quantum | 652c394928687ed453c34befbbe373f78a0258a40b0f40db425ad232ad761b85

Analysis

max time kernel
94s
max time network
83s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quantum_locker/quantum_locker.exe
Size

75KB
MD5

0706764b3963df092079d3bdef787a1f
SHA1

73c2460d59f3d0637523ca6d35425aae14358ba1
SHA256

b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192
SHA512

3af7ff3b2aa689eb4c410562b5ead74ff77417da941521928391c6fac3dcc6a75f6d866f52b12f67a41564cfa81afcda51857c0f208f9e90e8629e0f0b5d5cb4
SSDEEP

1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGp:OfJGLs6BwNxnfTKsG

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> 9064d8b148a0f19a9e3598a6e0b0aeb1602bd79273359845164eefdf45b6ef32 </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb1602bd79273359845164eefdf45b6ef32">http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb1602bd79273359845164eefdf45b6ef32</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb1602bd79273359845164eefdf45b6ef32 Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org

URLs

http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb1602bd79273359845164eefdf45b6ef32

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

quantum_locker.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AddSet.png => \??\c:\Users\Admin\Pictures\AddSet.png.quantum	quantum_locker.exe
File renamed	C:\Users\Admin\Pictures\SplitUnblock.raw => \??\c:\Users\Admin\Pictures\SplitUnblock.raw.quantum	quantum_locker.exe
File renamed	C:\Users\Admin\Pictures\StartUninstall.png => \??\c:\Users\Admin\Pictures\StartUninstall.png.quantum	quantum_locker.exe
File renamed	C:\Users\Admin\Pictures\SubmitBlock.png => \??\c:\Users\Admin\Pictures\SubmitBlock.png.quantum	quantum_locker.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1084 cmd.exe

pid	process
1084	cmd.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

quantum_locker.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	quantum_locker.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	quantum_locker.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503cfa86837fd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c000000000200000000001066000000010000200000006d9e9cedd12adcf581f74f7fbfa520aba04658562aea00d86512771d6b684d77000000000e800000000200002000000022979fc30b5ab6baab2939663359ec838495960f3b7e86551812092626fac39a9000000042190c0de81474a93bc0a51f5df81ee36e38545ca6e9e7f9e091250a084ded1e980de1c38026db1d7752fe8f599c5113b03b24cacf70442fee5be9b2ef7839ba66230eba823d07b076f34b955bdb5305eb6d6ba661b3431379edc7e6abdcdaf6f3e2e5d3d2bb01ee60dcff390c4bfa08a571abd91f577206224b88d00647b635ed8dde63e730a63e22fcfe873589a77e400000008f650a61948c1a69e6ff0845449b34a421bb11f71e2c6139a47ce4ca5698b5e807006445c7b9112cd52b544787d19704fd57ce5e4bf6dceec4c8865f872d0bb6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000fe2364bf6ac54c7996dc2f5d6e1466b684c4442626f6fe44757584edef096c3a000000000e8000000002000020000000b47268f4ce4c93d6d28257f737e51cf347db586986a6f9f636768608bbf59355200000007cb2bcdc3db9d6d28a385fc36854715884bb3f54c62cf1b18ea7164820d1deaf400000003b150ea2c16600e14647ac3844882776ac338bbbe90749a4b09d61c3c70a541628294c73437a93d1417ff03dc7ec869ce24785e265ea4ad62f1f13462d4221c6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC2B4AA1-EB76-11ED-B5FB-D6914D53598A} = "0"	iexplore.exe

Modifies registry class 5 IoCs

Processes:

quantum_locker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command	quantum_locker.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum	quantum_locker.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell	quantum_locker.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open	quantum_locker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	quantum_locker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

quantum_locker.exe

pid process

748 quantum_locker.exe
748 quantum_locker.exe

pid	process
748	quantum_locker.exe
748	quantum_locker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

quantum_locker.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	748	quantum_locker.exe
Token: SeDebugPrivilege	748	quantum_locker.exe
Token: 33	1196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1196	AUDIODG.EXE
Token: 33	1196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1196	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1748 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1748 iexplore.exe
1748 iexplore.exe
1440 IEXPLORE.EXE
1440 IEXPLORE.EXE
1440 IEXPLORE.EXE
1440 IEXPLORE.EXE

pid	process
1748	iexplore.exe

pid	process
1748	iexplore.exe
1748	iexplore.exe
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

quantum_locker.execmd.exeiexplore.exe

description	pid	process	target process
PID 748 wrote to memory of 1084	748	quantum_locker.exe	cmd.exe
PID 748 wrote to memory of 1084	748	quantum_locker.exe	cmd.exe
PID 748 wrote to memory of 1084	748	quantum_locker.exe	cmd.exe
PID 1084 wrote to memory of 2028	1084	cmd.exe	attrib.exe
PID 1084 wrote to memory of 2028	1084	cmd.exe	attrib.exe
PID 1084 wrote to memory of 2028	1084	cmd.exe	attrib.exe
PID 1748 wrote to memory of 1440	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1440	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1440	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1440	1748	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2028 attrib.exe

pid	process
2028	attrib.exe

C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe
"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006CAE98.bat" "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
3⤵
- Views/modifies file attributes
PID:2028

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1440

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
575fcb473ae2ef376c6a6281f519f9f5

SHA1
6bfed923e1783b7551e95a166a150851005953e6

SHA256
6580912e1f774d580c9f35760173d3d0726b8e636e261f19cd66db4943137b19

SHA512
fc39358e804df61665ef065c0e99d622be43e82af7da8d38dcf5f3bba97620363041597979f60342722732500f276952ba81b6e9bb7a3371d6a9e00576205aa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a5d6da10a327d0ce4691129e6150c833

SHA1
4f6739d4de32f429e40f52963c0b98dd4330566a

SHA256
f661bdbc07c88b56a542f76e55e28f661f261ef24d969bb972bfec371c8147b7

SHA512
5fb8b957fdbd8d9ba92d15c68ae08eaa5890cec24bf40c340030d47ba67306689955b32d7d75bb7db6897d9dc8cf0c789c925dca2a9a6369ddc30ec2ec393b1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7e5488a791c9b9dad002af7b59972dc7

SHA1
fa3840e74993b93d4d8105d766b762d3de8fdae3

SHA256
01f334926124ba100ea1dfdaa0fbf50c96e58ec46115929799c2998e8b457bf4

SHA512
951b1be5e9a1f2abe299619f11a90dfdb8739f2c3b8e4664f1e7fcd8cc542560dd20d2b8cb9cf254e190ba3740ce51dfcc0b27dee58fa264fb0eeaf4ee5b1bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
79520f2eddf928901934f51f0c8165ca

SHA1
68a3c542982b9bad1c184f720af7dd76cfb0d2db

SHA256
8ec3112896dff8f37a16bf139fc4fe49f88e7f6e6223c3566306f13494a7f19d

SHA512
6a93f116bef2e5cfc5137c9acb700f87490e31fd44342528be0add3a10f013fcf3c735ff20c9454c0e5562fff847f5551f0273052581391a56c0d7369b91980b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6c610ee4fb31b47e6c1097c294751657

SHA1
a2ecbffb9071f4ce61b102ed96949990f50438d7

SHA256
e15b776a7774963b3bac1114f02e76980ac2657bd42b5b9576bb12274fb27323

SHA512
d1757f978ae85fa7c8f5daa0e856b801f195764cf433de64593980de13bc703a5644fe8b70475fcf2bfccaa5f824b59b5338d1872b57666e0c6eee67bcdc6391

Download Submit
C:\Users\Admin\AppData\Local\Temp\006CAE98.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006CAE98.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab81B0.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8558.tmp
Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar837D.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
Filesize
2KB

MD5
557a3275e4a8d8782f3e3579adecf628

SHA1
49bc27e4fa9e96ed7a19ebe97f57984c8fcd574a

SHA256
9999a3b8ac4c1c59bfcd79f92c64dad69e7a7ba3e4ddf8c8aedf0f81b819c935

SHA512
97d6e689d4741220d5dde3b14b498187a52cfc4a5197a822f796e532c9916e022cfed6d5933c23ca0097387518b88bd878326b34f8a7d885586a8e2fb5063fb7

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
Filesize
2KB

MD5
557a3275e4a8d8782f3e3579adecf628

SHA1
49bc27e4fa9e96ed7a19ebe97f57984c8fcd574a

SHA256
9999a3b8ac4c1c59bfcd79f92c64dad69e7a7ba3e4ddf8c8aedf0f81b819c935

SHA512
97d6e689d4741220d5dde3b14b498187a52cfc4a5197a822f796e532c9916e022cfed6d5933c23ca0097387518b88bd878326b34f8a7d885586a8e2fb5063fb7

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads