Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    762s
  • max time network
    765s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/08/2022, 02:40

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2372564722-193526734-2636556182-1000\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>gPnpnoUrgj5XPEOeM5CQxmNNhiI0lfAMmrj/xgSi6zykDfqv5gP3GIXiKmzVJ2CGHlsnKhCsXSTT4eZSt/RuSLVtylgv4iqCGDJuZd7HVO0OlHxClzlOU0bTevwskKdc/BtBrhhyPHIx3epMBvE+EabQF89xhgS24lCIwn3o/yKSSTRgam9h4S8rQMppTMY0dqonYsrZK3nyjYeuDlNm7ULAMLwL6wSqh5LdKzzc3ONSmHmfYJ5mZh9dgSLh0oLoSgRSP6aoQMz2Fg5FpB3yZwSwwBUwqWUZq+sftdAzFNuS6oY/NHOxLvB80syScUsrBrcb1Ca0Jn+Lq6GA6EKUuQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 19 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1696
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
      2⤵
        PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update0.bat" "
        2⤵
          PID:2488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
          2⤵
            PID:4248

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

          Filesize

          21KB

          MD5

          fec89e9d2784b4c015fed6f5ae558e08

          SHA1

          581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

          SHA256

          489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

          SHA512

          e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

          Filesize

          21KB

          MD5

          fec89e9d2784b4c015fed6f5ae558e08

          SHA1

          581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

          SHA256

          489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

          SHA512

          e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

        • C:\Users\Admin\AppData\Local\Temp\update.bat

          Filesize

          71B

          MD5

          b132f4472ca04d3aa18bb37aaa230630

          SHA1

          fe549c6c96c7d9341fd13e12fc24d3551b0c1f67

          SHA256

          75ffe7befe62da3753a0c83c65e269ad159a6083ae893acf2651557f9f1a3c2c

          SHA512

          c11ea34e3c696dffd66acf2353cbe12796fef417bccacdeaede500a3222fac4b8efc18747d8c726212623cf8cf99046527978686ebd329e40592837688f54605

        • C:\Users\Admin\AppData\Local\Temp\update0.bat

          Filesize

          78B

          MD5

          397dc7373e23f1980ecf849a29708041

          SHA1

          6c91608ebe57a3d9375f646ff287e46a9f18c861

          SHA256

          3ffedf213b18d61561cdbdf3de6946284c7b0541a69a89ebda74add1aff7fd5a

          SHA512

          9c8cf8355cde0402b71fb4e713d14ed12a1031c3120b4a1af6e10ce02dd5828b8d27345ef28f40c34da329e47b36f4f0da74c7cd4cf3d3964d004a16e72096fb

        • C:\Users\Admin\AppData\Roaming\delback.bat

          Filesize

          35B

          MD5

          d41ac96c53b4fe0dfbe1b080649141c1

          SHA1

          b4d75213c61646b5bd48eadf723542fa9aef8b00

          SHA256

          325de85e48afabcc0d53d5f6d9371314d0ed6e46d91c271abceccca58cbbd238

          SHA512

          a65c10d4face73078643ebc99c022a19a5944cef222c27739bc94456bd7601b5f118d4f2738fbc8374b8ad86c927fa0dcca7177fc936409f3000b7b58a6c1563

        • memory/1696-138-0x00007FF91F9E0000-0x00007FF9204A1000-memory.dmp

          Filesize

          10.8MB

        • memory/1696-136-0x0000000000470000-0x000000000047C000-memory.dmp

          Filesize

          48KB

        • memory/1696-137-0x00007FF91F9E0000-0x00007FF9204A1000-memory.dmp

          Filesize

          10.8MB

        • memory/1696-141-0x00007FF91F9E0000-0x00007FF9204A1000-memory.dmp

          Filesize

          10.8MB

        • memory/4980-130-0x0000000004B70000-0x0000000005114000-memory.dmp

          Filesize

          5.6MB

        • memory/4980-132-0x0000000005320000-0x000000000532A000-memory.dmp

          Filesize

          40KB

        • memory/4980-131-0x0000000005120000-0x00000000051B2000-memory.dmp

          Filesize

          584KB