Overview

overview

10

Static

static

3

2cbb3497bf...2d.dll

windows7-x64

10

2cbb3497bf...2d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04-02-2024 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2cbb3497bfa28d9966c1feeae96d452d.dll

  • Size

    1.6MB

  • MD5

    2cbb3497bfa28d9966c1feeae96d452d

  • SHA1

    9ef94c7d3fedc71bb3ed1abf542dfc7ec692883d

  • SHA256

    85c3b718090144dadeb8035ac287d46b9d3458f9de409229217d42a475f42868

  • SHA512

    eed7b210655030b3855f7a20f3bc7aecf8b927a33dfdaefe1d769fa42cbf7c88b1e8ab625f7258a79d2625e06005d25b03691fe911330876ae9e7f916ab2fe4c

  • SSDEEP

    24576:KlQyNmMnq70NDxLOd0+UU1Thef1HrmP1D2:KlQyNmMq70NDROd0+UU1ThoHrA

Score
10/10
quantumransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html

Family

quantum

Ransom Note
<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <b> <pre> f5de48b476c53833c47bc3b7c594420222d1b325c8947f3ebdf3164bbef62934 </pre> </b> <hr/> This message contains an information how to fix the troubles you've got with your network.<br><br> Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content.<br> The only way to get files back is a decryption with Key, provided by the Quantum Locker.<br><br> During the period your network was under our control, we downloaded a huge volume of information.<br> Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data.<br> Publishing of such data will cause serious consequences and even business disruption.<br><br> It's not a threat, on the contrary - it's a manual how to get a way out.<br> Quantum team doesn't aim to damage your company, our goals are only financial.<br><br> After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points.<br> If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc.<br><br> To contact our support and start the negotiations, please visit our support chat.<br> It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420222d1b325c8947f3ebdf3164bbef62934">http://lsxkornhwiuchwvtrm2ru2hr25rovmyvrurgej7kwv3vd6rvbznpdwid.onion/?cid=f5de48b476c53833c47bc3b7c594420222d1b325c8947f3ebdf3164bbef62934</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Signatures

  • Quantum Ransomware

    A rebrand of the MountLocker ransomware first seen in August 2021.

    ransomwarequantum
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 32 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#1
      2⤵
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F76D9AC.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"
          4⤵
          • Views/modifies file attributes
          PID:636
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\README_TO_DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html
    Filesize

    2KB

    MD5

    5de1f91f5692968ceaffa99e8cb58034

    SHA1

    65acc61eb9806f44d9ed790b4e03ab7962a318da

    SHA256

    5ec7a54192571e3d4fea6bce262716e2dcde520ad96d20ceec6f96d38dee3c17

    SHA512

    22409dcd15094ff29293ddbcd3373ab0a70cc19bc51a4b2bf85a94e72e9f9b1e2c64428e0472242f6ea3ec7a1ea7a1a44fff1b467dba43c39a9336d76177448d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    252B

    MD5

    0ed3b65a3371f91991619b08adb27ef1

    SHA1

    0bd7fa10cd46d28ad5f8856fcdec46179c3064b3

    SHA256

    85b602f169ce4723ff470c002dbd4c2b73009e4c0121f36f962759c84b4931f8

    SHA512

    d3f799d1fd3721664256692dc2e242567093d8c5dec1c0939e3d55fe7cda79d74bfe5fa4f66f04b54cebf08d8dc25ccc1be8f946e7f2e15ce6826891192942e9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0cf55624334dd031bd8cbf1044893b98

    SHA1

    64dd976d8c5190535632844b4e2f321f5d71ccca

    SHA256

    df434d84d1083b14d5e6424d517bb1ba93b5eebedbd350c0dd356e5333e1e10d

    SHA512

    07f0f1fbeb87ab53b7f1fc369dd49ee59848bcc9fbefed6382810342125332e39e232acede584131432e2e0f52988f1d36855c907816aaaae108895e70ceafaa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fccd585015a1658fc4fead65cedb753c

    SHA1

    bff28e0ff1cca9639e708554494c46fd13e20e8d

    SHA256

    466c3adf085a513876d6813e6b797580b65beed5cc12623f0d72910f3d501abc

    SHA512

    6480e2088b798819f477a209b2f55a36f566494b76b41e99a6ec8db7eadbc6be190c456725a9c3e105a3241b4b27246d035c6b6bd80ece98ae53905dc97d0ffb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9592f9c4566a25933f689e81a4c9a808

    SHA1

    e9b0319f81e377d44b6a7ce909215fd9e435a183

    SHA256

    f57b557b6e3b168447364085213245f2c3ccb47d44e1d601ace8c4dc2b4fab51

    SHA512

    4cbd76d4612eb1cc4b774501887eff490ae3a234c27f9fd53a88029c5a240aabf8e9fc6d8410a9dd4dfcb9f120fb1d66d7e0073806df311c1a15109d4534f94d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b2610bbd0fd1f6c09830c3682c49dc57

    SHA1

    d801c9cbe3e014fcfd0ab30efe6c583532268da7

    SHA256

    7650923fd5b5e8ffc2b09ecd49ccf272092237e20b60f59fa9f474101cd6d64e

    SHA512

    eaa994195b84befddbb9ca554f10a3a4831218a1255f2e0972f88acaabf64a634ce40fee064d517280cc5e28a98ab081d6d1b6d01c573177d1960eccb3e9594d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a4dda43201bc1c6e1bcb9a9a0a9fa3d3

    SHA1

    2d92437890285cefe156fe24faa3d5a78bd0c95a

    SHA256

    cbd9560ca9646c0ea6e77c23fa86740d0de929c4b93f46ca652d84ab5f830134

    SHA512

    5886049f5e794f7d7991106ddb700ca50c4657e7f3bdc29fd5a33e557a1a15df7cf269322a6b9388e788ccbcd0bd7a843b70da8ae41b953248252c3784e05ba1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    eb6aeb9cb19c771566f0840ae5ad2cbf

    SHA1

    343178a82044de188d3f023b7113a0be23a2bebf

    SHA256

    32a0b46b8fec22d0b19af6111a074908a47928b236972bf201c2d16edeafa1fd

    SHA512

    1cd9d19f3b091582d572178ca322510c3cd56bf5ec30640ca2552d3775d8ede88130089645e60000d5654ff39d8958073bb4edae3756ddac995e7d25239fe46e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    049a6604d88c5a081e74fccadf42c5a6

    SHA1

    0831a75581bbcb7969a4a7b29b84fbf4b35a8383

    SHA256

    853daf51db25855c1f7495d9d5d24c65eb05e794b87415723fb24d2573e0a525

    SHA512

    18f74ca1f87c2d1c4df346f7d14859745f630381024ca97dee2db6071ff472e8d7a6acff892a5c6a4a762bbe5102142d2b4ae8461fc509653793d719faaf09f9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    c2660bcd31d2401376b743323e09fa79

    SHA1

    c3d85f581efbaf3d8dbf2fe0c06b5fed29fd1f4a

    SHA256

    99723f2b1630f16a412ceab1956c7a8b1c21a973532d12ff21ab37d4abd7373e

    SHA512

    13f475943551c764910545b3c9ce3dee01bc04b2c89ec7d4945fb8c96d74b4029de619c233c05deefa0abf2fd130c698bba7166c815d7376395c8907f410026f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\0F76D9AC.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar267A.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • memory/2036-8-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-27-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-554-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-537-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-474-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-0-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-26-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-543-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-45-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-44-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-7-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-4-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-2-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/2036-1-0x0000000000500000-0x00000000005D1000-memory.dmp

    Filesize

    836KB

    Download