Malware Analysis Report

2024-09-11 01:37

Sample ID 231125-dhxbkaga87
Target quantum_locker.zip
SHA256 652c394928687ed453c34befbbe373f78a0258a40b0f40db425ad232ad761b85
Tags
quantum ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

652c394928687ed453c34befbbe373f78a0258a40b0f40db425ad232ad761b85

Threat Level: Known bad

The file quantum_locker.zip was found to be: Known bad.

Malicious Activity Summary

quantum ransomware

Quantum Ransomware

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Views/modifies file attributes

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-11-25 03:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-25 03:01

Reported

2023-11-25 03:03

Platform

win7-20231023-en

Max time kernel

142s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"

Signatures

Quantum Ransomware

ransomware quantum

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407043174" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e90000000002000000000010660000000100002000000053fe0e92e8b22705e67681cc5e6f476e4a8d678097351c76e7f48bc6cf6ed29d000000000e80000000020000200000004d8b434bd4184e429030226350e136c101feb7b9e9db6f2e8463ea7a2f862b90900000006f992dac28a2416694c2c199c728d87a5d7ff42ea35df954fdb07a1c24e82cfc32ff46eb00735b7b78dd628ccb2a4720415a3f1faedc3cabdb171d20b8ccb4967a9e8711350de841f0bf4ffb296b057fd6c01f923904bb765c38272caba40e353fba9fe82656f809ccd8a91d3e93008f9257c95466a66bd5d31d6df266e9c9a394c59afe91ed674251d97a11faf6e820400000005a976dd1221846df66554c955e4ddf0e3c3fe387de79a3a965af6fdcef7de2dccc0311f82e0414c9e202241dc9bb78652ca64485a46e706140e19497e2ff801d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000d824cc73468c81b426c3c10ccfbc2f3c42b800d6547d10a93d74758fab93d6ae000000000e8000000002000020000000b9b8038417ea23d4e082e924d4acd0ded388533a48b0de3b82648918fefc16c22000000070dc7a1452a4c732bac800b43721138e892992da76f90e960f151c1ace102943400000005c6a33f0af5585eb98e9053003821a4847a12e1e5e31b1e1aea135041c655c579eb555bbacfb8c515c74d3e3b223c886d76d4c85416e96f3e30ee93a6e21038c C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70045ecd4b1fda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F84E2481-8B3E-11EE-888E-E6337F2BB1FD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.quantum\shell C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 2984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 912 wrote to memory of 2984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 912 wrote to memory of 2984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 912 wrote to memory of 2984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe

"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\README_TO_DECRYPT.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion udp

Files

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

MD5 1078b97fb2d214bae3d544af353da509
SHA1 7155ed424f32deb0bc44d7fd57bc81293ed20d62
SHA256 54496acc9bdfbb474dd0379d0a31ba38e8420b8d0bcf935c07b8e450ccf38485
SHA512 6545f697ad564bda980b1d98977199ede80d6a2ed101ee1eebc4ef4476124d5ab8529e7993ac35cbd36caa8724dabfcf7c9cd7fa4db89766f05e00436b807708

C:\Users\Admin\Documents\README_TO_DECRYPT.html

MD5 1078b97fb2d214bae3d544af353da509
SHA1 7155ed424f32deb0bc44d7fd57bc81293ed20d62
SHA256 54496acc9bdfbb474dd0379d0a31ba38e8420b8d0bcf935c07b8e450ccf38485
SHA512 6545f697ad564bda980b1d98977199ede80d6a2ed101ee1eebc4ef4476124d5ab8529e7993ac35cbd36caa8724dabfcf7c9cd7fa4db89766f05e00436b807708

C:\Users\Admin\AppData\Local\Temp\CabCA34.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarCAB5.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da19bc5a39ee75efa1d55cb8cfc21e21
SHA1 fca90de8445a55a95dd104e9e431b85ea085438a
SHA256 3e73f26b7a54cf99c01c4be64d7ab6f64e5c5fecd5e1213f9dad0b79c8a5f933
SHA512 cf160ba864f529d8e906ddf3b752f754b1e54524e98f719e3a8821a6d74a68b11a7430d834422d9b97f6b8c602a3552dd0b0b92a04b505d60c4c486dd3bb4e49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ea6b039dab6302f5909e816b50bf793
SHA1 de0ea96095400f728623db36e43cb7f5f546da9b
SHA256 b2239bfd37aaae8926832d42a779d1d7dfa834c87c16316c188544e47cf726ce
SHA512 801c325629c14e4de232eacd4600571ffc3c7e123130d34d93587fd00484d8533da7915c38024a46da77c93f76015379158403afeb467dc9e6ade381d00052ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72d73d24e81421a94d3576e2e77d493c
SHA1 d33c25c482ffa102367f8ff8bd384a00d954c955
SHA256 e4a73b4b252f80a4c0a64f548e27dbcd81d6eb3e2fd4ec4789600afbdb2143b3
SHA512 ac18bdd139934e1a6877e0f126224a656dd5a72f6ed7eeb19df4c7ff72e42aeaaba2ca2d7e2b65815bc744539434f1e3f83fa300ce1bf57e33eff39026a2f07f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 486fbfe4f83af1fec3a8f7c5855f6d6f
SHA1 acc1d632c79349aba272c08deec46a55d763992a
SHA256 1c84efe3a6549fe90363e8c10b2d73aa2df89c02658eb447cee1aa2c6427aa08
SHA512 06daeb54490afb5826b5dbef12ec0e58a6c71e7ed9f38b499e445386ef5973df58c7c18f03177304b5ca77072173a3e71451229d89a5c81398e4d978f28be020

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce47b8ff22f5cac73c55bd38d2b64954
SHA1 bc5bff01e5bb945d923d89d88cf915de86a6be04
SHA256 5f2ad27a39f313438f28558e597de07ddbcecbcf735520eee8f8fc89e3113565
SHA512 f3e708a2af6b4b40a02984deb3f582bf0e1c1f7044a10eba9bc1f32e6312761ecf49a56f6b80d924463e7a870fd434845ff7e50a2fabb61e7967cf165040e0a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82bf6f201961bbb26999da4086b34167
SHA1 700d04f996d8b5d34060a211395e2a77c54c9d6d
SHA256 c2e8390434531c924d140bf932d69a78126f674c8ceeeec8664e65ef4956298c
SHA512 0508381a2eec735fc73d375d620dca1f9b4ba5978b5bb32615ca25e32981a059aa986d35470afa17f6d093adc66be488cc6ea081a9e7605ce6b7c209f370b6da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d108e7884bee33cc33a4521d8a7ae52a
SHA1 186ab5f91bb7214706649e3999767866a6cbfedb
SHA256 5199032e34040dbf3bdd607df7db4ee32c227c847aea1c545d88d4f9463f7a69
SHA512 bba9ea98427b66efa92676e5350c12c3fbcb44d8fae082e18ccf127ac492bdab5545cbb552762180f7ef9e230364f4dade13a4954e7cd8b6d751d97dead5f7fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e00e34ea44090d2c1d57ae0c549265f2
SHA1 3e62f7aa6f6f13c7663fe25a5755ca782c62a74e
SHA256 74571c0e04b44b2db046753edeee7da0ae81e5c959ea133cb0b9edb4282fb8e4
SHA512 eef1a8670dc3866552081e311cd7034e162b2ffe5cfdff8f31c44f419fabd9eeded88f4b005579e8d6476df08910d36ae0f7f3a41d05c807872bac9961bbe29e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 720a3add29ed96a98e3329c63c59940b
SHA1 7596fc85f53a6b704b55491a10f68eaf99b89d39
SHA256 3bb77c58bff153fb30c44b180a6a5297a58086d76834fa3a218a868ea54e22ab
SHA512 244282d83cead49f7b33d1d52cbd67aa24225d13c11d1dd41cd769a1b4a0d45ed8193a7dd35311d42848bddf1de5f113f19c345f7800ceec1ecfdf11e3a92d42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a793d7562f9c6416515bd8a57256183c
SHA1 db4f399504c99eacc3a7ca72e479dc5c24753bf5
SHA256 d3b9e519f720e0fbde5c030cfc6aaa3aa095f1f6ceadd1d5be81a3b612b13c8d
SHA512 dc372c57b93c096bd0fdc7cc192dd559fed2a037ef4d927f7ef65ef4229a470f03538dbb4d84907eb414e230cc3a65243343c690129807ebb7bd60340b0b4240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7173d71bcf74f645a30b92435c4e35d
SHA1 88fff6a15ed25415fcd2b12f4aa35bc99fb12376
SHA256 801a7b7c4ac6da43f1c3f53250ea07de362a3470fea80e53754120a4fc93b162
SHA512 6acb9215aada232a66233c7725453349103404464fc5817897b1cdb476f4ac33f9dc4be1305bd0f0e0c662a6b4e1d8f8dcb99d55cc506ef896aabbc58b568f87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 202846aed54a09b7aff5cb4975aa9e25
SHA1 475fe160b6c9d65b055c627876633c4ba302e6f7
SHA256 d0a6d7c98aeb11284d89fda5d171b82368fc3192bddbb85e2648a9ba0ed2dade
SHA512 adb3afed6a019e4fa629f88bc070963ea12d68505fa52ed6ad2c5c29a6c00818db527e6e4e6c05faf416204f7bd854de2555c713de9aa319bd5e74bff0a6f48d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5af4680dee5af4042fa7a4e0f58a51e
SHA1 efecfcd8031e3db34ccd89840d2e7acf51ccc14b
SHA256 47bccbbd4757153143c9628e8c16177231f9181fa7dff1706e22e0844c2742e3
SHA512 f8f3c8c16417ad4592c918d135c0dfa98df87b30b6802528d45013d41aac73b2d01c7525898a159734d49fb8909e53732da9d5cb0a796576e7b85d2c3c04f76d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e392c7b4f9e013b92ad5c44ec60d69e
SHA1 fd3e7b7fed9a740b4f971f4ba945b4b1aff9cd28
SHA256 7d03c2545934c40113458b0b37b13fd7df076050bf08f3eaec7201067f6863e6
SHA512 7362038a1d46de9a1c03263ccc58e20e253aa5e03088f2221f3a138821197c388f12a07c648702e9b2caa4222639c9e02226d34ff78fbe512b8713a909f1dc1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6e3cef12f9223fb44e9318fbdff6cbe
SHA1 e7ce90331ff41b69dc22d02912f3704e1cbc5b88
SHA256 fd54087b7916cfd1d6b1da165b81885c2424699d511ef14a4ed89d4e6b47ef04
SHA512 f0db0a0e338aeb29c1b6a8af68a20528bb326f59c17118d7d27ef62a8367d866a7f3db3eb72aaf906e946ad40e0ed105624cbc0e505c521bb25300758accd938

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5244a2b65399d13a0575f6502220ad02
SHA1 56c53f5fb9d569bb423714de2159989705443dec
SHA256 5114c1ad3c73998d396b751edfd350b8b80d53cd8faec7cfe47af80439473c83
SHA512 74e53b410074ba73edb3d5971aa4f03f7abfb072512c2acf11af6aa25cf101a5f614aef9bee42006807fe8137c44b28d91b31e9029c0e1302dd8c85883116b81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d6ab48c60bce9106c826b765d4fa116
SHA1 06621fb586eab38d3261f75b8a917bfd165701ff
SHA256 18b1ea876a4deaa79cabe39740b454138e0852e16328bec727c3d1f873b5cb6f
SHA512 7d15305a56b48c43f747518cbd97d605a99b80bfd8170b070e2b4722ef5b647dc5799fffff3ccd9e24626f51bac94f47776ab0beb0da39b5c0851a9340562623

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 331b1942f78f00334e89cec0830557f9
SHA1 4480dc303ca6630016ad6380f8bc070d33258ce9
SHA256 2d4d6f10fb83110fe335e22b01c8f97822a5b20e63f7d5dca832ccbf3fc84a3f
SHA512 fd92a24148af1fdb7d3335391f123d371d325bccf939adbaa931c867efcc835cd85960b9ec2482efc2ed2b9a2c3abb1881389588c7600729f0db7e4203e3851d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a63fb11d1d808cd44220cb5f127b578
SHA1 16bae018fc84395eda02a6c19a0a8c1155dc1934
SHA256 053ec2c0c96f8bdd93507642b7478fe633b5481dccf83c9464728537b7e4fb4c
SHA512 ac58c1dcb642ef5d672ac16f1952d69b00f76ece8dbc645b2af0f283138137b2d38dadb844ba2c37f6645a892f80752ce376435570c3d9b4d654b4f73f3c8163

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfb380b65ee5985ed08421bbdb28d1f0
SHA1 0900a4df3313982dabb663cf7bd0cb2f64558371
SHA256 0759783cb0f9062d92a60beb8d771cd715013c326deb1cdfd6a14aead74d8ed6
SHA512 7f83f8946833ea1a404165513e3d2514c92e81f085815aecdf32772ccdf4223a56e44c9bfc241dff299e52a8b01b30317d72b2f0af5fa538e77f3585d6fa174e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e24118b156e85d9c3e4905dbf1400bd5
SHA1 e61814505576a23a53e0420f31c28cd61a42d0d7
SHA256 c6d1012f681a6f3ecc281e3e1824b8a3883074033bd2233afb75b34c53ead1a2
SHA512 abe10e50fc69696181c8a88c1861567a24ad6c92471d1ff9e983dafa5de4112cef6d99a6c128280a18c9c664c9c559e05ea2809633fe80f3d4d249ef4bd028b8

memory/3068-1118-0x000000002FB81000-0x000000002FB82000-memory.dmp

memory/3068-1119-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3068-1120-0x00000000709DD000-0x00000000709E8000-memory.dmp

C:\Users\Admin\Documents\Are.docx

MD5 8d1210fe51f6306ccaffac41171dd656
SHA1 33d8688e7e5abaf53e8a41685cd215bde89007c4
SHA256 947d4fe7be066e70174ae601a968bb08c93e37f5b0530efb8683b21d2e2370e6
SHA512 35fe0bf8ddfe909076ac4ab7247c473f210c695d4a5615688af6cb4905c3cd9705f9bdd6a4a48862cd666d89c80c912a0801147bbfd429911aa5a75c75029e69

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 f3b1f8b7435a675a5d3bd513df1e1001
SHA1 931068ac0cbdd9f264145c84583400f4ecce23c1
SHA256 3bd0ac1318ba3d7827ae1ca44ee3a331107117dbbc5c48002cbbb4729da0d0d7
SHA512 5312d6cc12734aa376b8c46fb1baf4965e93a4f07a24bbed9d6f01f286eff2351d2cdb2377bf4d3ddefcee741e70761210cca6f8e14adb19c21a412cb6588830

memory/3068-1143-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3068-1144-0x00000000709DD000-0x00000000709E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-25 03:01

Reported

2023-11-25 03:03

Platform

win10v2004-20231023-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"

Signatures

Quantum Ransomware

ransomware quantum

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
File opened for modification \??\c:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\.quantum\shell\Open\command C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\.quantum C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\.quantum\shell C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\.quantum\shell\Open C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe C:\Windows\system32\cmd.exe
PID 1504 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1504 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe

"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E580F3D.bat" "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe""

C:\Windows\system32\attrib.exe

attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\Contacts\README_TO_DECRYPT.html

MD5 37d37ee07cc60fb8778228cc0279d867
SHA1 f9aeef8388431d32d8ca871495ac5e30b9ed84c8
SHA256 a516094f8e9d015b7443b26f60c55d4da9ac878cfd2850402699a51504aa4457
SHA512 5e80b9a013ce5e8193247f218772593db0de9b5334b35a4a2007c25c433b772271f6fdd004cedfa38c4480913600c6e125ee89906f8c2c8d7b2938465677863d

C:\Users\Admin\AppData\Local\Temp\0E580F3D.bat

MD5 348cae913e496198548854f5ff2f6d1e
SHA1 a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256 c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611