Overview
overview
10Static
static
100225a30270...24.exe
windows10-1703-x64
30225a30270...24.exe
windows7-x64
70225a30270...24.exe
windows10-2004-x64
30225a30270...24.exe
windows11-21h2-x64
305072a7ec4...7f.exe
windows10-1703-x64
1005072a7ec4...7f.exe
windows7-x64
1005072a7ec4...7f.exe
windows10-2004-x64
1005072a7ec4...7f.exe
windows11-21h2-x64
101fca1cd049...77.exe
windows10-1703-x64
11fca1cd049...77.exe
windows7-x64
11fca1cd049...77.exe
windows10-2004-x64
11fca1cd049...77.exe
windows11-21h2-x64
120bab94e6d...52.exe
windows10-1703-x64
120bab94e6d...52.exe
windows7-x64
120bab94e6d...52.exe
windows10-2004-x64
120bab94e6d...52.exe
windows11-21h2-x64
12704e269fb...66.exe
windows10-1703-x64
102704e269fb...66.exe
windows7-x64
102704e269fb...66.exe
windows10-2004-x64
102704e269fb...66.exe
windows11-21h2-x64
102cbb3497bf...2d.dll
windows10-1703-x64
102cbb3497bf...2d.dll
windows7-x64
102cbb3497bf...2d.dll
windows10-2004-x64
102cbb3497bf...2d.dll
windows11-21h2-x64
1037546b811e...f6.exe
windows10-1703-x64
1037546b811e...f6.exe
windows7-x64
1037546b811e...f6.exe
windows10-2004-x64
1037546b811e...f6.exe
windows11-21h2-x64
1049d828087c...2d.exe
windows10-1703-x64
149d828087c...2d.exe
windows7-x64
149d828087c...2d.exe
windows10-2004-x64
149d828087c...2d.exe
windows11-21h2-x64
1Analysis
-
max time kernel
315s -
max time network
1608s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
18-05-2024 15:47
Behavioral task
behavioral1
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win11-20240426-en
Behavioral task
behavioral5
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win11-20240426-en
Behavioral task
behavioral9
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win7-20240215-en
Behavioral task
behavioral11
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win11-20240426-en
Behavioral task
behavioral13
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win11-20240508-en
Behavioral task
behavioral17
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10-20240404-en
Behavioral task
behavioral18
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win7-20240508-en
Behavioral task
behavioral19
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win11-20240508-en
Behavioral task
behavioral21
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10-20240404-en
Behavioral task
behavioral22
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win11-20240426-en
Behavioral task
behavioral25
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10-20240404-en
Behavioral task
behavioral26
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win7-20240508-en
Behavioral task
behavioral27
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral28
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win11-20240426-en
Behavioral task
behavioral29
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10-20240404-en
Behavioral task
behavioral30
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win7-20240508-en
Behavioral task
behavioral31
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral32
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win11-20240426-en
General
-
Target
2cbb3497bfa28d9966c1feeae96d452d.dll
-
Size
1.6MB
-
MD5
2cbb3497bfa28d9966c1feeae96d452d
-
SHA1
9ef94c7d3fedc71bb3ed1abf542dfc7ec692883d
-
SHA256
85c3b718090144dadeb8035ac287d46b9d3458f9de409229217d42a475f42868
-
SHA512
eed7b210655030b3855f7a20f3bc7aecf8b927a33dfdaefe1d769fa42cbf7c88b1e8ab625f7258a79d2625e06005d25b03691fe911330876ae9e7f916ab2fe4c
-
SSDEEP
24576:KlQyNmMnq70NDxLOd0+UU1Thef1HrmP1D2:KlQyNmMq70NDROd0+UU1ThoHrA
Malware Config
Extracted
C:\README_TO_DECRYPT.html
quantum
Signatures
-
Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
-
Drops desktop.ini file(s) 24 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Searches\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Libraries\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Music\desktop.ini rundll32.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\f: rundll32.exe -
Drops file in Program Files directory 2 IoCs
Processes:
rundll32.exedescription ioc process File created \??\c:\Program Files\README_TO_DECRYPT.html rundll32.exe File created \??\c:\Program Files (x86)\README_TO_DECRYPT.html rundll32.exe -
Modifies registry class 5 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell\Open\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell\Open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 3476 rundll32.exe 3476 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exedescription pid process Token: SeRestorePrivilege 3476 rundll32.exe Token: SeDebugPrivilege 3476 rundll32.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
rundll32.exerundll32.execmd.exedescription pid process target process PID 2280 wrote to memory of 3476 2280 rundll32.exe rundll32.exe PID 2280 wrote to memory of 3476 2280 rundll32.exe rundll32.exe PID 2280 wrote to memory of 3476 2280 rundll32.exe rundll32.exe PID 3476 wrote to memory of 4112 3476 rundll32.exe cmd.exe PID 3476 wrote to memory of 4112 3476 rundll32.exe cmd.exe PID 3476 wrote to memory of 4112 3476 rundll32.exe cmd.exe PID 4112 wrote to memory of 316 4112 cmd.exe attrib.exe PID 4112 wrote to memory of 316 4112 cmd.exe attrib.exe PID 4112 wrote to memory of 316 4112 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#12⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E578B67.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""3⤵
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"4⤵
- Views/modifies file attributes
PID:316
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5dc9ee4b120a90025ce0fde1a24782d63
SHA1a8a27c75e387664beb9b17480c6062f8fe5272b8
SHA256a3a584e6f7faa1a374aa96ff3d0862c1ac09038fb0b4eceb2d439690b10034f8
SHA51241ea08feb97f71deb6be0991646d0afd0d9d145893846e527f62d4043cc49f6aaf26410e7e94f6c36679d0597f380bfdb9c84ad04f7702905b90264addfc3c44
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611