fantom | 8b11977fad03dca09599067274a89de032aaf99c9c493aa68c3875f5af5628d4

Analysis

max time kernel
903s
max time network
903s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
09-08-2022 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fantom.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Score

10^/10

fantom evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3440072777-2118400376-1759599358-1000\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>jG3V2VjJzKJaSGH9l115f2UeU4pfKSBUWG8tzbiO1KOLVdDdwvvZUa/PyJj87zEJ06NNsTZtwQNjxzmpIsV4vCcMsjUIVOsjvHBPZYg+51uhcwdKIw89PWAmc2LFLU/0Hz7v4QCdaVBMs4/95KFQ5tMfgo7QotntAiv9ImomAsMDyTz6OflVmvEuoVhOsiyLsW5Q4GKgCOhJfU7pRpgCQvLidv9ITXVTNR6z3vNCr5mwWCuE5lVr6RFzfcKvx/DHzTnOahkLpygl2/9y6RF1ESgm0dkeJrb8jErt37tZHbYayUSLoBlXUeiAwssFNQiHS8lwNhIYPYBENjv8lhHklg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 29 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	WindowsUpdate.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ReadClose.crw => C:\Users\Admin\Pictures\ReadClose.crw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\UnregisterAssert.tif => C:\Users\Admin\Pictures\UnregisterAssert.tif.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\DismountOpen.raw => C:\Users\Admin\Pictures\DismountOpen.raw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\EnableAssert.tif => C:\Users\Admin\Pictures\EnableAssert.tif.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\GrantLimit.raw => C:\Users\Admin\Pictures\GrantLimit.raw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.fantom	Fantom.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Loads dropped DLL 1 IoCs

pid	Process
2012	Fantom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl007.inf_amd64_neutral_935cd017fcb965ee\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseE\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_requires.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Ultimate\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_neutral_269d7150439b3372\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Users.gif	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_types.ps1xml.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Comparison_Operators.help.txt	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5060t.xml	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Starter\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\adminui-dl.man	Fantom.exe
File created	C:\Windows\SysWOW64\Tasks\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_providers.help.txt	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\com\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj3.inf_amd64_neutral_7e1053ab483310f6\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasic\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\lv-LV\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\MUI\0C0A\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremium\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicN\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0013\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_execution_policies.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_escape_characters.help.txt	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\Dism\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WCN\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmeric2.inf_amd64_neutral_a0575ec9ce5c7de9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmkortx.inf_amd64_neutral_1975687236603184\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj5.inf_amd64_neutral_15940559c66fe8d9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Line_Editing.help.txt	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\IME\shared\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\System32\catroot2\edb006BC.log	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsupra.inf_amd64_neutral_c4fe81ea47c6df87\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc4.inf_amd64_neutral_310871d800afa82a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\iis-webdav-rm.man	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pipelines.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_FAQ.help.txt	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.Commands.Utility.dll-Help.xml	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-AppServer-Licensing\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterN\license.rtf	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Starter\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseE\license.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\it-IT\lpeula.rtf	Fantom.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\license.rtf	Fantom.exe
File created	C:\Windows\System32\LogFiles\Fax\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_format.ps1xml.help.txt	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmoptn.inf_amd64_neutral_be2f30f68f2a5567\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\2d5s8g4ed.jpg"	Fantom.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Teal.css	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif	Fantom.exe
File opened for modification	C:\Program Files\SelectPing.xltx	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	Fantom.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Adobe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Doc.css	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Casual.css	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	Fantom.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png	Fantom.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	Fantom.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif	Fantom.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	Fantom.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	Fantom.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	Fantom.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_nl-nl_b7ca4d8b5a0ff58b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_netr28x.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_367b46b1910aef06\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.applocker_help.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_384eaa27d84131f9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..n-shvhost.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5aa71d84c72a7424\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Client.resources\3.5.0.0_ja_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..tedlinktracking-adm_31bf3856ad364e35_6.1.7600.16385_none_9f07bdbfcdd751fe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\hint_over.png	Fantom.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_common_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_e30a73284d02ae8d\UninstallCommon.sql	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_he-il_3ebf4d44318de6de\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..rting-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d4bae483184c817b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-parent.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1eee290dae7a167a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.inetsrvmmc.resources_31bf3856ad364e35_6.1.7601.17514_en-us_ff54d237e996751d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0155c6b8340819bb\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..tional-codepage-874_31bf3856ad364e35_6.1.7600.16385_none_cec03856fc83cf16\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\45d49301a9e8ff19669155b1ec5c45ce\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50\RasDdm-Repl.man	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..hared-versiondialog_31bf3856ad364e35_6.1.7600.16385_none_0a65a5db9b5b8955\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_48441e06b17c89b0\license.rtf	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..r-service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf3a391cd0ba3496\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-restartmanager_31bf3856ad364e35_6.1.7600.16385_none_800bbdee85723191\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_display.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e2c8381067c21eeb\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..sions-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_48452452cb99e1ab\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpoa430t.xml	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cabview.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_836815df27654150\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\PLA\System\System Diagnostics.xml	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_809ad1b1fd87a64c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_0f5710be8aabeaef\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_de-de_f06f5fc570802050\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-x..lugin-mui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8ccb1180127a7713\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceModel\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-daunpenh_31bf3856ad364e35_6.1.7601.17514_none_65eab3ba3a64f6af\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000041e_31bf3856ad364e35_6.1.7600.16385_none_5a4674826f15c53e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\Memories_buttonClear.png	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00020402_31bf3856ad364e35_6.1.7600.16385_none_9439cf849722c125\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\d660f850b373b57c4e22a7100feeb1a4\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Media\Afternoon\Windows Ding.wav	Fantom.exe
File created	C:\Windows\winsxs\amd64_ricoh.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_79ea42e05da38b24\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7601.17514_none_82bb0d73fd19227d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a412dbba527dc14e\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_6.1.7600.16385_none_ecec366cd1b30e6c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_scsidev.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3539c222e90859c0\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..ional-normalization_31bf3856ad364e35_6.1.7600.16385_none_5c369cae1c02add4\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sysprep-aecache_31bf3856ad364e35_6.1.7600.16385_none_f4906b14fa5f4e62\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\msil_system.workflow.runtime.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f292b941fa7197a9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-computer-name-ui_31bf3856ad364e35_6.1.7601.17514_none_100e917a4cc5476d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_32\mcstoredb\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Vss\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-devicecenter.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e4aa9fc8d76c7111\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-gptext_31bf3856ad364e35_6.1.7600.16385_none_372622adf05a6587\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_93209fb7e6211ac9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_prnky009.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c39078928ba1350\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sl-si_49ee58083def9b4b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shmig.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7fb2d88c68d4d756\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_uk-ua_e8c7e489ddaf3a0c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-bitlock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2821be55ed5228d1\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-flippage_31bf3856ad364e35_6.1.7600.16385_none_0f19716417635239\NavigationUp_ButtonGraphic.png	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winlogon-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1fc94b65b3d8ffd0\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.s..rt_driver.resources_31bf3856ad364e35_6.1.7600.16385_it-it_399ef387d4797613\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..ragelayer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a0b8ce5c8bdc72bb\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a9f6186c5e6b7f98\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ab-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1a1bfba77693a730\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\winsxs\amd64_nvraid.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_df1c66ee6e5650e5\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
360	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Fantom.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Fantom.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	Fantom.exe
2012	Fantom.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	Fantom.exe
Token: SeBackupPrivilege	1604	vssvc.exe
Token: SeRestorePrivilege	1604	vssvc.exe
Token: SeAuditPrivilege	1604	vssvc.exe
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1168	2012	Fantom.exe	27
PID 2012 wrote to memory of 1168	2012	Fantom.exe	27
PID 2012 wrote to memory of 1168	2012	Fantom.exe	27
PID 2012 wrote to memory of 1168	2012	Fantom.exe	27
PID 2012 wrote to memory of 1972	2012	Fantom.exe	28
PID 2012 wrote to memory of 1972	2012	Fantom.exe	28
PID 2012 wrote to memory of 1972	2012	Fantom.exe	28
PID 2012 wrote to memory of 1972	2012	Fantom.exe	28
PID 2012 wrote to memory of 824	2012	Fantom.exe	30
PID 2012 wrote to memory of 824	2012	Fantom.exe	30
PID 2012 wrote to memory of 824	2012	Fantom.exe	30
PID 2012 wrote to memory of 824	2012	Fantom.exe	30
PID 2012 wrote to memory of 824	2012	Fantom.exe	30
PID 2012 wrote to memory of 824	2012	Fantom.exe	30
PID 2012 wrote to memory of 824	2012	Fantom.exe	30
PID 2012 wrote to memory of 1560	2012	Fantom.exe	32
PID 2012 wrote to memory of 1560	2012	Fantom.exe	32
PID 2012 wrote to memory of 1560	2012	Fantom.exe	32
PID 2012 wrote to memory of 1560	2012	Fantom.exe	32
PID 2012 wrote to memory of 1560	2012	Fantom.exe	32
PID 2012 wrote to memory of 1560	2012	Fantom.exe	32
PID 2012 wrote to memory of 1560	2012	Fantom.exe	32
PID 1972 wrote to memory of 360	1972	cmd.exe	35
PID 1972 wrote to memory of 360	1972	cmd.exe	35
PID 1972 wrote to memory of 360	1972	cmd.exe	35
PID 1972 wrote to memory of 360	1972	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update0.bat" "
  2⤵
  PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
71B

MD5
b132f4472ca04d3aa18bb37aaa230630

SHA1
fe549c6c96c7d9341fd13e12fc24d3551b0c1f67

SHA256
75ffe7befe62da3753a0c83c65e269ad159a6083ae893acf2651557f9f1a3c2c

SHA512
c11ea34e3c696dffd66acf2353cbe12796fef417bccacdeaede500a3222fac4b8efc18747d8c726212623cf8cf99046527978686ebd329e40592837688f54605

Download Submit
C:\Users\Admin\AppData\Local\Temp\update0.bat

Filesize
78B

MD5
397dc7373e23f1980ecf849a29708041

SHA1
6c91608ebe57a3d9375f646ff287e46a9f18c861

SHA256
3ffedf213b18d61561cdbdf3de6946284c7b0541a69a89ebda74add1aff7fd5a

SHA512
9c8cf8355cde0402b71fb4e713d14ed12a1031c3120b4a1af6e10ce02dd5828b8d27345ef28f40c34da329e47b36f4f0da74c7cd4cf3d3964d004a16e72096fb

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
35B

MD5
d41ac96c53b4fe0dfbe1b080649141c1

SHA1
b4d75213c61646b5bd48eadf723542fa9aef8b00

SHA256
325de85e48afabcc0d53d5f6d9371314d0ed6e46d91c271abceccca58cbbd238

SHA512
a65c10d4face73078643ebc99c022a19a5944cef222c27739bc94456bd7601b5f118d4f2738fbc8374b8ad86c927fa0dcca7177fc936409f3000b7b58a6c1563

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
memory/1168-62-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/1168-64-0x000000001AFB6000-0x000000001AFD5000-memory.dmp

Filesize
124KB

Download
memory/1168-63-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1168-68-0x000000001AFB6000-0x000000001AFD5000-memory.dmp

Filesize
124KB

Download
memory/2012-66-0x00000000046AA000-0x00000000046BB000-memory.dmp

Filesize
68KB

Download
memory/2012-65-0x00000000046AA000-0x00000000046BB000-memory.dmp

Filesize
68KB

Download
memory/2012-54-0x00000000046E0000-0x0000000004712000-memory.dmp

Filesize
200KB

Download
memory/2012-57-0x0000000004C40000-0x0000000004C4E000-memory.dmp

Filesize
56KB

Download
memory/2012-56-0x0000000075791000-0x0000000075793000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000004710000-0x0000000004742000-memory.dmp

Filesize
200KB

Download
memory/2012-75-0x00000000046AA000-0x00000000046BB000-memory.dmp

Filesize
68KB

Download