Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
08-06-2023 03:20
General
-
Target
quantum_locker/quantum_locker.exe
-
Size
75KB
-
MD5
0706764b3963df092079d3bdef787a1f
-
SHA1
73c2460d59f3d0637523ca6d35425aae14358ba1
-
SHA256
b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192
-
SHA512
3af7ff3b2aa689eb4c410562b5ead74ff77417da941521928391c6fac3dcc6a75f6d866f52b12f67a41564cfa81afcda51857c0f208f9e90e8629e0f0b5d5cb4
-
SSDEEP
1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGp:OfJGLs6BwNxnfTKsG
Malware Config
Extracted
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
quantum
Signatures
-
Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops desktop.ini file(s) 26 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C2DD5.bat" "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"3⤵
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
Filesize
2KB
MD5e0ee6e7df64f93e12e3ecf246323524d
SHA147664f0e931cc2916e0933dc419c423447eda67c
SHA2564ec867d231198a5b8a4d65d2fc1256af31e9cfe220fd0f8525ecc92217914591
SHA5123087710bad5be25d35297cb9d74ab67fca55774d2914d1203ac546d8df54c7c41bd041b3e0157a0466296ee3c5511ec6e08af94b2ec8831523b7c9545b806569