Overview

overview

8

Static

static

3

QuantumBuilder.exe

windows7-x64

8

QuantumBuilder.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    1563s
  • max time network
    1564s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01/07/2024, 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QuantumBuilder.exe

  • Size

    4.2MB

  • MD5

    bf3d025fb91c91f1b96dfb1e92f2a11b

  • SHA1

    52cba78e1183fbe91ff8c335f44921ad6874bb8e

  • SHA256

    a1675b5baf55c3f91e4006f1375e6ffb09469998d2c83aa9d139136826e10ee2

  • SHA512

    d42efc9f14a973f74b8dc18329ba141a9961bed292baba722395fbaa9ff93cdd6f38b3b6a572246f179a47ba08d8efd7bca2839a15f5046aac3e8239b324dc5f

  • SSDEEP

    98304:jGr9gwfTvzxLCAb5ILw49Y7YxnOnPwbb7WY0ALOH8KZUC3Ue:jS9Pvz4CI0aKNPwbbp0AqHxZ/E

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QuantumBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\QuantumBuilder.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:temp
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Users\Admin\AppData\Local\Temp\evb2962.tmp
      "C:\Users\Admin\AppData\Local\Temp\quantumsupport.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2572 -s 404
        3⤵
          PID:2304
      • C:\Users\Admin\AppData\Local\Temp\evb29B2.tmp
        "C:\Users\Admin\AppData\Local\Temp\QuantumBuilder.exe"
        2⤵
        • Executes dropped EXE
        PID:2584

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \??\c:\Users\Admin\AppData\Local\Temp\evb29B2.tmp
      Filesize

      1KB

      MD5

      cc971f988613632ec42ea9fb859e15cf

      SHA1

      bab15ce78acca96c8b6cc1f482b40ea62c748311

      SHA256

      24d2a96058e3cd46f7d3c9e932fc02362656db4f7627435195c12bdbc23a0d6f

      SHA512

      517eea60da40768f5ce596b78c50f362cb315bfbea021a3268f98275186b1eaf52e6c04826daf20a8f111fbf315ae6bcc2c59e1f946d632e58a42f74e6b8750b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\evb2962.tmp
      Filesize

      1KB

      MD5

      86d23632843c402a3a34828bb99317c9

      SHA1

      ee7082dcee56cb61d0cae037078efb2a4b32eaae

      SHA256

      eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280

      SHA512

      9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

      Download Submit

    • memory/2068-11-0x00000000771B0000-0x0000000077359000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2068-12-0x00000000771B0000-0x0000000077359000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2068-8-0x000000001B6B0000-0x000000001B992000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2068-9-0x0000000002350000-0x0000000002358000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2068-10-0x00000000771B0000-0x0000000077359000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2180-46-0x00000000771B0000-0x0000000077359000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2180-21-0x00000000035B0000-0x0000000003BF1000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2180-0-0x0000000140000000-0x00000001400C0000-memory.dmp

      Filesize

      768KB

      Download

    • memory/2180-45-0x0000000140000000-0x00000001400C0000-memory.dmp

      Filesize

      768KB

      Download

    • memory/2180-2-0x00000000771B0000-0x0000000077359000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2180-41-0x00000000035B0000-0x0000000003BF1000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2180-3-0x00000000771B0000-0x0000000077359000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2180-1-0x0000000077201000-0x0000000077202000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2180-27-0x00000000035B0000-0x0000000003BF1000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2572-31-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-62-0x0000000140000000-0x0000000140641000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2572-54-0x0000000140000000-0x0000000140641000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2572-28-0x00000000004F0000-0x00000000004F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-57-0x0000000140000000-0x0000000140641000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2572-14-0x0000000000430000-0x00000000004D3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2572-16-0x00000000004E0000-0x00000000004E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-58-0x0000000140000000-0x0000000140641000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2584-36-0x0000000000290000-0x00000000002D7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2584-42-0x00000000002F0000-0x00000000002F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2584-48-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2584-59-0x0000000000400000-0x0000000000596000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2584-60-0x0000000004B10000-0x0000000004B38000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2584-61-0x0000000005830000-0x00000000058B4000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2584-55-0x0000000002680000-0x0000000002812000-memory.dmp

      Filesize

      1.6MB

      Download