Analysis

  • max time kernel
    15s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/01/2025, 15:26

General

  • Target

    nount.exe

  • Size

    75KB

  • MD5

    41ba799c4931f0877d80a623ff9a3192

  • SHA1

    645ab2435541255106e0fbb8175a22bb7379836d

  • SHA256

    85afbb88525daf50e9256d24a98bae57f78f7c6ca8e5724820a460a5e9bd12b7

  • SHA512

    b2b55030993075280e6cea642569e8f11c0d835566a66dc397b5549abf7e389a6bf5f8123ebb9a32145867b8031e32a72a9e577f2854e157482c7312ad73102d

  • SSDEEP

    1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGEeoSawY:OfJGLs6BwNxnfTKsGkSar

Score
10/10

Malware Config

Signatures

  • Quantum Ransomware

    A rebrand of the MountLocker ransomware, first seen under the Quantum name in August 2021.

  • Quantum family
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nount.exe
    "C:\Users\Admin\AppData\Local\Temp\nount.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F782A6A.bat" "C:\Users\Admin\AppData\Local\Temp\nount.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\nount.exe"
        3⤵
        • Views/modifies file attributes
        PID:1096
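
The chain under PID 432 is the sample's self-deletion routine: the executable launches cmd.exe with a batch file in %TEMP% and passes its own image path as an argument, and that cmd.exe runs attrib -s -r -h on the same path so the system/read-only/hidden attributes cannot block the delete. The 65-byte batch file's contents are not shown in this report, so a detector has to key on the command lines rather than on the batch body. The following Python is an added example (not part of the sandbox report, the sample, or any vendor rule) that flags this pattern from process-creation telemetry. The event records are constructed to mirror the process tree above using Sysmon Event ID 1 style field names (pid, ppid, image, cmdline); PID 300 is an assumed stand-in for the parent shell, and the build.bat event is assumed benign noise added to show the rule does not fire on any batch launch.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style fields),
# modelled on the process tree in this report; they are sample input,
# not records exported from the sandbox. PID 300 stands in for the parent shell.
EVENTS = [
    {"pid": 432, "ppid": 300, "image": r"C:\Users\Admin\AppData\Local\Temp\nount.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\nount.exe"'},
    {"pid": 772, "ppid": 432, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F782A6A.bat" "C:\Users\Admin\AppData\Local\Temp\nount.exe""'},
    {"pid": 1096, "ppid": 772, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\nount.exe"'},
    # Assumed benign noise: a batch file run by a build tool, no self-reference.
    {"pid": 900, "ppid": 300, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Tools\build.bat"'},
]


def norm_path(p):
    """Lower-case and collapse runs of backslashes, so the doubled separator
    the sample used in the cmd line compares equal to the attrib path."""
    return re.sub(r"\\+", lambda _: "\\", p).lower()


def quoted_args(cmdline):
    """Return the double-quoted arguments of a Windows command line, normalised.
    Works with the nested quoting cmd /c produces (the ""a" "b"" form above)."""
    return [norm_path(a) for a in re.findall(r'"([^"]+)"', cmdline)]


def detect_self_delete(events):
    """Find cmd.exe instances that run a .bat with their parent's own image
    path as an argument; report whether a child attrib.exe cleared S/R/H on it."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for cmd in events:
        if not cmd["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(cmd["ppid"])
        if parent is None:
            continue
        args = quoted_args(cmd["cmdline"])
        batch = [a for a in args if a.endswith(".bat")]
        target = norm_path(parent["image"])
        # Core pattern: cmd /c <batch> with the parent's own image path as an argument.
        if not batch or target not in args:
            continue
        # Corroboration: attrib.exe under that cmd.exe stripping the attributes
        # that would otherwise make the batch file's delete fail.
        attrib_seen = any(
            c["image"].lower().endswith("\\attrib.exe")
            and target in quoted_args(c["cmdline"])
            and {"-s", "-r", "-h"} <= set(c["cmdline"].lower().split())
            for c in children[cmd["pid"]]
        )
        hits.append({
            "target": parent["image"],
            "batch": batch[0],
            "pids": (parent["pid"], cmd["pid"]),
            "attrib_seen": attrib_seen,
            "confidence": "high" if attrib_seen else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(hit)
```

The rule fires on the cmd.exe process, which matches where the report places the "Deletes itself" signature (PID 772), and treats the attrib.exe child only as corroboration, so a sample that skips the attrib step still produces a medium-confidence hit rather than nothing.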

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0F782A6A.bat

    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html

    Filesize

    7KB

    MD5

    0f7dbc2df206e6b1a4608ffe3d7779dd

    SHA1

    b0bcb0979cf73c1b05eec8c44eb14eda929cfcbd

    SHA256

    a1583fb040f5f2e88b91c9b06e0d2bbe6425e01cf62f7dbdf364264e0e49ce58

    SHA512

    5f4cba951b902c0de4d6c88ad518b56bcdedfdb9f7451fc8fcb4da8841249c7ff2fc41373fcc2bfd555b0c083335afd478c5488fea3f36fbe386dd017289defb