Analysis Overview
SHA256
fd7ca7af9b2b6c5ffdb3206d647301de8bea33a69679e117be30e9a601c5dea2
Threat Level: Known bad
The file fd7ca7af9b2b6c5ffdb3206d647301de8bea33a69679e117be30e9a601c5dea2 was found to be: Known bad.
Malicious Activity Summary
Quantum Ransomware
Deletes itself
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 15:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 15:07
Reported
2024-04-10 15:09
Platform
win7-20240319-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Quantum Ransomware
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G5DX35ZA\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6ZEZX6DE\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P8PFHBEX\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QY1C4128\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Windows\system32\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\system32\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\README_TO_DECRYPT.html | C:\Windows\system32\rundll32.exe | N/A |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\.quantum | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1192 wrote to memory of 2784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 1192 wrote to memory of 2784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 1192 wrote to memory of 2784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 2784 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 2784 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 2784 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd7ca7af9b2b6c5ffdb3206d647301de8bea33a69679e117be30e9a601c5dea2.dll,#1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F76B819.bat" """
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
Network
Files
memory/1192-0-0x0000000000180000-0x0000000000198000-memory.dmp
memory/1192-1-0x0000000000180000-0x0000000000198000-memory.dmp
memory/1192-2-0x0000000000180000-0x0000000000198000-memory.dmp
memory/1192-4-0x0000000000180000-0x0000000000198000-memory.dmp
memory/1192-9-0x0000000000180000-0x0000000000198000-memory.dmp
memory/1192-8-0x0000000000180000-0x0000000000198000-memory.dmp
memory/1192-7-0x0000000000180000-0x0000000000198000-memory.dmp
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html
| MD5 | c9450a9e98cf34a0fb4f3c5cbae32b1e |
| SHA1 | 4a20872dabe77b6ea1e953c40f2d51c8f291347c |
| SHA256 | b7a9b8438d376a9508205ebf25518f66960cf6fece75ed64e74ab97a8320e8c0 |
| SHA512 | 1ebeb31944f1d0089e1f2c52ed0de0d8165ad582d8b089cfd324b1c91b0b832febd7f22091f89cdf9f719cd731dec80a4962cbc39f06a34120cb8f4418f5ebfb |
memory/1192-439-0x0000000000180000-0x0000000000198000-memory.dmp
memory/1192-601-0x0000000000180000-0x0000000000198000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0F76B819.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
memory/1192-612-0x0000000000180000-0x0000000000198000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.log
| MD5 | 87086d179f5b6f2cc1edbeed96f6a9de |
| SHA1 | 37f1e7c92e9c6990f74385900e2f4aca0b57f0e7 |
| SHA256 | 214f8f4d79a8d2ad4dcdd6a1ea109e14d56f7c1113559121959407f09c8381a1 |
| SHA512 | 4ac85aafa9d7fd2e2d550838d4f9920e7cc661b0a4759de95f77ca4042913bff128ccb73a2521f716e6e2ce6037de9a61338d6531cb903d86ced26e827b09b95 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 15:07
Reported
2024-04-10 15:09
Platform
win10v2004-20240226-en
Max time kernel
115s
Max time network
142s
Command Line
Signatures
Quantum Ransomware
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Windows\system32\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files\README_TO_DECRYPT.html | C:\Windows\system32\rundll32.exe | N/A |
| File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.quantum\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.quantum\shell\Open | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.quantum\shell\Open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.quantum | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3176 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 3176 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe |
| PID 4600 wrote to memory of 2784 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 4600 wrote to memory of 2784 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd7ca7af9b2b6c5ffdb3206d647301de8bea33a69679e117be30e9a601c5dea2.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2796 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E587C4F.bat" """
C:\Windows\system32\attrib.exe
attrib -s -r -h ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
Files
memory/3176-0-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-1-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-6-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-4-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-2-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-43-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-41-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-44-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
C:\Recovery\WindowsRE\README_TO_DECRYPT.html
| MD5 | ee02571ac1de418bd5b692b348dacfad |
| SHA1 | 9533efbc0cb7f77e1250da9e2d497c728c9c0ff1 |
| SHA256 | 6e2c184f6d35a30803beac896191b2c77be9e56dab52c4d993ace752d15531e2 |
| SHA512 | 1f98214e9bc8044b07d91f5b0348a5b7e123fb0d60907b50ef4ff59a8297d68479a55e6de316fc8f35c89f36546084fbb28d8840e65c0a3032cb68a6c2e6690f |
memory/3176-12-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-769-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-774-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-831-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-1380-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
memory/3176-1388-0x000001B49FC60000-0x000001B49FC78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E587C4F.bat
| MD5 | 348cae913e496198548854f5ff2f6d1e |
| SHA1 | a07655b9020205bd47084afd62a8bb22b48c0cdc |
| SHA256 | c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506 |
| SHA512 | 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611 |
C:\Users\Admin\AppData\Local\Temp\.log
| MD5 | a8253125b89bb39d67a2f0926c176eca |
| SHA1 | 9b618b3355b03a0dbd7f2008505b1434969b1392 |
| SHA256 | bd9ee58f751e7bf2eef1b10df8a9fc2574d0deffd7d4291efa9094dffbc5b361 |
| SHA512 | 49e61f4036f4cb6b5e8f1c746a3f254a8f23dbfb36267f42b66d07e6340a43fe263d3f9c91415da2c2da41d7ef2e42bd0fe1c72f987c010aa357d936216cfe2e |