{
	"id": "8e74ebd7-0685-4839-b627-09a7d1cbce06",
	"created_at": "2026-04-06T00:16:38.581437Z",
	"updated_at": "2026-04-10T03:24:23.736637Z",
	"deleted_at": null,
	"sha1_hash": "afbf53ebfe87e135ff606a8cd45883bcb6778610",
	"title": "Quantum Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5553692,
	"plain_text": "Quantum Ransomware\r\nBy editor\r\nPublished: 2022-04-25 · Archived: 2026-04-05 14:17:23 UTC\r\nIn one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access to\r\ndomain-wide ransomware. The initial access vector for this case was an IcedID payload delivered via email. We have\r\nobserved IcedID malware being utilized as the initial access vector by various ransomware groups. Examples from some of our\r\nprevious cases include:\r\nXingLocker – IcedID to XingLocker Ransomware in 24 hours\r\nConti – Stolen Images Campaign Ends in Conti Ransomware and Conti Ransomware\r\nREvil – Sodinokibi (aka REvil) Ransomware\r\nOnce the initial IcedID payload was executed, approximately 2 hours after initial infection, the threat actors appeared to\r\nbegin hands-on-keyboard activity. Cobalt Strike and RDP were used to move across the network before using WMI and\r\nPsExec to deploy the Quantum ransomware. This case exemplified an extremely short Time-to-Ransom (TTR) of 3 hours\r\nand 44 minutes.\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test examples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. 
Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for pricing or a demo!\r\nCase Summary\r\nThe threat actor was able to enter the network when a user endpoint was compromised by an IcedID payload contained\r\nwithin an ISO image. We have high confidence this payload was delivered via email; however, we were not able to identify\r\nthe delivery email.\r\nThe ISO contained a DLL file (IcedID malware) and a LNK shortcut to execute it. The end user, after clicking into the ISO\r\nfile, could see just a single file named “document”, which is a LNK shortcut to a hidden DLL packaged in the ISO. When\r\nthe user clicks on the LNK file, the IcedID DLL is executed.\r\nUpon this execution of the IcedID DLL, a battery of discovery tasks was executed using built-in Windows utilities like\r\nipconfig, systeminfo, nltest, net, and chcp. The IcedID malware also created a scheduled task as a means of persistence on\r\nthe beachhead host.\r\nAround two hours later, Cobalt Strike was deployed using process hollowing and injection techniques. This marked the start\r\nof “hands-on-keyboard” activity by the threat actors. This activity included using AdFind through a batch script called\r\nadfind.bat to perform discovery of the target organization's Active Directory structure. The threat actors gathered\r\nhost-based network information by running a batch script named ns.bat, which ran nslookup for each host in the environment.\r\nThe Cobalt Strike process then proceeded to access LSASS memory to extract credentials, which a few minutes later were\r\ntested to run remote WMI discovery tasks on a server. 
After confirming their credentials worked with the WMI actions, the\r\nthreat actor proceeded to RDP into that server and attempted to drop and execute a Cobalt Strike DLL beacon on that server.\r\nThis appeared to fail, so the threat actor then opened cmd and proceeded to execute a PowerShell Cobalt Strike Beacon. This\r\nBeacon was successful in connecting to the same command and control server observed on the beachhead host.\r\nFor the next hour, the threat actor proceeded to make RDP connections to other servers in the environment. Once the threat\r\nactor had a handle on the layout of the domain, they prepared to deploy the ransomware by copying the ransomware (named\r\nttsel.exe) to each host through the C$ share folder. They used two methods of remote execution to detonate the\r\nransomware binary: WMI and PsExec. This ransomware deployment concluded less than four hours from the initial IcedID\r\nexecution.\r\nWhile the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is\r\npossible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data.\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 1 of 19\n\nTimeline\r\nReport Lead: @svch0st\r\nContributing Analysts: @0xtornado, @samaritan_o\r\nInitial Access\r\nThe threat actor gained initial access through the common malware, IcedID. The payload was delivered within an ISO file,\r\ndocs_invoice_173.iso, via email, where a user opened and executed the malware. Shout out to @k3dg3 for making these\r\nISOs available. 
We were able to determine that the user mounted the ISO using Event ID 12 in Microsoft-Windows-VHDMP-Operational.evtx as shown below:\r\nWhen mounted, the ISO contained two files:\r\ndocument.lnk\r\ndar.dll (hidden attribute enabled)\r\nTypical end user perspective after opening the ISO file:\r\nThe file document.lnk is a shortcut or .lnk file and dar.dll was the IcedID payload.\r\nExecution\r\nA quick look at the properties of document.lnk highlights the command line that is executed on launch:\r\nC:\\Windows\\System32\\rundll32.exe dar.dll,DllRegisterServer\r\nBut we can do a lot better than that with a .lnk file! These .lnk files provide a wealth of knowledge to investigators. For\r\nexample, below is a partial output of the tool LECmd.exe (by Eric Zimmerman). When used on the file document.lnk, it\r\nparses out metadata such as when the shortcut file was made, the hostname and MAC address of the device it was\r\ncreated on and even the directory path of the user that created it!\r\nWe were able to determine when the user clicked on the .lnk file and when a new process was created with the command line\r\nmentioned above. Furthermore, Event ID 4663 in Security.evtx highlighted when explorer.exe accessed\r\ndocument.lnk:\r\nAdditionally, the context of execution location and parent process can also be used to follow the user execution process.\r\nShortly after execution of the payload, several child processes were spawned that created persistence and began discovery\r\non the host.\r\nThis included an instance of C:\\Windows\\SysWOW64\\cmd.exe, which the IcedID malware used to hollow out and then inject\r\na Cobalt Strike beacon into. We observed several additional indications of Cobalt Strike that verified it was utilized\r\nby the threat actor. 
The cmd.exe process spawned a suspicious instance of rundll32.exe. There were no command line\r\narguments for this process, which is atypical for rundll32.exe. A further indication was the rundll32.exe process\r\ncreating a named pipe, postex_304a. This behavior of rundll32.exe and a named pipe that matches postex_[0-9a-f]{4}\r\nis the default behavior used by Cobalt Strike 4.2+ post-exploitation jobs. For more information on Cobalt Strike, you\r\ncan read our article Cobalt Strike, a Defender’s Guide.\r\nWhen we reviewed the memory of this process, we were able to confirm it was in fact Cobalt Strike when we successfully\r\nextracted the beacon configuration (additional details can be found in the Command and Control section). The threat actor\r\nalso executed a PowerShell Cobalt Strike payload on some servers:\r\nThis payload is using the default Cobalt Strike obfuscation scheme (XOR 35), and can easily be decoded using CyberChef:\r\nThe output can be analyzed using scdbg to highlight what Windows API calls the shellcode makes:\r\nPrior to using the PowerShell beacon, the threat actor dropped a DLL beacon on the server (p227.dll), but this appears to\r\nhave failed for unknown reasons, after which the threat actor moved on to the PowerShell beacon, which executed\r\nsuccessfully.\r\nPersistence\r\nAfter the initial execution of the IcedID malware, the malware established persistence by creating a copy of itself (Ulfefi32.dll)\r\nin the AppData directory of the affected user and created a scheduled task to execute it every hour. The task\r\n\\kajeavmeva_{B8C1A6A8-541E-8280-8C9A-74DF5295B61A} was created with the execution action below:\r\nDefense Evasion\r\nProcess injection was observed during the intrusion by both IcedID and Cobalt Strike. 
On one system, the threat actor\r\ninjected into the winlogon process.\r\nCobalt Strike Processes Identified by In-Memory YARA Scanning.\r\n{\r\n \"Pid\": 7248,\r\n \"ProcessName\": \"cmd.exe\",\r\n \"CommandLine\": \"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\r\n \"Detection\": [\r\n \"win_cobalt_strike_auto\",\r\n \"cobaltstrike_beacon_4_2_decrypt\"\r\n ]\r\n}\r\n{\r\n \"Pid\": 584,\r\n \"ProcessName\": \"winlogon.exe\",\r\n \"CommandLine\": \"winlogon.exe\",\r\n \"Detection\": [\r\n \"win_cobalt_strike_auto\",\r\n \"cobaltstrike_beacon_4_2_decrypt\"\r\n ]\r\n}\r\n{\r\n \"Pid\": 5712,\r\n \"ProcessName\": \"powershell.exe\",\r\n \"CommandLine\": \"\\\"c:\\\\windows\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\\\" -Version 5.1 -s -NoLogo -\r\n \"Detection\": [\r\n \"win_cobalt_strike_auto\",\r\n \"cobaltstrike_beacon_4_2_decrypt\"\r\n ]\r\n}\r\nVolatility Malfind output shows the embedded MZ header in the winlogon process with\r\nPAGE_EXECUTE_READWRITE protection on the memory region, a commonly observed attribute of process injection.\r\nNetwork connections to the Cobalt Strike server by winlogon were also observed in the process logs.\r\nCredential Access\r\nLSASS Access\r\nSuspicious accesses to LSASS process memory were observed during this intrusion. As illustrated below, those accesses\r\nwere made using both Windows Task Manager and rundll32.exe, which is assessed to be a Cobalt Strike temporary\r\nbeacon (as shown in the Execution graph):\r\nThe threat actors managed to steal administrator account credentials, allowing them to move laterally across the Active\r\nDirectory domain.\r\nDiscovery\r\nAs mentioned in the Execution section, the IcedID process ran several initial discovery commands that provided\r\nenvironmental information about the host, network, and domain to the threat actor. 
Given that these commands\r\nran immediately after the execution of IcedID, we believe these commands were executed automatically upon check-in.\r\ncmd.exe /c chcp \u003e\u00262\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nipconfig /all\r\nsysteminfo\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nA cmd.exe process spawned from IcedID ran additional discovery queries. The threat actor dropped the following\r\nfiles in the C:\\Windows\\Temp directory:\r\n7.exe (7zip)\r\nadfind.exe (AdFind)\r\nadfind.bat (pictured below)\r\nThe actor used the Active Directory enumeration tool AdFind to collect information such as the users, computers and\r\nsubnets in the domain.\r\nThe file ad.7z was the resulting output of the AdFind commands above. After that, an additional batch script was created,\r\nns.bat, which enumerated all host names in the domain with nslookup to identify the IP address of each host.\r\nPrior to the first lateral movement from the beachhead host, the threat actor tested credentials and gathered information from\r\ntheir targeted remote server using WMI:\r\nC:\\Windows\\system32\\cmd.exe, /C, wmic, /node:X.X.X.X, /user:administrator, /password:*****, os, get, caption\r\nLateral Movement\r\nRemote Desktop Protocol\r\nThe threat actor used RDP to move laterally to critical hosts. In particular, we have evidence on multiple machines of RDP\r\nusing the Administrator account.\r\nThe attacker in this intrusion initiated RDP connections from a workstation named TERZITERZI. 
See the screenshot below:\r\nThe RDP connections were established from the Cobalt Strike process running the beacon, indicating the threat actor\r\nused a proxy on the beachhead host to facilitate the RDP traffic.\r\nPsExec\r\nPsExec was used to facilitate the ransomware execution. The threat actor utilized the “-r” option in PsExec to define a\r\ncustom name (mstdc) of the remote service created on the target host (by default it’s PSEXESVC).\r\nWMI\r\nThroughout the intrusion, the threat actor was also observed using WMIC to perform lateral activities including discovery\r\nactions remotely and, as a second option, to ensure all the remote hosts successfully executed the final ransomware payload.\r\nThe WMIC commands prefaced with /node:IP Address allowed the threat actor to run commands on remote hosts.\r\nCommand and Control\r\nIcedID\r\nAs we saw from the execution section, dar.dll was used to contact the below domains:\r\ndilimoretast[.]com\r\n138[.]68.42.130:443\r\nJa3: a0e9f5d64349fb13191bc781f81f42e1\r\nJa3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [3e:f4:e9:d6:3e:47:e3:ce:51:2e:2a:91:e5:48:41:54:5e:53:54:e2 ]\r\nNot Before: 2022/03/22 09:34:53 UTC\r\nNot After: 2023/03/22 09:34:53 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Common: localhost\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nantnosience[.]com\r\n157[.]245.142.66:443\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJa3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [0c:eb:c1:4b:0d:a1:b6:9d:7d:60:ed:c0:30:56:b7:48:10:d1:b1:6c ]\r\nNot Before: 2022/03/19 09:22:57 UTC\r\nNot After: 2023/03/19 09:22:57 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Common: localhost\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\noceriesfornot[.]top\r\n188[.]166.154.118:80\r\nCobalt Strike\r\n185.203.118[.]227\r\nWatermark: 305419776\r\nJa3: 
72a589da586844d7f0818ce684948eea\r\nJa3s: f176ba63b4d68e576b5ba345bec2c7b7\r\nCertificate: [72:a1:ac:20:97:a0:cb:4f:b5:41:db:6e:32:fb:f5:7b:fd:43:9b:4b ]\r\nNot Before: 2022/03/21 22:16:04 UTC\r\nNot After: 2023/03/21 22:16:04 UTC\r\nIssuer Org: Google GMail\r\nSubject Common: gmail.com\r\nSubject Org: Google GMail\r\nPublic Algorithm: rsaEncryption\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 60000,\r\n \"jitter\": 15,\r\n \"maxgetsize\": 1049376,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 305419776,\r\n \"cfg_caution\": false,\r\n \"kill_date\": \"2022-04-22\",\r\n \"server\": {\r\n \"hostname\": \"185.203.118.227\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+Q\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/_/scs/mail-static/_/js/\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"append 375 characters\",\r\n \"append 250 characters\",\r\n \"prepend 4 characters\",\r\n \"prepend 28 characters\",\r\n \"prepend 36 characters\",\r\n \"prepend 18 characters\",\r\n \"prepend 4 characters\",\r\n \"prepend 28 characters\",\r\n \"prepend 36 characters\",\r\n \"prepend 17 characters\",\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 11 of 19\n\n\"prepend 4 characters\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/mail/u/0/\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n 
\"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 0,\r\n \"startrwx\": true,\r\n \"stub\": \"tUr+Aexqde3zXhpE+L05KQ==\",\r\n \"transform-x86\": null,\r\n \"transform-x64\": null,\r\n \"userwx\": true\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": false\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nExfiltration\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 12 of 19\n\nWhile the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is\r\npossible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data.\r\nImpact\r\nJust shy of four hours into the intrusion, the threat actors began acting on their final objectives, domain wide ransomware\r\ndeployment. 
Pivoting from one of the domain controllers, the actor used a combination of both PsExec and\r\nWMI to remotely execute the ransomware.\r\nThey first copied the payload, ttsel.exe, to the C$ share of each host on the network.\r\nC:\\Windows\\system32\\cmd.exe /K copy ttsel.exe \\\\\u003cIP\u003e\\c$\\windows\\temp\\\r\nPsExec\r\nThe threat actor utilized the “-r” option in PsExec to define a custom name (“mstdc”) of the remote service created on the\r\ntarget host (by default it is PSEXESVC).\r\npsexec.exe \\\\\u003cIP ADDRESS\u003e -u \u003cDOMAIN\u003e\\Administrator -p \"\u003cPASSWORD\u003e\" -s -d -h -r mstdc -accepteula -nobanner c\r\nThis resulted in the file C:\\Windows\\mstdc.exe being created on the target endpoint when PsExec was executed.\r\nWMI\r\nThe alternate execution method the actor employed was a WMI call to start a remote process on the target host.\r\nwmic /node:\"\u003cIP ADDRESS\u003e\" /user:\"\u003cDOMAIN\u003e\\Administrator\" /password:\"\u003cPASSWORD\u003e\" process call create \"cmd.exe /\r\nThe Quantum ransomware began to encrypt files across all hosts in the environment and then dropped the following\r\nransom note: README_TO_DECRYPT.html\r\nThe Quantum portal had a unique option to create and set a password for the negotiation chat.\r\nOnce authenticated, it displays the chat window with the threat actor.\r\nDiamond Model\r\nFeedback always appreciated: https://thedfirreport.com/contact/\r\nIndicators\r\nFiles\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 14 of 
19\n\ndocs_invoice_173.iso\r\ne051009b12b37c7ee16e810c135f1fef\r\n415b27cd03d3d701a202924c26d25410ea0974d7\r\n5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b\r\ndar.dll\r\n4a6ceabb2ce1b486398c254a5503b792\r\n08a1c43bd1c63bbea864133d2923755aa2f74440\r\n4a76a28498b7f391cdc2be73124b4225497232540247ca3662abd9ab2210be36\r\ndocument.lnk\r\nadf0907a6114c2b55349c08251efdf50\r\naa25ae2f9dbe514169f4526ef4a61c1feeb1386a\r\n3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6\r\nadf.bat\r\nebf6f4683d8392add3ef32de1edf29c4\r\n444c704afe4ee33d335bbdfae79b58aba077d10d\r\n2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04\r\nUlfefi32.dll\r\n49513b3b8809312d34bb09bd9ea3eb46\r\n445294080bf3f58e9aaa3c9bcf1f346bc9b1eccb\r\n6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7\r\nlicense.dat\r\ne9ad8fae2dd8f9d12e709af20d9aefad\r\ndb7d1545c3c7e60235700af672c1d20175b380cd\r\n84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238\r\nttsel.exe\r\nb1eff4fffe66753e5f4265bc5332f72e\r\nda2caf36b52d81a0d983407ab143bef8df119b8d\r\nb6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda\r\np227.dll\r\n350f82de99b8696fea6e189fcd4ca454\r\ndeea45010006c8bde12a800d73475a5824ca2e6f\r\nc140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3\r\nNetwork\r\nIcedID\r\ndilimoretast[.]com\r\nantnosience[.]com\r\noceriesfornot[.]top\r\n138[.]68.42.130:443\r\n157[.]245.142.66:443\r\n188[.]166.154.118:80\r\nCobalt Strike\r\nC2/IP: 185.203.118[.]227:443\r\nWatermark: 305419776\r\nDetections\r\nNetwork\r\nET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)\r\nET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory\r\nET MALWARE Win32/IcedID Request Cookie\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET POLICY PsExec service created\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY SMB2 NT Create AndX Request For an Executable 
File\r\nET DNS Query to a *.top domain - Likely Hostile\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 15 of 19\n\nET INFO HTTP Request to a *.top domain\r\nET POLICY SMB Executable File Transfer\r\nSigma\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/CHCP%20CodePage%20Locale%20Lookup\r\nhttps://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_d\r\nhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_dis\r\nhttps://github.com/SigmaHQ/sigma/blob/dfdaecc52ca385c66d1b16971ce867e81bdce82e/rules/windows/pipe_created/pipe_created_psexec_pipes_artifa\r\nhttps://github.com/SigmaHQ/sigma/blob/625f05df3c477c4cd7a22e2a7a19742615da1eb5/rules/windows/file/file_event/file_event_win_tool_psexec.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/c5263039ae6e28a09192b4be2af40fea59a06b08/rules/windows/process_creation/proc_creation_win_wmic_rem\r\nhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_wm\r\nhttps://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_pow\r\nhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_sys\r\nhttps://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32\r\nhttps://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml\r\nYara\r\n/*
\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2022-04-24\r\nIdentifier: Quantum Case 12647\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule docs_invoice_173 {\r\nmeta:\r\ndescription = \"IcedID - file docs_invoice_173.iso\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2022-04-24\"\r\nhash1 = \"5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b\"\r\nstrings:\r\n$x1 = \"dar.dll,DllRegisterServer!%SystemRoot%\\\\System32\\\\SHELL32.dll\" fullword wide\r\n$x2 = \"C:\\\\Windows\\\\System32\\\\rundll32.exe\" fullword ascii\r\n$s3 = \"C:\\\\Users\\\\admin\\\\Desktop\\\\data\" fullword wide\r\n$s4 = \"Desktop (C:\\\\Users\\\\admin)\" fullword wide\r\n$s5 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s6 = \"1t3Eo8.dll\" fullword ascii\r\n$s7 = \")..\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\rundll32.exe\" fullword wide\r\n$s8 = \"DAR.DLL.\" fullword ascii\r\n$s9 = \"dar.dll:h\" fullword wide\r\n$s10 = \"document.lnk\" fullword wide\r\n$s11 = \"DOCUMENT.LNK\" fullword ascii\r\n$s12 = \"6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe\r\n$s13 = \"03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f\r\n$s14 = \"d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82\r\n$s15 = \"7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de\r\n$s16 = \"89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f\r\n$s17 = \"8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a56\r\n$s18 = \"24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f41\r\n$s19 = 
\"827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 16 of 19\n\n$s20 = \"7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e\r\ncondition:\r\nuint16(0) == 0x0000 and filesize \u003c 600KB and\r\n1 of ($x*) and 4 of them\r\n}\r\nrule quantum_license {\r\nmeta:\r\ndescription = \"IcedID - file license.dat\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2022-04-24\"\r\nhash1 = \"84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238\"\r\nstrings:\r\n$s1 = \"W* |[h\" fullword ascii\r\n$s2 = \"PSHN,;x\" fullword ascii\r\n$s3 = \"ephu\\\"W\" fullword ascii\r\n$s4 = \"LwUw9\\\\\" fullword ascii\r\n$s5 = \"VYZP~pN,\" fullword ascii\r\n$s6 = \"eRek?@\" fullword ascii\r\n$s7 = \"urKuEqR\" fullword ascii\r\n$s8 = \"1zjWa{`!\" fullword ascii\r\n$s9 = \"YHAV{tl\" fullword ascii\r\n$s10 = \"bwDU?u\" fullword ascii\r\n$s11 = \"SJbW`!W\" fullword ascii\r\n$s12 = \"BNnEx1k\" fullword ascii\r\n$s13 = \"SEENI3=\" fullword ascii\r\n$s14 = \"Bthw?:'H*\" fullword ascii\r\n$s15 = \"NfGHNHC\" fullword ascii\r\n$s16 = \"xUKlrl'\u003e`\" fullword ascii\r\n$s17 = \"gZaZ^;Ro2\" fullword ascii\r\n$s18 = \"JhVo5Bb\" fullword ascii\r\n$s19 = \"OPta)}$\" fullword ascii\r\n$s20 = \"cZZJoVB\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x44f8 and filesize \u003c 1000KB and\r\n8 of them\r\n}\r\nrule quantum_p227 {\r\nmeta:\r\ndescription = \"Cobalt Strike - file p227.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2022-04-24\"\r\nhash1 = \"c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3\"\r\nstrings:\r\n$s1 = \"Remote Event Log Manager4\" fullword wide\r\n$s2 = \"IIdRemoteCMDServer\" fullword ascii\r\n$s3 = \"? 
?6?B?`?\" fullword ascii /* hex encoded string 'k' */\r\n$s4 = \"\u003c*=.=2=6=\u003c=\\\\=\" fullword ascii /* hex encoded string '\u0026' */\r\n$s5 = \"\u003e'?+?/?3?7?;???\" fullword ascii /* hex encoded string '7' */\r\n$s6 = \":#:':+:/:3:7:\" fullword ascii /* hex encoded string '7' */\r\n$s7 = \"2(252\u003c2[2\" fullword ascii /* hex encoded string '\"R\"' */\r\n$s8 = \":$;,;2;\u003e;F;\" fullword ascii /* hex encoded string '/' */\r\n$s9 = \":\u003c:D:H:L:P:T:X:\\\\:`:d:h:l:p:t:x:|:\" fullword ascii\r\n$s10 = \"%IdThreadMgr\" fullword ascii\r\n$s11 = \"AutoHotkeys\u003cmC\" fullword ascii\r\n$s12 = \"KeyPreview0tC\" fullword ascii\r\n$s13 = \":dmM:\\\\m\" fullword ascii\r\n$s14 = \"EFilerErrorH\" fullword ascii\r\n$s15 = \"EVariantBadVarTypeErrorL\" fullword ascii\r\n$s16 = \"IdThreadMgrDefault\" fullword ascii\r\n$s17 = \"Set Size Exceeded.*Error on call Winsock2 library function %s\u0026Error on loading Winsock2 library (%s)\"\r\n$s18 = \"CopyMode0\" fullword ascii\r\n$s19 = \"TGraphicsObject0\" fullword ascii\r\n$s20 = \"THintWindow8\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 17 of 19\n\n( pe.imphash() == \"c88d91896dd5b7d9cb3f912b90e9d0ed\" or 8 of them )\r\n}\r\nrule Ulfefi32 {\r\nmeta:\r\ndescription = \"IcedID - file Ulfefi32.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2022-04-24\"\r\nhash1 = \"6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7\"\r\nstrings:\r\n$s1 = \"WZSKd2NEBI.dll\" fullword ascii\r\n$s2 = \"3638df174d2e47fbc2cdad390fdf57b44186930e3f9f4e99247556af2745ec513b928c5d78ef0def56b76844a24f50ab5c3a10f\r\n$s3 = \"794311155e3d3b59587a39e6bdeaac42e5a83dbe30a056a059c59a1671d288f7a7cdde39aaf8ce26704ab467e6e7db6da36aec8\r\n$s4 = \"ce37d7187cf033f0f9144a61841e65ebe440d99644c312f2a7527053f27664fc788a70d4013987f40755d30913393c37067fb17\r\n$s5 = 
\"bacefbe356ece5ed36fa3f3c153e8e152cb204299243eba930136e4a954e8f6e4db70d7d7084822762c17da1d350d97c37dbcf2\r\n$s6 = \"acee4914ee999f6158bf7aa90e2f9640d51e2b046c94df4301a6ee1658a54d44e423fc0a5ab3b599d6be74726e266cdb71ccd08\r\n$s7 = \"e2d7e82b0fe30aa846abaa4ab85cb9d47940ec70487f2d5fb4c60012289b133b44e8c244e3ec8e276fa118a54492f348e34e992\r\n$s8 = \"afd386d951143fbfc89016ab29a04b6efcefe7cd9d3e240f1d31d59b9541b222c45bb0dc6adba0ee80b696b85939ac527af149f\r\n$s9 = \"3bb43aa0bbe8dee8d99aaf3ac42fbe3ec5bd8fa68fb85aea8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7be\r\n$s10 = \"a79e1facc14f0a1dfde8f71cec33e08ed6144aa2fd9fe3774c89b50d26b78f4a516a988e412e5cce5a6b6edb7b2cded7fe9212\r\n$s11 = \"69f9b12abc44fac17d92b02eb254c9dc0cfd8888676a9e59f0cb6d630151daccea40e850d615d32d011838f8042a2d6999fab3\r\n$s12 = \"cfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5\r\n$s13 = \"a8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eedc90afe65ba742c395bbdb\r\n$s14 = \"900796689b72e62f24b28affa681c23841f21e2c7a56a18a6bbb572042da8717abc9f195340d12f2fae6cf2a6d609ed5a0501e\r\n$s15 = \"35560790835fe34ed478758636d3b2b797ba95c824533318dfb147146e2b5debb4f974c906dce439d3c97e94465849c9b42e9c\r\n$s16 = \"0b3d20f3cf0f6b3a53c53b8f50f9116edd412776a8f218e6b0d921ccfeeb34875c4674072f84ac612004d8162a6b381f5a3d1f\r\n$s17 = \"72f69c37649149002c41c2d85091b0f6f7683f6e6cc9b9a0063c9b0ce254dddb9736c68f81ed9fed779add52cbb453e106ab81\r\n$s18 = \"f2b7f87aa149a52967593b53deff481355cfe32c2af99ad4d4144d075e2b2c70088758aafdabaf480e87cf202626bde30d3298\r\n$s19 = \"9867f0633c80081f0803b0ed75d37296bac8d3e25e3352624a392fa338570a9930fa3ceb0aaee2095dd3dcb0aab939d7d9a8d5\r\n$s20 = \"3d08b3fcfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 100KB and\r\n( pe.imphash() == \"81782d8702e074c0174968b51590bf48\" and ( pe.exports(\"FZKlWfNWN\") and 
pe.exports(\"IMlNwug\") a\r\n}\r\nrule quantum_ttsel {\r\nmeta:\r\ndescription = \"quantum - file ttsel.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2022-04-24\"\r\nhash1 = \"b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda\"\r\nstrings:\r\n$s1 = \"DSUVWj ]\" fullword ascii\r\n$s2 = \"WWVh@]@\" fullword ascii\r\n$s3 = \"expand 32-byte k\" fullword ascii /* Goodware String - occured 1 times */\r\n$s4 = \"E4PSSh\" fullword ascii /* Goodware String - occured 2 times */\r\n$s5 = \"tySjD3\" fullword ascii\r\n$s6 = \"@]_^[Y\" fullword ascii /* Goodware String - occured 3 times */\r\n$s7 = \"0`0h0p0\" fullword ascii /* Goodware String - occured 3 times */\r\n$s8 = \"tV9_\u003ctQf9_8tKSSh\" fullword ascii\r\n$s9 = \"Vj\\\\Yj?Xj:f\" fullword ascii\r\n$s10 = \"1-1:1I1T1Z1p1w1\" fullword ascii\r\n$s11 = \"8-999E9U9k9\" fullword ascii\r\n$s12 = \"8\\\"8)8H8i8t8\" fullword ascii\r\n$s13 = \"8\\\"868@8M8W8\" fullword ascii\r\n$s14 = \"3\\\"3)3\u003e3F3f3m3t3}3\" fullword ascii\r\n$s15 = \"3\\\"3(3\u003c3]3o3\" fullword ascii\r\n$s16 = \"9 9*909B9\" fullword ascii\r\n$s17 = \"9.979S9]9a9w9\" fullword ascii\r\n$s18 = \"txf9(tsf9)tnj\\\\P\" fullword ascii\r\n$s19 = \"5!5'5-5J5Y5b5i5~5\" fullword ascii\r\n$s20 = \"\u003c2=7=\u003e=E={=\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 200KB and\r\n( pe.imphash() == \"68b5e41a24d5a26c1c2196733789c238\" or 8 of them )\r\n}\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 18 of 19\n\nMITRE\r\nT1204 - User Execution\r\nT1614.001 - System Location Discovery: System Language Discovery\r\nT1218.011 - Signed Binary Proxy Execution: Rundll32\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell\r\nT1055 - Process Injection\r\nT1055.012 - Process Injection: Process Hollowing\r\nT1003.001 - OS Credential Dumping: LSASS Memory\r\nT1486 - Data Encrypted for 
Impact\r\nT1482 - Domain Trust Discovery\r\nT1021.002 - Remote Services: SMB/Windows Admin Shares\r\nT1083 - File and Directory Discovery\r\nT1518.001 - Software Discovery: Security Software Discovery\r\nT1047 - Windows Management Instrumentation\r\nT1087.002 - Account Discovery: Domain Account\r\nT1082 - System Information Discovery\r\nT1018 - Remote System Discovery\r\nT1053.005 - Scheduled Task/Job: Scheduled Task\r\nT1071.001 - Web Protocols\r\nS0029 - PsExec\r\nS0039 - Net\r\nS0100 - ipconfig\r\nS0359 - Nltest\r\nS0483 - IcedID\r\nS0552 - AdFind\r\nS0154 - Cobalt Strike\r\nInternal case #12647\r\nSource: https://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nhttps://thedfirreport.com/2022/04/25/quantum-ransomware/\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2022/04/25/quantum-ransomware/"
	],
	"report_names": [
		"quantum-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434598,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afbf53ebfe87e135ff606a8cd45883bcb6778610.pdf",
		"text": "https://archive.orkl.eu/afbf53ebfe87e135ff606a8cd45883bcb6778610.txt",
		"img": "https://archive.orkl.eu/afbf53ebfe87e135ff606a8cd45883bcb6778610.jpg"
	}
}