 6f420a578d125cd67793249cc31d38a5775ea239 |
| SHA256 | 8556620773692e71e581b848ea955af5b68593afcad55ac1d10ce07443b73bd1 |
| SHA512 | 69472b0bca1aeb489f804999d1b1b4794c3ccb43246b6fbd84b769aba541a2e78ee4866e1c29f27b95092d0a66fb700644f858eeef6fde05ec12661ec7a5da6e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | daa6467fd75694763008ad1df57d42ba |
| SHA1 | 188ccb5fa3a3dd2529b926d30b4c038f4bb8355c |
| SHA256 | 693a85b14413238cd0bf5c1db7e1dc3db4c6a7f0e6422c1d5b28a5c09a135f85 |
| SHA512 | 21694be8ccd38abde48b873b4451825aaa96a1a25d3b8300b34e40780cca64630761dba2a4b8414948187a27dd8d4e51b52990976662d833e99f58a711ad5b17 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 792da1938eea2f88df5d632e7f81fa7a |
| SHA1 | 27f2ed7b636e9856f9193c94496ced8606eaf9d0 |
| SHA256 | 229f5c4a1c0c6799c616aad3ee47723be6674d59d5cb50ec680f8ff1983e8dc9 |
| SHA512 | 87e34e1d6d6124fb2637959900def72d7e36b36eea2153093280dea89779788db2c6a1268872c6badc889ed295140d355f71b60c38783627b58e40287ba4e1d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb86caefa90e9deeffcbf0e096f3ddae |
| SHA1 | e40a6d503084d06f5b9fbff80fff7282e48f709e |
| SHA256 | 521b105fbebde5537c04f0a3efb3bafe8a08ec9803c0466e70bfdd76e18ef0b6 |
| SHA512 | 014465dbc8b330f7fb1b874c48b7c7c7e95145b937d5e2b0c35ab04343f69403395f4182ba54353571d15e94cd7f02784312510ed586e159067de6a4ec0b37e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2bad106deea04bf8f0be0ce52502c719 |
| SHA1 | fc06d7c1a6dd1c4a237453c86e8c4d62cc06970b |
| SHA256 | 15fc4eb2a738562f9fecf1f643ac4974d1844c403db55dde098dadfb88d0dc09 |
| SHA512 | fb8259fc499e75c12fd213d7d7f81018b67cedfc24afd1f3a3e8d7018e94494021a4d8676c9e407b174dbf5eb97c51ca701e7b62511c114ccaf3511ce9e7ed60 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8321a5477b8f33e96e3285ad0113d71 |
| SHA1 | df16121f4f9cdb049a251a1e3f7381def4dbf5dd |
| SHA256 | 5fcd374ada1fec205d7fda582fe122f492d5ffe8ac3eb41511999cd9b880e4ee |
| SHA512 | 9d516202b19e61e7c955a5e7990254fb0e9b0660e79a0ac59593926f677da238bd9f009eae67f2badf011e9f15e8dbe8afcf3db964496b5c656ce985d60e4e0b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-28 14:36
Reported
2023-02-28 14:37
Platform
win10v2004-20230220-en
Max time kernel
64s
Max time network
66s
Command Line
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\ImportClear.crw => \??\c:\Users\Admin\Pictures\ImportClear.crw.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenPop.tif => \??\c:\Users\Admin\Pictures\OpenPop.tif.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipClose.crw => \??\c:\Users\Admin\Pictures\SkipClose.crw.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoDisconnect.png => \??\c:\Users\Admin\Pictures\UndoDisconnect.png.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointConnect.crw => \??\c:\Users\Admin\Pictures\CheckpointConnect.crw.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompressUnprotect.crw => \??\c:\Users\Admin\Pictures\CompressUnprotect.crw.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RegisterGrant.crw => \??\c:\Users\Admin\Pictures\RegisterGrant.crw.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitUnpublish.raw => \??\c:\Users\Admin\Pictures\SubmitUnpublish.raw.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseSplit.tif => \??\c:\Users\Admin\Pictures\UseSplit.tif.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
Drops desktop.ini file(s)
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell\Open\command | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.quantum\shell\Open | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1532 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | C:\Windows\system32\cmd.exe |
| PID 1532 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe | C:\Windows\system32\cmd.exe |
| PID 1128 wrote to memory of 636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 1128 wrote to memory of 636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe
"C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E5693F8.bat" "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe""
C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 20.42.65.90:443 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
Files
C:\Users\Admin\Contacts\README_TO_DECRYPT.html
| MD5 | a7666c61eac5209ab349bb22b56d21ee |
| SHA1 | 0196a5f6d00d36b5f0d4c150a83d3268f6a2c324 |
| SHA256 | 0ff90fa41cfe5a948185a8d2a4f398800df535c1a3386ad265e5753c518aa623 |
| SHA512 | 1be019bb7593bd2b6613840cc6115d53e52b1a3453f7bbc6cacb60eb76b692ec38731b28f0e7181259f3feba57d72cd8cbad4d37e2bfaafb84accb9fa3afe39f |
C:\Users\Admin\AppData\Local\Temp\0E5693F8.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |