Cybereason vs. Quantum Locker Ransomware

Quantum Locker is a fast, human-operated ransomware strain linked to MountLocker that can encrypt data within hours of infection, often leaving defenders little time to respond. Cybereason Nocturnus rates the threat as HIGH severity, describes the intrusion as following a RansomOps (human-operated) playbook, and notes that Cybereason XDR detects and prevents Quantum Locker; the operators publish stolen victim data on their Quantum Blog.

Key Points

  • Quantum Locker is a rebranding of MountLocker, which has also operated under the aliases AstroLocker and XingLocker; the analysis comes from Cybereason's Nocturnus threat-hunting team.
  • Time-to-Ransom (TTR) can be under 4 hours from initial infection to encryption, leaving defenders a very short response window.
  • The operation is a human-operated attack (RansomOps): a targeted intrusion with lateral movement that precedes encryption.
  • Initial access is achieved via IcedID delivered by phishing emails, where an ISO attachment packages a DLL loader together with a shortcut file that launches it.
  • The attackers perform in-network reconnaissance (Active Directory discovery) and credential dumping, then move laterally using WMI, PsExec, and admin shares to spread the ransomware.
  • Ransomware execution includes terminating security-tool processes, encrypting files with a .quantum extension, dropping ransom notes, and writing a detailed execution log.

MITRE Techniques

  • [T1566.001] Phishing – The campaign begins with a phishing email containing an .iso attachment that carries the IcedID loader payload. “…phishing attack via email. The email contained an .iso image file that contains the IcedID loader payload in the form of a DLL (dar.dll) and shortcut file – an .LNK file – that targets the IcedID payload and masquerades as a document.”
  • [T1204.002] User Execution – The end user clicks the shortcut named “document”, triggering the IcedID DLL execution. “When mounting the .iso file, the end user only sees the shortcut file named “document”, and the DLL itself is hidden. After the user clicks on the shortcut, the IcedID DLL is executed.”
  • [T1071] Command and Control – The unpacked loader begins communication with the C2. “The unpacked DLL is loaded into memory (loader_dll_64.dll) and it begins its communication with the C2:”
  • [T1069.002] Active Directory Discovery – AdFind.bat and AdFind.exe are used to collect information about the Active Directory. “The AdFind.bat script is dropped in the %temp% directory, along with the AdFind.exe binary and 7Zip binary named 7.exe. The output is saved into .txt files and sent to the C2.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Batch scripts (adfind.bat, ns.bat) are used to query AD and domain information (nslookup for each host). “The batch file removes tracks by deleting the script, the AdFind binary, the .txt files and the 7Zip binary.”
  • [T1047] Windows Management Instrumentation – Remote WMI discovery tasks test the gained credentials, and WMI is later used for remote execution. “start spreading in the network by copying the ransomware binary to the other machine’s c$\windows\temp shared folder and then execute them remotely via WMI and PsExec.”
  • [T1021.001] Remote Desktop Protocol – Lateral movement also involves connecting to other servers in the environment to spread the infection; RDP is referenced in the broader lateral-movement narrative of the report.
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – The ransomware copies itself to remote machines’ admin shares (c$\windows\temp) and is executed there via remote services (PsExec).
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files and appends the .quantum extension, accompanied by a ransom note. “The ransomware starts its encryption routine. It encrypts the files on the disc and appends the .quantum extension to it.”
  • [T1070.004] File Deletion – The attacker cleans up traces by deleting the dropped scripts and binaries after use. “the batch file removes tracks by deleting the script, the AdFind binary, the .txt files and the 7Zip binary.”
  • [T1562.001] Impair Defenses – The ransomware checks for and terminates security-related processes/services before encryption. “If found, the ransomware tries to kill the service / process” followed by a list of security tools.
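As an added detection example (not code from the Cybereason report), the following Python correlates the lateral-movement chain described above: a binary written through a c$\windows\temp admin share that is then launched on the same host by a WMI or PsExec parent within a short window, plus hosts where files gain the .quantum extension. The log format, hostnames, and paths are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry (not from the Cybereason report), in an assumed
# "timestamp|host|event|key=value ..." format; hostnames and paths are made up.
SAMPLE_LOGS = """\
2022-04-01T10:00:05|WS01|ProcessCreate|image=C:\\Temp\\AdFind.exe parent=cmd.exe
2022-04-01T10:12:30|FS01|FileCreate|path=\\\\FS01\\c$\\windows\\temp\\locker.exe src=WS01
2022-04-01T10:12:41|FS01|ProcessCreate|image=C:\\windows\\temp\\locker.exe parent=WmiPrvSE.exe
2022-04-01T10:13:02|DC01|FileCreate|path=\\\\DC01\\c$\\windows\\temp\\locker.exe src=WS01
2022-04-01T10:13:10|DC01|ProcessCreate|image=C:\\windows\\temp\\locker.exe parent=PSEXESVC.exe
2022-04-01T10:20:00|FS01|FileRename|path=D:\\share\\report.docx.quantum
2022-04-01T10:40:00|APP01|FileCreate|path=\\\\APP01\\c$\\windows\\temp\\update.exe src=WS01
2022-04-01T11:30:00|APP01|ProcessCreate|image=C:\\windows\\temp\\update.exe parent=explorer.exe
"""
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}  # WMI and PsExec launchers
ADMIN_TEMP = re.compile(r"\\c\$\\windows\\temp\\([^\\\s]+)$", re.IGNORECASE)

def parse_logs(text):
    """Turn the pipe-delimited lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": kind, **fields})
    return events

def detect_lateral_spread(events, window=timedelta(minutes=30)):
    """Alert when a file dropped via a c$\\windows\\temp admin share is then
    started on that host by a WMI or PsExec parent within the window."""
    drops = {}  # (host, basename) -> time the file landed on the admin share
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "FileCreate":
            m = ADMIN_TEMP.search(ev.get("path", ""))
            if m:
                drops[(ev["host"], m.group(1).lower())] = ev["ts"]
        elif ev["event"] == "ProcessCreate":
            name = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            parent = ev.get("parent", "").lower()
            dropped = drops.get((ev["host"], name))
            if dropped and parent in REMOTE_EXEC_PARENTS and ev["ts"] - dropped <= window:
                alerts.append({"host": ev["host"], "binary": name, "via": parent})
    return alerts

def detect_quantum_extension(events):
    """Hosts where files are being renamed to the .quantum extension."""
    return sorted({e["host"] for e in events if e["event"] == "FileRename"
                   and e.get("path", "").lower().endswith(".quantum")})
```

The APP01 lines show the negative case: a drop to the admin share followed by a local, interactive launch does not fire, because the correlation requires a remote-execution parent.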

Indicators of Compromise

  • [SHA256] Quantum binaries – b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192, 1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58, and 2 more hashes
  • [SHA256] Quantum binaries – 8d30ab8260760e12a8990866eced1567ced257e0cb2fc9f7d2ea927806435208, 2c84b5162ef66c154c66fed1d14f348e5e0054dff486a63f0473165fdbee9b2e, and 2 more hashes
  • [IP] IcedID C2 – 138[.]68.42.130, 157[.]245.142.66, and 1 more IP
  • [Domain] IcedID C2 – dilimoretast[.]com, antnosience[.]com, and 2 more domains

Read more: https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware