Analysis Overview
score
10/10
SHA256
652c394928687ed453c34befbbe373f78a0258a40b0f40db425ad232ad761b85
Threat Level: Known bad
The file quantum_locker.zip was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Modifies extensions of user files
Deletes itself
Drops desktop.ini file(s)
Unsigned PE
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-05 18:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-05 18:56
Reported
2023-05-05 18:58
Platform
win7-20230220-en
Max time kernel
94s
Max time network
83s
Command Line
"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\AddSet.png => \??\c:\Users\Admin\Pictures\AddSet.png.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitUnblock.raw => \??\c:\Users\Admin\Pictures\SplitUnblock.raw.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartUninstall.png => \??\c:\Users\Admin\Pictures\StartUninstall.png.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitBlock.png => \??\c:\Users\Admin\Pictures\SubmitBlock.png.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503cfa86837fd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c000000000200000000001066000000010000200000006d9e9cedd12adcf581f74f7fbfa520aba04658562aea00d86512771d6b684d77000000000e800000000200002000000022979fc30b5ab6baab2939663359ec838495960f3b7e86551812092626fac39a9000000042190c0de81474a93bc0a51f5df81ee36e38545ca6e9e7f9e091250a084ded1e980de1c38026db1d7752fe8f599c5113b03b24cacf70442fee5be9b2ef7839ba66230eba823d07b076f34b955bdb5305eb6d6ba661b3431379edc7e6abdcdaf6f3e2e5d3d2bb01ee60dcff390c4bfa08a571abd91f577206224b88d00647b635ed8dde63e730a63e22fcfe873589a77e400000008f650a61948c1a69e6ff0845449b34a421bb11f71e2c6139a47ce4ca5698b5e807006445c7b9112cd52b544787d19704fd57ce5e4bf6dceec4c8865f872d0bb6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000fe2364bf6ac54c7996dc2f5d6e1466b684c4442626f6fe44757584edef096c3a000000000e8000000002000020000000b47268f4ce4c93d6d28257f737e51cf347db586986a6f9f636768608bbf59355200000007cb2bcdc3db9d6d28a385fc36854715884bb3f54c62cf1b18ea7164820d1deaf400000003b150ea2c16600e14647ac3844882776ac338bbbe90749a4b09d61c3c70a541628294c73437a93d1417ff03dc7ec869ce24785e265ea4ad62f1f13462d4221c6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC2B4AA1-EB76-11ED-B5FB-D6914D53598A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe
"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006CAE98.bat" "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe""
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
Network
Files
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
| MD5 | 557a3275e4a8d8782f3e3579adecf628 |
| SHA1 | 49bc27e4fa9e96ed7a19ebe97f57984c8fcd574a |
| SHA256 | 9999a3b8ac4c1c59bfcd79f92c64dad69e7a7ba3e4ddf8c8aedf0f81b819c935 |
| SHA512 | 97d6e689d4741220d5dde3b14b498187a52cfc4a5197a822f796e532c9916e022cfed6d5933c23ca0097387518b88bd878326b34f8a7d885586a8e2fb5063fb7 |
C:\Users\Admin\AppData\Local\Temp\006CAE98.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Temp\006CAE98.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
| MD5 | 557a3275e4a8d8782f3e3579adecf628 |
| SHA1 | 49bc27e4fa9e96ed7a19ebe97f57984c8fcd574a |
| SHA256 | 9999a3b8ac4c1c59bfcd79f92c64dad69e7a7ba3e4ddf8c8aedf0f81b819c935 |
| SHA512 | 97d6e689d4741220d5dde3b14b498187a52cfc4a5197a822f796e532c9916e022cfed6d5933c23ca0097387518b88bd878326b34f8a7d885586a8e2fb5063fb7 |
C:\Users\Admin\AppData\Local\Temp\Cab81B0.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\Tar837D.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\Local\Temp\Cab8558.tmp
| MD5 | b5fcc55cffd66f38d548e8b63206c5e6 |
| SHA1 | 79db08ababfa33a4f644fa8fe337195b5aba44c7 |
| SHA256 | 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1 |
| SHA512 | aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 575fcb473ae2ef376c6a6281f519f9f5 |
| SHA1 | 6bfed923e1783b7551e95a166a150851005953e6 |
| SHA256 | 6580912e1f774d580c9f35760173d3d0726b8e636e261f19cd66db4943137b19 |
| SHA512 | fc39358e804df61665ef065c0e99d622be43e82af7da8d38dcf5f3bba97620363041597979f60342722732500f276952ba81b6e9bb7a3371d6a9e00576205aa2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5d6da10a327d0ce4691129e6150c833 |
| SHA1 | 4f6739d4de32f429e40f52963c0b98dd4330566a |
| SHA256 | f661bdbc07c88b56a542f76e55e28f661f261ef24d969bb972bfec371c8147b7 |
| SHA512 | 5fb8b957fdbd8d9ba92d15c68ae08eaa5890cec24bf40c340030d47ba67306689955b32d7d75bb7db6897d9dc8cf0c789c925dca2a9a6369ddc30ec2ec393b1a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7e5488a791c9b9dad002af7b59972dc7 |
| SHA1 | fa3840e74993b93d4d8105d766b762d3de8fdae3 |
| SHA256 | 01f334926124ba100ea1dfdaa0fbf50c96e58ec46115929799c2998e8b457bf4 |
| SHA512 | 951b1be5e9a1f2abe299619f11a90dfdb8739f2c3b8e4664f1e7fcd8cc542560dd20d2b8cb9cf254e190ba3740ce51dfcc0b27dee58fa264fb0eeaf4ee5b1bec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79520f2eddf928901934f51f0c8165ca |
| SHA1 | 68a3c542982b9bad1c184f720af7dd76cfb0d2db |
| SHA256 | 8ec3112896dff8f37a16bf139fc4fe49f88e7f6e6223c3566306f13494a7f19d |
| SHA512 | 6a93f116bef2e5cfc5137c9acb700f87490e31fd44342528be0add3a10f013fcf3c735ff20c9454c0e5562fff847f5551f0273052581391a56c0d7369b91980b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c610ee4fb31b47e6c1097c294751657 |
| SHA1 | a2ecbffb9071f4ce61b102ed96949990f50438d7 |
| SHA256 | e15b776a7774963b3bac1114f02e76980ac2657bd42b5b9576bb12274fb27323 |
| SHA512 | d1757f978ae85fa7c8f5daa0e856b801f195764cf433de64593980de13bc703a5644fe8b70475fcf2bfccaa5f824b59b5338d1872b57666e0c6eee67bcdc6391 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-05 18:56
Reported
2023-05-05 18:59
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
150s
Command Line
"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
Signatures
Quantum Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\JoinResolve.crw => \??\c:\Users\Admin\Pictures\JoinResolve.crw.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LockClear.raw => \??\c:\Users\Admin\Pictures\LockClear.raw.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveEnter.png => \??\c:\Users\Admin\Pictures\MoveEnter.png.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishMount.tif => \??\c:\Users\Admin\Pictures\PublishMount.tif.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FindGet.tif => \??\c:\Users\Admin\Pictures\FindGet.tif.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\MergeStop.tiff | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MergeStop.tiff => \??\c:\Users\Admin\Pictures\MergeStop.tiff.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenRename.crw => \??\c:\Users\Admin\Pictures\OpenRename.crw.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenUnpublish.tif => \??\c:\Users\Admin\Pictures\OpenUnpublish.tif.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromSwitch.raw => \??\c:\Users\Admin\Pictures\ConvertFromSwitch.raw.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.quantum\shell\Open\command | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.quantum | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.quantum\shell | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.quantum\shell\Open | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | C:\Windows\system32\cmd.exe |
| PID 2976 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe | C:\Windows\system32\cmd.exe |
| PID 2380 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 2380 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe
"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E574DD2.bat" "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe""
C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.146.190.20.in-addr.arpa | udp |
| US | 20.44.10.122:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | tcp | |
| NL | 8.238.179.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
C:\Users\Admin\3D Objects\README_TO_DECRYPT.html
| MD5 | 381254e10593ad42a7e96f069305dbbb |
| SHA1 | 7b5ccdf55377b694fe761368f3372899a3c8d1aa |
| SHA256 | d19cef6340014cde9a2a60e7b1f57043f338590c64b454c75bf2358cf2c4f256 |
| SHA512 | fd4db6144cdf2e6774cc20fd1732b9a457572f59c7cd639181da8c7716a1f3b6c35b6ba2447045e65e2ad9ba713ec8ee857ee5695b1d28fa338a613a7c35d2fc |
C:\Users\Admin\AppData\Local\Temp\0E574DD2.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |