Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/01/2025, 15:26

General

  • Target

    nount.exe

  • Size

    75KB

  • MD5

    41ba799c4931f0877d80a623ff9a3192

  • SHA1

    645ab2435541255106e0fbb8175a22bb7379836d

  • SHA256

    85afbb88525daf50e9256d24a98bae57f78f7c6ca8e5724820a460a5e9bd12b7

  • SHA512

    b2b55030993075280e6cea642569e8f11c0d835566a66dc397b5549abf7e389a6bf5f8123ebb9a32145867b8031e32a72a9e577f2854e157482c7312ad73102d

  • SSDEEP

    1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGEeoSawY:OfJGLs6BwNxnfTKsGkSar

Score
10/10

Malware Config

Signatures

  • Quantum Ransomware

    A rebrand of the MountLocker ransomware; the Quantum variant was first seen in August 2021.

  • Quantum family
  • Drops desktop.ini file(s) (25 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\nount.exe
    "C:\Users\Admin\AppData\Local\Temp\nount.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E57A1CE.bat" "C:\Users\Admin\AppData\Local\Temp\nount.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\nount.exe"
        3⤵
        • Views/modifies file attributes
        PID:2976
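The process tree above has the shape of a self-cleanup routine: the sample launches cmd.exe with a freshly written Temp .bat file and its own path as the batch argument, and the batch clears the system, read-only and hidden attributes on that same binary (the report does not show the batch contents beyond this). The following Python is an added example, not part of the sandbox report, that finds this three-process chain in Sysmon-style process-creation records and matches the report's SHA256 values. The event records are constructed from the PIDs and command lines shown above; the explorer.exe parent, the benign attrib chain, and the field names are assumptions.

```python
"""Detect the nount.exe -> cmd.exe /c "<tmp>.bat" "<self>" -> attrib -s -r -h "<self>"
chain and match known file hashes. Added example; events below are constructed
Sysmon-style process-creation records modelled on the report, not real logs."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the Sysmon EID 1 fields this check needs)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


# SHA256 values copied from the report: the sample and the two files it wrote.
KNOWN_SHA256 = {
    "85afbb88525daf50e9256d24a98bae57f78f7c6ca8e5724820a460a5e9bd12b7": "nount.exe (Quantum sample)",
    "c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506": "0E57A1CE.bat (dropped batch)",
    "131c5f35e6854c2af29415062ec72e740f74fb27e06319efa5ab8ebb906c55cc": "README_TO_DECRYPT.html (ransom note)",
}

# cmd.exe /c ""<x>.bat" "<target>""  : a batch file handed the caller's own path as %1
CMD_BAT_RE = re.compile(
    r'cmd\.exe\s+/c\s+"*(?P<bat>[^"]+\.bat)"\s+"(?P<target>[^"]+)"', re.I)
# attrib -s -r -h "<target>" : stripping system/read-only/hidden from a file
ATTRIB_CLEAR_RE = re.compile(
    r'attrib\s+(?:-[srh]\s+)+"?(?P<target>[^"]+?)"?\s*$', re.I)


def detect_self_cleanup(events):
    """Return one finding per attrib.exe that clears attributes on its grandparent's
    own image and was launched through a cmd.exe /c <bat> <image> wrapper."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\attrib.exe"):
            continue
        am = ATTRIB_CLEAR_RE.search(ev.cmdline)
        if not am:
            continue
        target = am.group("target").strip().lower()
        parent = by_pid.get(ev.ppid)
        if parent is None or not parent.image.lower().endswith("\\cmd.exe"):
            continue
        cm = CMD_BAT_RE.search(parent.cmdline)
        if not cm or cm.group("target").lower() != target:
            continue
        origin = by_pid.get(parent.ppid)
        if origin is None or origin.image.lower() != target:
            continue
        findings.append({
            "sample_pid": origin.pid,
            "cmd_pid": parent.pid,
            "attrib_pid": ev.pid,
            "batch": cm.group("bat"),
            "image": origin.image,
        })
    return findings


def match_iocs(events):
    """Return (pid, label) for every event whose image hash is a known IOC."""
    return [(e.pid, KNOWN_SHA256[e.sha256]) for e in events if e.sha256 in KNOWN_SHA256]


# Constructed events: the chain from the report plus benign noise (assumed PIDs 1000/4000/5000).
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(4520, 1000, r"C:\Users\Admin\AppData\Local\Temp\nount.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\nount.exe"',
              "85afbb88525daf50e9256d24a98bae57f78f7c6ca8e5724820a460a5e9bd12b7"),
    ProcEvent(2308, 4520, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E57A1CE.bat" "C:\Users\Admin\AppData\Local\Temp\nount.exe""'),
    ProcEvent(2976, 2308, r"C:\Windows\system32\attrib.exe",
              r'attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\nount.exe"'),
    # Benign: an admin script clearing read-only on a document; no self-reference.
    ProcEvent(4000, 1000, r"C:\Windows\system32\cmd.exe", r'cmd.exe /c "C:\scripts\fix.bat"'),
    ProcEvent(5000, 4000, r"C:\Windows\system32\attrib.exe",
              r"attrib -r C:\Users\Admin\Documents\notes.txt"),
]

if __name__ == "__main__":
    for f in detect_self_cleanup(SAMPLE_EVENTS):
        print("self-cleanup chain:", f)
    for pid, label in match_iocs(SAMPLE_EVENTS):
        print("IOC hit:", pid, label)
```

The chain check keys on the relationship between the three processes (the attrib target equals the batch argument equals the grandparent's image) rather than on the batch file name, which is random per run, so the benign attrib call in the sample data does not fire. The hash match is the cheap retrospective check to run over EDR file-hash fields once the report's IOCs are loaded.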

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0E57A1CE.bat

    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html

    Filesize

    7KB

    MD5

    6bcf9a761ce1dd861d83a9043d332343

    SHA1

    ccd9fef56d4a4c27a69580cd86e2fc53da22158d

    SHA256

    131c5f35e6854c2af29415062ec72e740f74fb27e06319efa5ab8ebb906c55cc

    SHA512

    bb85ba8a7ece43e428d9d1598cfdd9267d39b7afdd20b69831b99b042795f56e602ae1d8bff2cb7d3935268b639b0ca8acb722e68675deffd2e8378f94bd4941