Overview

Analysis tasks: sandbox score (out of 10), target as the report lists it (names are truncated in this copy and are left that way), platform.

Score  Target                 Platform
10     Static                 static
10     0225a30270...24.exe    windows10-1703-x64
3      0225a30270...24.exe    windows7-x64
7      0225a30270...24.exe    windows10-2004-x64
3      0225a30270...24.exe    windows11-21h2-x64
3      05072a7ec4...7f.exe    windows10-1703-x64
10     05072a7ec4...7f.exe    windows7-x64
10     05072a7ec4...7f.exe    windows10-2004-x64
10     05072a7ec4...7f.exe    windows11-21h2-x64
10     1fca1cd049...77.exe    windows10-1703-x64
1      1fca1cd049...77.exe    windows7-x64
1      1fca1cd049...77.exe    windows10-2004-x64
1      1fca1cd049...77.exe    windows11-21h2-x64
1      20bab94e6d...52.exe    windows10-1703-x64
1      20bab94e6d...52.exe    windows7-x64
1      20bab94e6d...52.exe    windows10-2004-x64
1      20bab94e6d...52.exe    windows11-21h2-x64
1      2704e269fb...66.exe    windows10-1703-x64
10     2704e269fb...66.exe    windows7-x64
10     2704e269fb...66.exe    windows10-2004-x64
10     2704e269fb...66.exe    windows11-21h2-x64
10     2cbb3497bf...2d.dll    windows10-1703-x64
10     2cbb3497bf...2d.dll    windows7-x64
10     2cbb3497bf...2d.dll    windows10-2004-x64
10     2cbb3497bf...2d.dll    windows11-21h2-x64
10     37546b811e...f6.exe    windows10-1703-x64
10     37546b811e...f6.exe    windows7-x64
10     37546b811e...f6.exe    windows10-2004-x64
10     37546b811e...f6.exe    windows11-21h2-x64
10     49d828087c...2d.exe    windows10-1703-x64
1      49d828087c...2d.exe    windows7-x64
1      49d828087c...2d.exe    windows10-2004-x64
1      49d828087c...2d.exe    windows11-21h2-x64
General

Target: Desktop.zip
Size: 14.2MB
Sample: 240518-s8bvwaag9y
MD5: a5ecde14c94b30dea5ad15347b436243
SHA1: ecf42b21df9d3e240f4acb0f145ccd23d2b2a36f
SHA256: 99cb0f92c60d88aadbb3e821f277ab51f6d8861c202cc1e16bb9ff0da10348a9
SHA512: e78dbfaf4fd23fe3d7811b884002fc19f380e4aa451ac389da5433621738ba89ecacff62c408fe82f07c1fe4edfafe785b890a55b67934dcf814f33df89f4678
SSDEEP: 393216:84DICqy0qRoFk0fTyf7VdVcBIqs7BmT/3zu2C3WB:8Btnk0fWfZoBIq2B6HC3G
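Before detonating or sharing the archive, recompute its digests and compare them with the values above; a single mismatch means it is not the package this report describes. The block below is an added example written for this page, not part of the sandbox report. It parses the label/value layout the report uses and compares every listed digest. The archive itself is not embedded, so the stand-in blob hashed at the end is constructed and will not match.

```python
import hashlib

# Copy of the report's General block for Desktop.zip in the layout it was extracted in
# (label line, value line, "-" separators). Constructed input for this example.
REPORT_GENERAL = """\
-
MD5
a5ecde14c94b30dea5ad15347b436243
-
SHA1
ecf42b21df9d3e240f4acb0f145ccd23d2b2a36f
-
SHA256
99cb0f92c60d88aadbb3e821f277ab51f6d8861c202cc1e16bb9ff0da10348a9
-
SHA512
e78dbfaf4fd23fe3d7811b884002fc19f380e4aa451ac389da5433621738ba89ecacff62c408fe82f07c1fe4edfafe785b890a55b67934dcf814f33df89f4678
"""

# Report label -> (hashlib algorithm name, expected hex length).
ALGOS = {
    "MD5": ("md5", 32),
    "SHA1": ("sha1", 40),
    "SHA256": ("sha256", 64),
    "SHA512": ("sha512", 128),
}


def parse_hash_block(text):
    """Pull the digest values out of a flattened label/value report block.

    Only a known label followed by a hex string of the right length is accepted,
    so stray "-" separators or unrelated lines cannot poison the result."""
    out = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines[:-1]):
        if ln in ALGOS:
            value = lines[i + 1].lower()
            _, hexlen = ALGOS[ln]
            if len(value) == hexlen and all(c in "0123456789abcdef" for c in value):
                out[ln] = value
    return out


def digest_all(data):
    """Compute the four digests the report lists, as lowercase hex."""
    return {label: hashlib.new(algo, data).hexdigest() for label, (algo, _) in ALGOS.items()}


def compare_with_report(data, expected):
    """Return {label: True/False} for every digest the report listed."""
    actual = digest_all(data)
    return {label: actual[label] == value for label, value in expected.items()}


def matches_report(data, expected):
    """Accept the file only when every listed digest matches; an empty
    expectation set is treated as a failure rather than a pass."""
    results = compare_with_report(data, expected)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    expected = parse_hash_block(REPORT_GENERAL)
    blob = b"not the real Desktop.zip"  # constructed stand-in, not the archive
    print(compare_with_report(blob, expected))
```

Compare on SHA256 (or SHA512) as the deciding value when you only have time for one; MD5 and SHA1 are kept here because the report lists them and because older tooling still keys on them.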
Behavioral tasks (sample, then task number and sandbox resource)

0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
  behavioral1: win10-20240404-en
  behavioral2: win7-20240221-en
  behavioral3: win10v2004-20240426-en
  behavioral4: win11-20240426-en

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
  behavioral5: win10-20240404-en
  behavioral6: win7-20240221-en
  behavioral7: win10v2004-20240508-en
  behavioral8: win11-20240426-en

1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
  behavioral9: win10-20240404-en
  behavioral10: win7-20240215-en
  behavioral11: win10v2004-20240508-en
  behavioral12: win11-20240426-en

20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
  behavioral13: win10-20240404-en
  behavioral14: win7-20240221-en
  behavioral15: win10v2004-20240226-en
  behavioral16: win11-20240508-en

2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
  behavioral17: win10-20240404-en
  behavioral18: win7-20240508-en
  behavioral19: win10v2004-20240508-en
  behavioral20: win11-20240508-en

2cbb3497bfa28d9966c1feeae96d452d.dll
  behavioral21: win10-20240404-en
  behavioral22: win7-20240508-en
  behavioral23: win10v2004-20240508-en
  behavioral24: win11-20240426-en

37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
  behavioral25: win10-20240404-en
  behavioral26: win7-20240508-en
  behavioral27: win10v2004-20240226-en
  behavioral28: win11-20240426-en

49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
  behavioral29: win10-20240404-en
  behavioral30: win7-20240508-en
  behavioral31: win10v2004-20240426-en
  behavioral32: win11-20240426-en
Malware Config

Extracted: agenda
company_id: gBBQsRxAcQ
note (line breaks and list separators restored; wording as extracted):
-- Qilin
Your network/system was encrypted. Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network.
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: gBBQsRxAcQ
Domain: ru3q4ftbaqmpobhamqlnseorxywhhmqwhzx4pv4sqaacqz4m2ptleiid.onion
login: 2200ffdb-68c4-43ed-83d8-52fe9d4d7a03
password:

Extracted: C:\info.hta (listed four times in the report, once per run it was recovered from). The HTA note's contact e-mail addresses are not recoverable from this copy, where they appear only as the placeholder [email protected]; the only other content that survived extraction is the HTML 4.01 strict DOCTYPE reference http://www.w3.org/TR/html4/strict.dtd.

Extracted: C:\README_TO_DECRYPT.html (family: quantum)
Extracted: C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\README_TO_DECRYPT.html (family: quantum)
Extracted: C:\Users\Admin\3D Objects\README_TO_DECRYPT.html (family: quantum)
Extracted: C:\README_TO_DECRYPT.html (family: quantum)
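The agenda note above carries the indicators an analyst actually needs from it: the victim-specific extension (which should equal the company_id the sandbox extracted), the v3 .onion negotiation site, the login UUID, and the one clearnet URL. The extractor below is an added example written for this page, not code from the sandbox or from any ransomware tooling; it works on an excerpt of the note (the "[...]" marks text left out here, not in the original) and uses only the fields visible in the report.

```python
import re

# Excerpt of the extracted "agenda" note, copied from the report above. Constructed
# input for this example; "[...]" stands for the parts not repeated here.
NOTE = (
    "-- Qilin Your network/system was encrypted. Encrypted files have new extension. "
    "[...] -- Recovery 1) Download tor browser: https://www.torproject.org/download/ "
    "2) Go to domain 3) Enter credentials -- Credentials Extension: gBBQsRxAcQ "
    "Domain: ru3q4ftbaqmpobhamqlnseorxywhhmqwhzx4pv4sqaacqz4m2ptleiid.onion "
    "login: 2200ffdb-68c4-43ed-83d8-52fe9d4d7a03 password:"
)
COMPANY_ID = "gBBQsRxAcQ"  # the config field the sandbox extracted next to the note

# v3 onion labels are 56 base32 chars; the 16-char form is the retired v2 format.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b")
UUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# "Label: value" pairs as they appear in the note's Credentials block.
FIELD_RE = re.compile(r"\b(Extension|Domain|login|password):\s*(\S*)")


def extract_iocs(note):
    """Return the indicators from a Qilin/Agenda-style note as a plain dict."""
    fields = {label.lower(): value for label, value in FIELD_RE.findall(note)}
    onions = sorted({m.group(0) for m in ONION_RE.finditer(note)})
    return {
        "group": "Qilin" if "Qilin" in note else None,  # taken from the note header
        "extension": fields.get("extension"),
        "onion_domains": onions,
        "onion_v3": [d for d in onions if len(d) == 56 + len(".onion")],
        "login": fields.get("login"),
        "password": fields.get("password") or None,  # empty in this sample
        "clearnet_urls": sorted(set(URL_RE.findall(note))),
        "victim_ids": UUID_RE.findall(note),
    }


def extension_matches_company_id(iocs, company_id):
    """Cross-check: the extension the note advertises should be the company_id
    the sandbox pulled from the configuration."""
    return iocs["extension"] == company_id


if __name__ == "__main__":
    iocs = extract_iocs(NOTE)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("extension == company_id:", extension_matches_company_id(iocs, COMPANY_ID))
```

The onion domain and the login UUID are per-victim values; block the domain, but do not treat the UUID as a family-wide indicator. The torproject.org URL is benign and is returned only so it can be excluded deliberately rather than by accident.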
Targets

Target: 0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224
Size: 1.5MB
MD5: 07563c3b4988c221314fdab4b0500d2f
SHA1: a5f53c9b0f7956790248607e4122db18ba2b8bd9
SHA256: 0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224
SHA512: e0264bf772ba43377d1dcdc95dccdacc16ccafee28e8d91a9d532cf2383b0d1ad43625cd0b09555018583db796a59603ad12d568e2aea154594b5d02248d0ecb
SSDEEP: 12288:+OFevZPYI+MbO7NkfWcIV8wZ9CeqFrOdS2KCwILo2bx9I5Nweb/yCdwO4Pzjzbf4:jFaoccQ7XUCdw1X32ekwVXeU+
Score: 7/10
Signatures:
- Loads dropped DLL
Target: 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f
Size: 1.4MB
MD5: 0ada88218b67a313a4f5ab0062fbc4e6
SHA1: 15dfcef932d666fdc7501bcee357ec2aabfcfdee
SHA256: 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f
SHA512: 0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed
SSDEEP: 24576:J6w15zVAFj5WEx9+22sHFXVYmLmYy+vz236ZSV8BGxon3sgGhzl1KsIVy:QsV85WU9+ElYmyZMz23sSyBGdgelIsj
Signatures:
- Modifies WinLogon for persistence
- Deletes shadow copies. Ransomware deletes Volume Shadow Copies so that the encrypted files cannot be rolled back from local snapshots; the deletion usually precedes encryption and is a strong early indicator.
- Renames multiple (95) files with added filename extension. Appending a new extension to many files in a short time is the visible side effect of encrypting them.
- Disables Task Manager via registry modification
- Checks computer location settings. Reads the country code configured in the registry, most likely as a geofence.
- Drops desktop.ini file(s)
- Modifies WinLogon
- Sets desktop wallpaper using registry
Target: 1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577
Size: 9.3MB
MD5: f9481915373852640150ffe98e7218ab
SHA1: 682fa27b596bab8fc5b7f2a0c002447e6e2f1f6b
SHA256: 1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577
SHA512: 71c8bb648323818529ef1de610c6d60ea9610407636a4d4305409451fa5591ec2d27b6e0acc573a0d08c20a454b69fed269b281f9319e5ff931d3fa465c22908
SSDEEP: 98304:m39m4olnLynE2TIx7cEsnRIiTgQQwfZtqifsjEiwkA+DUg47V6pH/LZAtpla02dC:m39GlmjTzEsKmBttRiA+4GJtAZa088V
Score: 1/10
Signatures: none listed
Target: 20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352
Size: 3.3MB
MD5: bc292d6f5c3ed8bf4165eb5b2c88fede
SHA1: acf5a996668cc5f90ca677c19587e568f41fbdfa
SHA256: 20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352
SHA512: e66a5af265785031c3126ac13927101295b6b3e8024eef434004c8eb7ba05f38866a84282551c93a5b96e63cbcccd34623e9b28f9975a3ab68cf51ebb9727b69
SSDEEP: 49152:F+qq5l3uaUp/rb/TuvO90dL3BmAFd4A64nsfJp9xTq91OmwwasZV45El0gPup6vb:M35yQcZvE4wY
Score: 1/10
Signatures: none listed
Target: 2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
Size: 55KB
MD5: 9376f223d363e28054676bb6ef2c3e79
SHA1: aed68cfa282ec2b0f8a681153beaebe3a17d04ee
SHA256: 2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
SHA512: bcff01de14993db92551e661b34591860bc2bc4ffea5d79e337b1c2c4a43f42ffc872cd88414079b5792de031ac46a18e91c42195338314fcdb300831668a1bb
SSDEEP: 1536:hNeRBl5PT/rx1mzwRMSTdLpJgL0UHg1tuP4ib:hQRrmzwR5JS0UA1Rib
Signatures:
- Deletes shadow copies. Ransomware deletes Volume Shadow Copies to block local recovery of the encrypted files.
- Modifies boot configuration data using bcdedit. The report does not show the command line; ransomware typically uses bcdedit to turn off Windows recovery and the startup-repair prompt so the machine boots straight into the encrypted state.
- Renames multiple (444) files with added filename extension. Mass renaming to a new extension is the visible side effect of file encryption.
- Modifies Windows Firewall
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
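The signatures on this sample and on 05072a7ec4... above (shadow copy deletion, bcdedit tampering, firewall changes, mass rename with an appended extension) are all detectable from process command lines and file-rename telemetry. The block below is an added example written for this page, not code from the sandbox: it runs those four checks over constructed events in a simplified EDR-style schema (the "process" records hold what Sysmon event ID 1 would give you; the "rename" records are a hypothetical file-activity feed). The command-line patterns are the well-known forms of those commands and are not taken from this report, which does not show what these samples executed; the appended extension in the constructed renames is the company_id from the agenda config above, and the alert threshold is a parameter, not the sandbox's.

```python
import re
from collections import Counter, defaultdict

# Constructed telemetry (not a real Sysmon export). pid 4312 plays the ransomware,
# pid 880 and 2100 are benign noise.
EVENTS = [
    {"type": "process", "pid": 4312, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "pid": 4312, "cmdline": "wmic.exe shadowcopy delete"},
    {"type": "process", "pid": 4312, "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"type": "process", "pid": 4312, "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "process", "pid": 4312, "cmdline": "netsh.exe advfirewall set allprofiles state off"},
    {"type": "process", "pid": 880, "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs"},
] + [
    {"type": "rename", "pid": 4312,
     "old": f"C:\\Users\\Admin\\Documents\\report{i}.docx",
     "new": f"C:\\Users\\Admin\\Documents\\report{i}.docx.gBBQsRxAcQ"}
    for i in range(30)
] + [
    {"type": "rename", "pid": 2100, "old": "C:\\tmp\\a.txt", "new": "C:\\tmp\\b.txt"},
]

# Command-line patterns behind "Deletes shadow copies", "Modifies boot configuration
# data using bcdedit" and "Modifies Windows Firewall". Well-known forms, chosen here.
CMD_RULES = {
    "deletes_shadow_copies": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"wbadmin(\.exe)?\s+delete\s+catalog|win32_shadowcopy.{0,80}\.delete\(\))", re.I),
    "modifies_bcd_recovery": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "modifies_firewall": re.compile(
        r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|"
        r"firewall\s+set\s+opmode\s+(mode=)?disable)", re.I),
}


def match_command_lines(events):
    """Return {rule_name: [pid, ...]} for every process event whose command line matches."""
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] != "process":
            continue
        for name, rx in CMD_RULES.items():
            if rx.search(ev["cmdline"]):
                hits[name].append(ev["pid"])
    return dict(hits)


def added_extension(old, new):
    """If `new` is `old` with exactly one ".ext" appended (the ransomware rename
    pattern), return ext; any other rename returns None."""
    if new.startswith(old + ".") and len(new) > len(old) + 1:
        ext = new[len(old) + 1:]
        return ext if "\\" not in ext and "." not in ext else None
    return None


def mass_rename_by_extension(events, threshold):
    """Mirror "Renames multiple (N) files with added filename extension": count renames
    per (pid, appended extension) and return those at or above the threshold."""
    counts = Counter()
    for ev in events:
        if ev["type"] == "rename":
            ext = added_extension(ev["old"], ev["new"])
            if ext:
                counts[(ev["pid"], ext)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def triage(events, threshold=20):
    """Combine both detectors and name the processes worth isolating."""
    cmd = match_command_lines(events)
    renames = mass_rename_by_extension(events, threshold)
    suspects = {pid for pids in cmd.values() for pid in pids} | {pid for pid, _ in renames}
    return {"command_line_hits": cmd, "mass_renames": renames, "suspect_pids": sorted(suspects)}


if __name__ == "__main__":
    print(triage(EVENTS))
```

The rename detector keys on (pid, extension) so one process touching many files with the same new suffix stands out, while a user renaming a handful of files with different names does not; tune the threshold to the host's normal file churn, and treat any shadow-copy or bcdedit hit as an alert on its own, since those commands have almost no legitimate interactive use.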
Target: 2cbb3497bfa28d9966c1feeae96d452d (DLL; the report names it by its MD5)
Size: 1.6MB
MD5: 2cbb3497bfa28d9966c1feeae96d452d
SHA1: 9ef94c7d3fedc71bb3ed1abf542dfc7ec692883d
SHA256: 85c3b718090144dadeb8035ac287d46b9d3458f9de409229217d42a475f42868
SHA512: eed7b210655030b3855f7a20f3bc7aecf8b927a33dfdaefe1d769fa42cbf7c88b1e8ab625f7258a79d2625e06005d25b03691fe911330876ae9e7f916ab2fe4c
SSDEEP: 24576:KlQyNmMnq70NDxLOd0+UU1Thef1HrmP1D2:KlQyNmMq70NDROd0+UU1ThoHrA
Score: 10/10
Signatures:
- Quantum Ransomware. A rebrand of the MountLocker ransomware, first seen in August 2021. The README_TO_DECRYPT.html notes tagged quantum under Malware Config belong to this family.
- Deletes itself
- Drops desktop.ini file(s)
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive, i.e. it looks for additional volumes to encrypt.
Target: 37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6
Size: 1.6MB
MD5: 14dec91fdcaab96f51382a43adb84016
SHA1: a85d9d2a3913011cd282abc7d9711b2346c23899
SHA256: 37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6
SHA512: ee1b721bc6b6ade20544274cc56896d1b39126351be630807adc398c1fa68cd8612acd743caecb2abbef9c0aaaddfe2a3af111d9bc93e8ef3fc4a8d4d0cfb565
SSDEEP: 24576:7BzG7bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khbkyITnoXlIEvXX:746Rvik2VUKnzhQ4tkWXUy
Score: 10/10
Signatures:
- Agenda Ransomware. A ransomware family with multiple variants written in Golang and Rust, first seen in August 2022. The operation now uses the Qilin name, which is the header of the agenda note extracted under Malware Config.
Target: 49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d
Size: 389KB
MD5: ba95a2f1f1f39a24687ebe3a7a7f7295
SHA1: b4da6af343b27594fee7109a02ef699ba52f6e46
SHA256: 49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d
SHA512: 4611ac65840c3ecee27f8821705f378de09ddbf1130476517f857abf3b1cf0f169ca618c82cc905d56f224019dbb01795ca458453a64cc51e100f7bbfc2781ee
SSDEEP: 6144:SKmb+LOzyGKPCVqlea2MqxOnsAOK1RUa+jE6S3qVFvxTn:SfaLQyGK6kAa2XgsA1RUa+jE6S3qRT
Score: 1/10
Signatures: none listed
MITRE ATT&CK Enterprise v15 (technique, with the number of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (7)