Analysis Overview
SHA256
686c57db4eb63748c3ddfcfdecc9258e47fa0dc62762ffd4c0519f4a92d074dd
Threat Level: Known bad
The file 686c57db4eb63748c3ddfcfdecc9258e47fa0dc62762ffd4c0519f4a92d074dd was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Deletes itself
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-04 18:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 18:26
Reported
2024-02-04 18:28
Platform
win10v2004-20231222-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Quantum Ransomware
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.quantum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.quantum\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.quantum\shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.quantum\shell\Open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1880 wrote to memory of 1064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1880 wrote to memory of 1064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1880 wrote to memory of 1064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1064 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1064 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1064 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2968 wrote to memory of 3692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
| PID 2968 wrote to memory of 3692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
| PID 2968 wrote to memory of 3692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E578C90.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""
C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/1064-0-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-4-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-3-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-10-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-13-0x0000000001F00000-0x0000000001FD1000-memory.dmp
C:\Recovery\WindowsRE\README_TO_DECRYPT.html
| MD5 | b0c287170ce4d76de772541fb1e07af9 |
| SHA1 | 8deac84cebf47496091daf7234a5a8e652dac41c |
| SHA256 | c49df7683e7a93c8bb3f8894ed2da8c0aded33b78f56f5fc65137ac9aca67746 |
| SHA512 | 4508a33f7f5f07acd69d3435c7293db390fdaa7f3b754e7b81b3eb16c14ea1ced372898c3363cb9d5a2a0621a35b34a1b0cfa0f86016007630077587e7bfb8fb |
memory/1064-118-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-53-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-1-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-127-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-129-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-1141-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-1144-0x0000000001F00000-0x0000000001FD1000-memory.dmp
memory/1064-1150-0x0000000001F00000-0x0000000001FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E578C90.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 18:26
Reported
2024-02-04 18:28
Platform
win7-20231215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Quantum Ransomware
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EW3J74TG\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TNEMG9GL\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VFIJ47B3\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\V17S5RKJ\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\f: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\README_TO_DECRYPT.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.quantum\shell\Open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.quantum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.quantum\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.quantum\shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F772C6D.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""
C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"
Network
Files
memory/2392-0-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-1-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-2-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-4-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-6-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-7-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-8-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-17-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-26-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-16-0x0000000000960000-0x0000000000A31000-memory.dmp
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html
| MD5 | bc8488c86ea588f7ff8bcdddabd26d6a |
| SHA1 | 56b5128957664b48d9bfa75ee3b9304c2d86007c |
| SHA256 | 53703a38c75a4dc3f5c8be7a7a85b708196122d31de3e95b24f2c96b9833a8e6 |
| SHA512 | 4f5f61f23fcfbca8fce0e37f6447e2bdbab2635e9f9890463a26ddee0a12015c74b82b896fd0e923acbb568d1ceacaaf7c0557dec4ffa94f766f5074b44ffe69 |
memory/2392-360-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-361-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-568-0x0000000000960000-0x0000000000A31000-memory.dmp
memory/2392-579-0x0000000000960000-0x0000000000A31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0F772C6D.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
memory/2392-590-0x0000000000960000-0x0000000000A31000-memory.dmp