quantum | bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
Size

75KB
MD5

c53e027bf91d7e8c8da245ccd28279e5
SHA1

4d1fb9ab277f997a63cd42fd76467715b67579e4
SHA256

bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e
SHA512

5444f4b9737639dcf3321ae8d8ecea2e8865de3acae50a054136d741911371b4102b7a7f47a66d15d08c63022cb1afd3c00ee3241bb8be38ccfd8adda53a674a
SSDEEP

1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGff:OfJGLs6BwNxnfTKsGff

Score

10^/10

quantum ransomware

Malware Config

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Deletes itself 1 IoCs

pid	Process
1692	cmd.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d023fe7ad1cbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A67F8761-37C4-11EF-9BF1-5630532AF2EE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000ad7db6755e524bdbc3a1a69d19054ba005740def9e78381aa9a4a429ecf4a761000000000e8000000002000020000000a2ae91bf29794ec83bb09dc38de7a2e5b10c8c30377884146af52bf9939f410b2000000051a975c11654ad60f7c93f3d9071f827e5c4c1de7a393e2267dd7267da56a70540000000dcee28e92edaffc41afd619c82b9864364c8597f03a3e403e935f986e20a3dbb10e853ea1b67d8fae36a3021ac60836a931bb55b659611601d0412ca5a23dd7e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426012212"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000002d06e32c93d0184ee11b3a85b7ce6468dda276390f9e81d7559f4223d677d4db000000000e800000000200002000000018c3bcc6967de4f6d8198c7a7dff3d299445a13c455f0bb5279d44c89d9af4d69000000073f9c3dec09ec0332a8eed034d412033c7428cbf3106a6a9b5d52119bf116db6394977b1862ac41e1db459f635f166f024eef9cbb5759ed6f1d585ae7d93e091f2c341eb18af61da8d481fc76d35f27e64f4c94d37af1671d2820d7b962f7d54b8780e9aa84677f2812b4caca36aa238d0cd190390f42638f804f5d1f9434104970781fbfdc2337db285beee972ceac14000000037dded4e8b3efea98c03a709282ddd6323074d610d67422f8a3cdc4ce0d971d2c3f3ffd0e680e18dfa32d8010ac29c00db55eb13a220f13ea10a7a610194dec4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell\Open	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum\shell\Open\command	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.quantum	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
492	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
492	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	492	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
Token: SeDebugPrivilege	492	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2184	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2184	iexplore.exe
2184	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 1692	492	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe	30
PID 492 wrote to memory of 1692	492	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe	30
PID 492 wrote to memory of 1692	492	bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe	30
PID 1692 wrote to memory of 1768	1692	cmd.exe	32
PID 1692 wrote to memory of 1768	1692	cmd.exe	32
PID 1692 wrote to memory of 1768	1692	cmd.exe	32
PID 2184 wrote to memory of 1780	2184	iexplore.exe	35
PID 2184 wrote to memory of 1780	2184	iexplore.exe	35
PID 2184 wrote to memory of 1780	2184	iexplore.exe	35
PID 2184 wrote to memory of 1780	2184	iexplore.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1768	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe
"C:\Users\Admin\AppData\Local\Temp\bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:492
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F762146.bat" "C:\Users\Admin\AppData\Local\Temp\bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\bb6ec92275ec00a69b2c6e0532509222093d7026c8766274a69d985bcc1eb65e.exe"
    3⤵
    - Views/modifies file attributes
    PID:1768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F762146.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
7KB

MD5
df136228be0a9e7fddc938fb15c2a136

SHA1
0b2e39b4cac2e54eda4b9184e90205ae961e40e1

SHA256
6d6b47dbbb2e0faa18a0d71d43d861f8a877541124a46aa5f7c148f296a65cda

SHA512
ece691a60e1e73cef9d2de76a93b96f75c6af13e23119bea2b19b9eeeaee07b862b82c5efd220bcf1413e3d86c867635b63951ef474152df5c9304290e6fb76a

Download Submit