Quantum Ransomware By editor Published: 2022-04-25 · Archived: 2026-04-05 14:17:23 UTC In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for this case was an IcedID payload delivered via email. We have observed IcedID malware being utilized as the initial access by various ransomware groups. Examples from some of our previous cases include: XingLocker – IcedID to XingLocker Ransomware in 24 hours Conti – Stolen Images Campaign Ends in Conti Ransomware and Conti Ransomware REvil – Sodinokibi (aka REvil) Ransomware Once the initial IcedID payload was executed, approximately 2 hours after initial infection, the threat actors appeared to begin hands-on-keyboard activity. Cobalt Strike and RDP were used to move across the network before using WMI and PsExec to deploy the Quantum ransomware. This case exemplified an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes. The DFIR Report Services Private Threat Briefs: Over 20 private DFIR reports annually. Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc. All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel. Private Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT&CK with test examples. DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds. Contact us today for pricing or a demo! Case Summary The threat actor was able to enter the network when a user endpoint was compromised by an IcedID payload contained within an ISO image. We have high confidence this payload was delivered via email, however we were not able to identify the delivery email. The ISO contained a DLL file (IcedID malware) and a LNK shortcut to execute it. The end user after clicking into the ISO file, could see just a single file named “document”, which is a LNK shortcut to a hidden DLL packaged in the ISO. When the user clicks on the LNK file, the IcedID DLL is executed. Upon this execution of the IcedID DLL, a battery of discovery tasks were executed using built-in Windows utilities like ipconfig, systeminfo, nltest, net, and chcp. The IcedID malware also created a scheduled task as a means of persistence on the beachhead host. Around two hours later, Cobalt Strike was deployed using process hollowing and injection techniques. This marked the start of “hands-on-keyboard” activity by the threat actors. This activity included using AdFind through a batch script called adfind.bat to perform discovery of the target organizations active directory structure. The threat actors gathered host based network information by running a batch script named ns.bat , which ran nslookup for each host in the environment. The Cobalt Strike process then proceeded to access LSASS memory to extract credentials, which a few minutes later were tested to run remote WMI discovery tasks on a server. After confirming their credentials worked with the WMI actions, the threat actor proceeded to RDP into that server, and attempted to drop and execute a Cobalt Strike DLL beacon on that server. This appeared to fail so the threat actor then opened cmd and proceeded to execute a PowerShell Cobalt Strike Beacon. This Beacon was successful in connecting to the same command and control server observed on the beachhead host. For the next hour, the threat actor proceeded to make RDP connections to other servers in the environment. Once the threat actor had a handle on the layout of the domain, they prepared to deploy the ransomware by copying the ransomware (named ttsel.exe ) to each host through the C$ share folder. They used two methods of remote execution to detonate the ransomware binary, WMI and PsExec. This ransomware deployment concluded less than four hours from the initial IcedID execution. While the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is possible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data. https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 1 of 19 Timeline Report Lead: @svch0st Contributing Analysts: @0xtornado, @samaritan_o Initial Access https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 2 of 19 The threat actor gained initial access through the common malware, IcedID. The payload was delivered within an ISO file, docs_invoice_173.iso , via email, where a user opened and executed the malware. Shout out to @k3dg3 for making these ISOs available. We were able to determine the user mounted the ISO using the Event ID 12 in Microsoft-Windows-VHDMP-Operational.evtx as shown below: When mounted, the ISO contained two files: document.lnk dar.dll (hidden attribute enabled) Typical end user perspective after opening the ISO file: The file document.lnk is a shortcut or lnk file and dar.dll was the IcedID payload.   Execution  A quick look at document.lnk ‘s properties highlight the command line that is executed on launch: C:\Windows\System32\rundll32.exe dar.dll,DllRegisterServer https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 3 of 19 But we can do a lot better than that with a .lnk file! These .lnk files provide a wealth of knowledge to investigators. For example, below is a partial output of the tool LECmd.exe (by Eric Zimmerman). When used on the file document.lnk , it parses out metadata such as when the shortcut file was made, what hostname and the MAC Address of the device it was created on and even the directory path of the user that created it! We were able to determine when the user clicked on the lnk file and when a new process was created with the command line mentioned above. Furthermore, the Event ID 4663 in Security.evtx highlighted when explorer.exe accessed document.lnk : Additionally, the context of execution location and parent process can also be used to follow the user execution process. https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 4 of 19 Shortly after execution of the payload, several child processes were spawned that created persistence and began discovery on the host. This included an instance of C:\Windows\SysWOW64\cmd.exe , which the IcedID malware used to hollow out and then inject a Cobalt Strike beacon into. There were several additional indications of Cobalt Strike we observed to verify it was utilized by the threat actor. The cmd.exe process spawned a suspicious instance of rundll32.exe . There were no command line arguments for this process which is atypical for rundll32.exe. A further indication was the rundll32.exe process creating a named pipe, postex_304a. This behavior of rundll32.exe and a named pipe that matches postex_[0-9a-f] {4} , is the default behavior used by Cobalt Strike 4.2+ post exploitation jobs. For more information on Cobalt Strike, you can read our article Cobalt Strike, a Defender’s Guide. When we reviewed the memory of this process, we were able to confirm it was in fact Cobalt Strike when we successfully extracted the beacon configuration (additional details can be found in the Command and Control section). The threat actor https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 5 of 19 also executed a PowerShell Cobalt Strike payload on some servers: This payload is using the default Cobalt Strike obfuscation scheme (XOR 35), and can easily be decoded using CyberChef: The output can be analyzed using scdbg to highlight what Windows API calls the shellcode makes: Prior to using the PowerShell beacon the threat actor dropped a DLL beacon on the server (p227.dll), but this appears to have failed for unknown reasons after which, the threat actor moved on to the PowerShell beacon which executed successfully. Persistence After the initial execution of the IcedID malware, it established persistence by creating a copy of the malware (Ulfefi32.dll) in the AppData directory of the affected user and created a scheduled task to execute it every hour. The task \kajeavmeva_{B8C1A6A8-541E-8280-8C9A-74DF5295B61A} was created with the execution action below: https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 6 of 19 Defense Evasion Process injection was observed during the intrusion by both IcedID and Cobalt Strike. On one system, the threat actor injected into the winlogon process. Cobalt Strike Processes Identified by in Memory Yara Scanning. { "Pid": 7248, "ProcessName": "cmd.exe", "CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe", "Detection": [ "win_cobalt_strike_auto", "cobaltstrike_beacon_4_2_decrypt" ] } { "Pid": 584, "ProcessName": "winlogon.exe", "CommandLine": "winlogon.exe", "Detection": [ "win_cobalt_strike_auto", "cobaltstrike_beacon_4_2_decrypt" ] } { "Pid": 5712, "ProcessName": "powershell.exe", "CommandLine": "\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo - "Detection": [ "win_cobalt_strike_auto", "cobaltstrike_beacon_4_2_decrypt" ] } Volatility Malfind output shows the embedded MZ header in the winlogon process with the setting PAGE_EXECUTE_READWRITE protection settings on the memory space, a commonly observed attribute of process injection. https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 7 of 19 Network connections to the Cobalt Strike server by winlogon were also observed in the process logs. Credential Access LSASS Access Suspicious accesses to LSASS process memory were observed during this intrusion. As illustrated below, those accesses have been made using both Windows Task Manager and rundll32.exe which is assessed to be a Cobalt Strike temporary beacon (as shown in the Execution graph): The threat actors managed to steal administrator account credentials, allowing them to move laterally across the Active Directory domain. Discovery As mentioned in the Execution section, the IcedID process ran several initial discovery commands that provided environmental information about the host, network, and domain, to the threat actor. Given the timing of these commands were immediately after the execution of IcedID, we believe these commands were executed automatically upon check-in. cmd.exe /c chcp >&2 WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List ipconfig /all systeminfo https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 8 of 19 net config workstation nltest /domain_trusts nltest /domain_trusts /all_trusts net view /all /domain net view /all net group "Domain Admins" /domain A cmd.exe process spawned from IcedID which ran additional discovery queries. The threat actor dropped the following files in C:\Windows\Temp directory: 7.exe (7zip) adfind.exe (AdFind) adfind.bat (pictured below) The actor used the Active Directory enumeration tool AdFind to collect information such as the users, computers and subnets in the domain. The file ad.7z , was the resulting output of the AdFind commands above. After that, an additional batch script was created, ns.bat , which enumerated all host names in the domain with nslookup to identify the IP address of the host. Prior to the first lateral movement from the beachhead host, the threat actor tested credentials and gathered information from their targeted remote server using WMI https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 9 of 19 C:\Windows\system32\cmd.exe, /C, wmic, /node:X.X.X.X, /user:administrator, /password:*****, os, get, caption Lateral Movement Remote Desktop Protocol The threat actor used RDP to move laterally to critical hosts. In particular, we have evidence on multiple machines of RDP using the Administrator account. The attacker in this intrusion initiated RDP connections from a workstation, named TERZITERZI. See the screenshot below: The RDP connections were established from the Cobalt Strike process running the beacon indicating the threat actor utilizing proxy on the beachhead host to facilitate the RDP traffic.: PsExec PsExec was used to facilitate the ransomware execution. The threat actor utilized the “-r” option in PsExec to define a custom name ( mstdc ) of the remote service created on the target host (by default it’s PSEXESVC). WMI Through-out the intrusion the threat actor was also observed using WMIC to perform lateral activities including discovery actions remotely, and as a second option, to ensure all the remote hosts successfully executed the final ransomware payload. The WMIC commands prefaced with /node:IP Address allowed the threat actor to run commands on remote hosts. Command and Control IcedID As we saw from the execution section, dar.dll  was used to contact the below domains: dilimoretast[.]com 138[.]68.42.130:443 Ja3: a0e9f5d64349fb13191bc781f81f42e1 Ja3s: ec74a5c51106f0419184d0dd08fb05bc Certificate: [3e:f4:e9:d6:3e:47:e3:ce:51:2e:2a:91:e5:48:41:54:5e:53:54:e2 ] Not Before: 2022/03/22 09:34:53 UTC Not After: 2023/03/22 09:34:53 UTC Issuer Org: Internet Widgits Pty Ltd Subject Common: localhost Subject Org: Internet Widgits Pty Ltd Public Algorithm: rsaEncryption antnosience[.]com https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 10 of 19 157[.]245.142.66:443 JA3: a0e9f5d64349fb13191bc781f81f42e1 Ja3s: ec74a5c51106f0419184d0dd08fb05bc Certificate: [0c:eb:c1:4b:0d:a1:b6:9d:7d:60:ed:c0:30:56:b7:48:10:d1:b1:6c ] Not Before: 2022/03/19 09:22:57 UTC Not After: 2023/03/19 09:22:57 UTC Issuer Org: Internet Widgits Pty Ltd Subject Common: localhost Subject Org: Internet Widgits Pty Ltd Public Algorithm: rsaEncryption oceriesfornot[.]top 188[.]166.154.118:80 Cobalt Strike 185.203.118[.]227 Watermark: 305419776 Ja3: 72a589da586844d7f0818ce684948eea Ja3s: f176ba63b4d68e576b5ba345bec2c7b7 Certificate: [72:a1:ac:20:97:a0:cb:4f:b5:41:db:6e:32:fb:f5:7b:fd:43:9b:4b ] Not Before: 2022/03/21 22:16:04 UTC Not After: 2023/03/21 22:16:04 UTC Issuer Org: Google GMail Subject Common: gmail.com Subject Org: Google GMail Public Algorithm: rsaEncryption { "beacontype": [ "HTTPS" ], "sleeptime": 60000, "jitter": 15, "maxgetsize": 1049376, "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==", "license_id": 305419776, "cfg_caution": false, "kill_date": "2022-04-22", "server": { "hostname": "185.203.118.227", "port": 443, "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+Q }, "host_header": "", "useragent_header": null, "http-get": { "uri": "/_/scs/mail-static/_/js/", "verb": "GET", "client": { "headers": null, "metadata": null }, "server": { "output": [ "print", "append 375 characters", "append 250 characters", "prepend 4 characters", "prepend 28 characters", "prepend 36 characters", "prepend 18 characters", "prepend 4 characters", "prepend 28 characters", "prepend 36 characters", "prepend 17 characters", https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 11 of 19 "prepend 4 characters" ] } }, "http-post": { "uri": "/mail/u/0/", "verb": "POST", "client": { "headers": null, "id": null, "output": null } }, "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "crypto_scheme": 0, "proxy": { "type": null, "username": null, "password": null, "behavior": "Use IE settings" }, "http_post_chunk": 0, "uses_cookies": true, "post-ex": { "spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "spawnto_x64": "%windir%\\sysnative\\rundll32.exe" }, "process-inject": { "allocator": "VirtualAllocEx", "execute": [ "CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread" ], "min_alloc": 0, "startrwx": true, "stub": "tUr+Aexqde3zXhpE+L05KQ==", "transform-x86": null, "transform-x64": null, "userwx": true }, "dns-beacon": { "dns_idle": null, "dns_sleep": null, "maxdns": null, "beacon": null, "get_A": null, "get_AAAA": null, "get_TXT": null, "put_metadata": null, "put_output": null }, "pipename": null, "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "stage": { "cleanup": false }, "ssh": { "hostname": null, "port": null, "username": null, "password": null, "privatekey": null } } Exfiltration https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 12 of 19 While the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is possible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data. Impact Just shy of four hours into the intrusion, the threat actors began acting on their final objectives, domain wide ransomware deployment. With their pivot point from one of the domain controllers, the actor used a combination of both PsExec and WMI to remotely execute the ransomware. They first copied the payload, ttsel.exe , to the C$ share of each host on the network. C:\Windows\system32\cmd.exe /K copy ttsel.exe \\\c$\windows\temp\ PsExec The threat actor utilized the “-r” option in PsExec to define a custom name (“mstdc”) of the remote service created on the target host (by default is PSEXESVC). psexec.exe \\ -u \Administrator -p "" -s -d -h -r mstdc -accepteula -nobanner c This resulted in the file C:\Windows\mstdc.exe being created on the target endpoint when PsExec was executed. WMI The alternate execution method the actor employed was a WMI call to start a remote process on the target host. wmic /node:"" /user:"\Administrator" /password:"" process call create "cmd.exe / The Quantum ransomware began to encrypt files across all hosts in the environment which then dropped the following ransom note: README_TO_DECRYPT.html The Quantum portal had a unique option to create and set a password to the negotiation chat. https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 13 of 19 Once authenticated, it displays the chat window with the threat actor. Diamond Model Feedback always appreciated: https://thedfirreport.com/contact/ Indicators Files https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 14 of 19 docs_invoice_173.iso e051009b12b37c7ee16e810c135f1fef 415b27cd03d3d701a202924c26d25410ea0974d7 5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b dar.dll 4a6ceabb2ce1b486398c254a5503b792 08a1c43bd1c63bbea864133d2923755aa2f74440 4a76a28498b7f391cdc2be73124b4225497232540247ca3662abd9ab2210be36 document.lnk adf0907a6114c2b55349c08251efdf50 aa25ae2f9dbe514169f4526ef4a61c1feeb1386a 3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6 adf.bat ebf6f4683d8392add3ef32de1edf29c4 444c704afe4ee33d335bbdfae79b58aba077d10d 2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04 Ulfefi32.dll 49513b3b8809312d34bb09bd9ea3eb46 445294080bf3f58e9aaa3c9bcf1f346bc9b1eccb 6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7 license.dat e9ad8fae2dd8f9d12e709af20d9aefad db7d1545c3c7e60235700af672c1d20175b380cd 84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238 ttsel.exe b1eff4fffe66753e5f4265bc5332f72e da2caf36b52d81a0d983407ab143bef8df119b8d b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda p227.dll 350f82de99b8696fea6e189fcd4ca454 deea45010006c8bde12a800d73475a5824ca2e6f c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3 Network IcedID dilimoretast[.]com antnosience[.]com oceriesfornot[.]top 138[.]68.42.130:443 157[.]245.142.66:443 188[.]166.154.118:80 Cobalt Strike C2/IP: 185.203.118[.]227:443 Watermark: 305419776 Detections Network ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke) ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory ET MALWARE Win32/IcedID Request Cookie ET POLICY PE EXE or DLL Windows file download HTTP ET POLICY PsExec service created ET RPC DCERPC SVCCTL - Remote Service Control Manager Access ET POLICY SMB2 NT Create AndX Request For an Executable File ET DNS Query to a *.top domain - Likely Hostile https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 15 of 19 ET INFO HTTP Request to a *.top domain ET POLICY SMB Executable File Transfer Sigma https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/CHCP%20CodePage%20Locale%20Lookup https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_d https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_dis https://github.com/SigmaHQ/sigma/blob/dfdaecc52ca385c66d1b16971ce867e81bdce82e/rules/windows/pipe_created/pipe_created_psexec_pipes_artifa https://github.com/SigmaHQ/sigma/blob/625f05df3c477c4cd7a22e2a7a19742615da1eb5/rules/windows/file/file_event/file_event_win_tool_psexec.yml https://github.com/SigmaHQ/sigma/blob/c5263039ae6e28a09192b4be2af40fea59a06b08/rules/windows/process_creation/proc_creation_win_wmic_rem https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_wm https://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_pow https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_sys https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32 https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml Yara /* YARA Rule Set Author: The DFIR Report Date: 2022-04-24 Identifier: Quantum Case 12647 Reference: https://thedfirreport.com */ /* Rule Set ----------------------------------------------------------------- */ import "pe" rule docs_invoice_173 { meta: description = "IcedID - file docs_invoice_173.iso" author = "The DFIR Report" reference = "https://thedfirreport.com" date = "2022-04-24" hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b" strings: $x1 = "dar.dll,DllRegisterServer!%SystemRoot%\\System32\\SHELL32.dll" fullword wide $x2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii $s3 = "C:\\Users\\admin\\Desktop\\data" fullword wide $s4 = "Desktop (C:\\Users\\admin)" fullword wide $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s6 = "1t3Eo8.dll" fullword ascii $s7 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide $s8 = "DAR.DLL." fullword ascii $s9 = "dar.dll:h" fullword wide $s10 = "document.lnk" fullword wide $s11 = "DOCUMENT.LNK" fullword ascii $s12 = "6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe $s13 = "03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f $s14 = "d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82 $s15 = "7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de $s16 = "89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f $s17 = "8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a56 $s18 = "24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f41 $s19 = "827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331 https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 16 of 19 $s20 = "7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e condition: uint16(0) == 0x0000 and filesize < 600KB and 1 of ($x*) and 4 of them } rule quantum_license { meta: description = "IcedID - file license.dat" author = "The DFIR Report" reference = "https://thedfirreport.com" date = "2022-04-24" hash1 = "84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238" strings: $s1 = "W* |[h" fullword ascii $s2 = "PSHN,;x" fullword ascii $s3 = "ephu\"W" fullword ascii $s4 = "LwUw9\\" fullword ascii $s5 = "VYZP~pN," fullword ascii $s6 = "eRek?@" fullword ascii $s7 = "urKuEqR" fullword ascii $s8 = "1zjWa{`!" fullword ascii $s9 = "YHAV{tl" fullword ascii $s10 = "bwDU?u" fullword ascii $s11 = "SJbW`!W" fullword ascii $s12 = "BNnEx1k" fullword ascii $s13 = "SEENI3=" fullword ascii $s14 = "Bthw?:'H*" fullword ascii $s15 = "NfGHNHC" fullword ascii $s16 = "xUKlrl'>`" fullword ascii $s17 = "gZaZ^;Ro2" fullword ascii $s18 = "JhVo5Bb" fullword ascii $s19 = "OPta)}$" fullword ascii $s20 = "cZZJoVB" fullword ascii condition: uint16(0) == 0x44f8 and filesize < 1000KB and 8 of them } rule quantum_p227 { meta: description = "Cobalt Strike - file p227.dll" author = "The DFIR Report" reference = "https://thedfirreport.com" date = "2022-04-24" hash1 = "c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3" strings: $s1 = "Remote Event Log Manager4" fullword wide $s2 = "IIdRemoteCMDServer" fullword ascii $s3 = "? ?6?B?`?" fullword ascii /* hex encoded string 'k' */ $s4 = "<*=.=2=6=<=\\=" fullword ascii /* hex encoded string '&' */ $s5 = ">'?+?/?3?7?;???" fullword ascii /* hex encoded string '7' */ $s6 = ":#:':+:/:3:7:" fullword ascii /* hex encoded string '7' */ $s7 = "2(252<2[2" fullword ascii /* hex encoded string '"R"' */ $s8 = ":$;,;2;>;F;" fullword ascii /* hex encoded string '/' */ $s9 = ":<:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii $s10 = "%IdThreadMgr" fullword ascii $s11 = "AutoHotkeys3F3f3m3t3}3" fullword ascii $s15 = "3\"3(3<3]3o3" fullword ascii $s16 = "9 9*909B9" fullword ascii $s17 = "9.979S9]9a9w9" fullword ascii $s18 = "txf9(tsf9)tnj\\P" fullword ascii $s19 = "5!5'5-5J5Y5b5i5~5" fullword ascii $s20 = "<2=7=>=E={=" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 200KB and ( pe.imphash() == "68b5e41a24d5a26c1c2196733789c238" or 8 of them ) } https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 18 of 19 MITRE T1204 - User Execution T1614.001 - System Location Discovery: System Language Discovery T1218.011 - Signed Binary Proxy Execution: Rundll32 T1059.001 - Command and Scripting Interpreter: PowerShell T1059.003 - Command and Scripting Interpreter: Windows Command Shell T1055 - Process Injection T1055.012 - Process Injection: Process Hollowing T1003.001 - OS Credential Dumping: LSASS Memory T1486 - Data Encrypted for Impact T1482 - Domain Trust Discovery T1021.002 - Remote Services: SMB/Windows Admin Shares T1083 - File and Directory Discovery T1518.001 - Software Discovery: Security Software Discovery T1047 - Windows Management Instrumentation T1087.002 - Account Discovery: Domain Account T1082 - System Information Discovery T1018 - Remote System Discovery T1053.005 - Scheduled Task/Job: Scheduled Task T1071.001 - Web Protocols S0029 - PsExec S0039 - Net S0100 - ipconfig S0359 - Nltest S0483 - IcedID S0552 - AdFind S0154 - Cobalt Strike Internal case #12647 Source: https://thedfirreport.com/2022/04/25/quantum-ransomware/ https://thedfirreport.com/2022/04/25/quantum-ransomware/ Page 19 of 19