Analysis

  • max time kernel
    44s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-08-2024 15:11

General

  • Target

    Quantum.exe

  • Size

    217KB

  • MD5

    e7bd89cb405b3a1e0b34bea003b27ec5

  • SHA1

    21061b3432c8e6a56f6b4e7b755d73f072f47f94

  • SHA256

    2a58499667712ca4e34cdf24cb2fa54828e76a254e780c3ac0fbb570f6148bf5

  • SHA512

    d0e592d846f0bc9a47f67036826079fe2ad4d777b52d5cd54bbfd0bf2f2834b54ea75e59ec34b2867aea51377cbd54f1186655d655f09c66ba2ec09407628231

  • SSDEEP

    3072:6ob0Exr9jos+uorMvZprdSyI+gPTfqyYgytVx9T8AOtZCWcW7ubxvOGIx3sBsNkw:P7r9jJ5orwrRS8gPFYTdOjbGXypU5

Malware Config

Extracted

Path

C:\Users\Admin\Documents\wowie.txt

Ransom Note
Your files have been encrypted! All your important files have been encrypted. To regain access, you need to purchase a decryption key. Instructions: 1. Purchase $50 worth of Bitcoin at https://blockchain.com. 2. Email us at [email protected] 3. After we send you the wallet address and you give us the bitcoin, we will give you your decryption key. Important: You have 24 hours to do so. Failure to pay and decrypt your files, they are lost forever. Bonne chance!
URLs

https://blockchain.com

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 3 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 12 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quantum.exe
    "C:\Users\Admin\AppData\Local\Temp\Quantum.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Roaming\Quantum.exe
      "C:\Users\Admin\AppData\Roaming\Quantum.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\wowie.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:2840
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SubmitSwitch.xlsx.99y0
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SubmitSwitch.xlsx.99y0
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:848

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Quantum.exe

    Filesize

    217KB

    MD5

    e7bd89cb405b3a1e0b34bea003b27ec5

    SHA1

    21061b3432c8e6a56f6b4e7b755d73f072f47f94

    SHA256

    2a58499667712ca4e34cdf24cb2fa54828e76a254e780c3ac0fbb570f6148bf5

    SHA512

    d0e592d846f0bc9a47f67036826079fe2ad4d777b52d5cd54bbfd0bf2f2834b54ea75e59ec34b2867aea51377cbd54f1186655d655f09c66ba2ec09407628231

  • C:\Users\Admin\Desktop\SubmitSwitch.xlsx.99y0

    Filesize

    21KB

    MD5

    c9ca59d2d0cf67d18212a8817c5c3ed3

    SHA1

    f515e2bfdbcf7b92e451fca4eddaed33d5ccb977

    SHA256

    bb6a5b6f3ebe42b4f6ecad20dbb8a6cd01c6033049a0bfdb3061a1b625a856fe

    SHA512

    de9571690a9fb10492282fc2b4c54b34058f65368c7531a51c6d59777e3fae6faa070e9deaf70c3ed1a152c05eb4468580d3838eda6fe28d6bb3e0c7d62eb278

  • C:\Users\Admin\Documents\wowie.txt

    Filesize

    483B

    MD5

    e189fe383205d84d08aaeedc75c49bdf

    SHA1

    dd9e0491edb190f292979b3c470667a2cb32d9cf

    SHA256

    fc6befab05853de97d15e5c143314ed1f1a7c6228f29c136959f04eba981786d

    SHA512

    37383d62295713ced88499b0bd5b828f30559d9bdfa51c2aeda77409eeb0af68de8447309d99829589518a7fb7e10b0271e5ac9a89f3a1f5cf1f7a2e15c39ea3

  • memory/2180-7-0x0000000000830000-0x000000000086C000-memory.dmp

    Filesize

    240KB

  • memory/2180-9-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

    Filesize

    9.9MB

  • memory/2180-18-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

    Filesize

    9.9MB

  • memory/2180-501-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

    Filesize

    9.9MB

  • memory/2624-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

    Filesize

    4KB

  • memory/2624-1-0x0000000001030000-0x000000000106C000-memory.dmp

    Filesize

    240KB