fantom | 8b11977fad03dca09599067274a89de032aaf99c9c493aa68c3875f5af5628d4

Analysis

max time kernel
762s
max time network
765s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2022, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fantom.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Score

10^/10

fantom evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2372564722-193526734-2636556182-1000\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>gPnpnoUrgj5XPEOeM5CQxmNNhiI0lfAMmrj/xgSi6zykDfqv5gP3GIXiKmzVJ2CGHlsnKhCsXSTT4eZSt/RuSLVtylgv4iqCGDJuZd7HVO0OlHxClzlOU0bTevwskKdc/BtBrhhyPHIx3epMBvE+EabQF89xhgS24lCIwn3o/yKSSTRgam9h4S8rQMppTMY0dqonYsrZK3nyjYeuDlNm7ULAMLwL6wSqh5LdKzzc3ONSmHmfYJ5mZh9dgSLh0oLoSgRSP6aoQMz2Fg5FpB3yZwSwwBUwqWUZq+sftdAzFNuS6oY/NHOxLvB80syScUsrBrcb1Ca0Jn+Lq6GA6EKUuQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	Fantom.exe

Executes dropped EXE 1 IoCs

pid	Process
1696	WindowsUpdate.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\GetUnprotect.raw => C:\Users\Admin\Pictures\GetUnprotect.raw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\SearchTest.crw => C:\Users\Admin\Pictures\SearchTest.crw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\SuspendConnect.crw => C:\Users\Admin\Pictures\SuspendConnect.crw.fantom	Fantom.exe
File renamed	C:\Users\Admin\Pictures\SyncEnable.crw => C:\Users\Admin\Pictures\SyncEnable.crw.fantom	Fantom.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Fantom.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\XPSViewer\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\WindowsFeatureSet\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_7f84203a67c210e4\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdma_usb.inf_amd64_e879d41db6fd1ab8\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\SMI\Manifests\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\tr-TR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\it\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fsinfrastructure.inf_amd64_1ef682cfd6fc7d1c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic_ext.inf_amd64_34d742f3550dabd2\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic_shutdown.inf_amd64_bce6891915e70bbf\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\AdvancedInstallers\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudss.inf_amd64_76a0499c8a4b3752\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj5.inf_amd64_6f327fe9ac4fdb28\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\it\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_smrdisk.inf_amd64_bbef253cecafbb1a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msclmd.inf_amd64_d677afecc5e43162\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\el-GR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\config\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_e3ded2b26d662526\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\001f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_ea60132f1a9a7a62\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_c20a3bb7ac1cd207\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\Speech\Common\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_0eaf27d749819837\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_hdc.inf_amd64_6e00e835fbceac58\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netclient.inf_amd64_b7f9bb71730aaf1a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_74bb5e3e01cfd526\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_1aae998f86058cec\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\fr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmcom.inf_amd64_9179c145f01530e4\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtkr.inf_amd64_a8a4ecec7082e1aa\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\SMI\Store\Machine\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\0409\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetLbfo\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adp80xx.inf_amd64_efb36fdc260e8bc8\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_2d569d832b41b8df\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\fr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\Tasks\Microsoft\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Wdac\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\ConfigurationStatus\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-24_altform-unplated_contrast-white.png	Fantom.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\LogoBeta.png	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Preview.scale-100_layoutdir-RTL.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-125.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-100.png	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-dark.png	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2_thumb.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-200.png	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	Fantom.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Money_Received.m4a	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-200.png	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\ui-strings.js	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-200.png	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\wiggle350.png	Fantom.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-32.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-20.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\SMSConnect2x.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png	Fantom.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-200_contrast-white.png	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a...appxmain.resources_31bf3856ad364e35_10.0.19041.1_es-es_ec5721bc1171e90d\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..cing-management-api_31bf3856ad364e35_10.0.19041.1_none_5cb2e5e4fea9a8fe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..istory-ui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_607b7ac29c642b40\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-filesys-adm_31bf3856ad364e35_10.0.19041.1_none_8c592235de573df5\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rundll32.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_318cd87af60841ec\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-twinui-pcshell_31bf3856ad364e35_10.0.19041.264_none_d02b3c717f778f82\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\WideTile.scale-400.png	Fantom.exe
File created	C:\Windows\WinSxS\amd64_networking-mpssvc-wmi.resources_31bf3856ad364e35_10.0.19041.1023_en-us_88575558071a16db\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlm_31bf3856ad364e35_10.0.19041.1023_none_f18aa36117af2f20\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.1151_none_23c0aa3b7bd960cd\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_hidvhf.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_57b1f28d6c3bbb40\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-pnp-devicemanagement_31bf3856ad364e35_10.0.19041.1151_none_c285b519477e2f35\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\x86_wpf-xamlviewer_31bf3856ad364e35_10.0.19041.1_none_afe0be8163ecf7d4\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif	Fantom.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\it\SqlPersistenceService_Schema.sql	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-consentux-clientapi_31bf3856ad364e35_10.0.19041.746_none_f643f18d5152ff00\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-datacollection-adm_31bf3856ad364e35_10.0.19041.1081_none_309fd9c951d17145\r\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_da-dk_7f2a1321ccbad7ec\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..tioninput.resources_31bf3856ad364e35_10.0.19041.1_es-es_9d431d0253c285ef\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..panel-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c3ac92cceef4e3a4\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_system.security.resources_b03f5f7f11d50a3a_4.0.15805.0_ja-jp_be155b88eb7a654b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_windows-media-ocr_31bf3856ad364e35_10.0.19041.264_none_edcadf6b3d9a92df\r\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-icacls.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_da8d75ede4187e91\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\msil_system.xml.resources_b77a5c561934e089_10.0.19041.1_it-it_edd5bf8c28d86b7c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.Common\v4.0_10.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\error.aspx	Fantom.exe
File created	C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\DropAccept.scale-125.png	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ngversion-windows61_31bf3856ad364e35_10.0.19041.1_none_acdea4ff0e76389b\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\debuggerNextTab.png	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_11.0.19041.1_de-de_d354a43400cc6148\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipshrv.xml	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-waasmedic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c088f2ee495d2d00\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_system.identitymodel.resources_b77a5c561934e089_4.0.15805.0_it-it_14834bc98f31d063\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ncdprop.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_765a49f1286c2ce9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_10.0.19041.1_none_c4caba43cb1943df\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ctx-directinput-cpl_31bf3856ad364e35_10.0.19041.1_none_4771065ace86f590\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\common\GifSequencePlayer.js	Fantom.exe
File created	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\TridentErrorPageStyles.css	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-family-client_31bf3856ad364e35_10.0.19041.746_none_790086a2b15c8e0a\r\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-mfc40u_31bf3856ad364e35_10.0.19041.1_none_4ce584053c904ece\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..erclasses.resources_31bf3856ad364e35_10.0.19041.1_en-us_a254f8aca952a484\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usbui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_04f426b836bed3c9\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..erplaydvddiagnostic_31bf3856ad364e35_10.0.19041.1_none_51d5a36c5020db24\WindowsMediaPlayerPlayDVD.xml	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft.appv.appvclientcomconsumer_31bf3856ad364e35_10.0.19041.746_none_4a2dc3cbc7724178\r\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_10.0.19041.1266_none_e32e0904acfc408f\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-pdc-dll_31bf3856ad364e35_10.0.19041.546_none_842a8106fb96e070\r\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_ds-ui-ext.resources_31bf3856ad364e35_10.0.19041.1_it-it_60d1e89763c83318\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devicesetupmanagerapi_31bf3856ad364e35_10.0.19041.746_none_55af03e86cb19d55\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\SquareTile310x150.scale-200.png	Fantom.exe
File created	C:\Windows\WinSxS\amd64_netfx4-default_win32manifest_b03f5f7f11d50a3a_4.0.15805.0_none_55d69a0e6567fb99\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..nts-mdac-rds-ce-dll_31bf3856ad364e35_10.0.19041.1_none_2236ac69157d782c\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\diagnostics\system\Audio\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-appwiz_31bf3856ad364e35_10.0.19041.746_none_f4142d9bba162d05\r\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..-accountscontrolexp_31bf3856ad364e35_10.0.19041.746_none_cd308443e000e16d\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..d-library.resources_31bf3856ad364e35_10.0.19041.1_de-de_c228a4e007597006\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..l-wallpaper-windows_31bf3856ad364e35_10.0.19041.1_none_910333b84fcf455a\img0_1366x768.jpg	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ndlers-quickactions_31bf3856ad364e35_10.0.19041.746_none_20e5b8e1a1fb9583\f\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_ddores.resources_31bf3856ad364e35_10.0.19041.1_es-es_12285c3310686489\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-recovery-remotewipe_31bf3856ad364e35_10.0.19041.1_none_8ef85e0ca7182884\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..sql-netlibs-winsock_31bf3856ad364e35_10.0.19041.1_none_59b60282102898c1\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Presentation.resources\v4.0_4.0.0.0_es_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	Fantom.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	Fantom.exe
4980	Fantom.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	Fantom.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1696	4980	Fantom.exe	97
PID 4980 wrote to memory of 1696	4980	Fantom.exe	97
PID 4980 wrote to memory of 2808	4980	Fantom.exe	110
PID 4980 wrote to memory of 2808	4980	Fantom.exe	110
PID 4980 wrote to memory of 2808	4980	Fantom.exe	110
PID 4980 wrote to memory of 2488	4980	Fantom.exe	112
PID 4980 wrote to memory of 2488	4980	Fantom.exe	112
PID 4980 wrote to memory of 2488	4980	Fantom.exe	112
PID 4980 wrote to memory of 4248	4980	Fantom.exe	113
PID 4980 wrote to memory of 4248	4980	Fantom.exe	113
PID 4980 wrote to memory of 4248	4980	Fantom.exe	113

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update0.bat" "
  2⤵
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
71B

MD5
b132f4472ca04d3aa18bb37aaa230630

SHA1
fe549c6c96c7d9341fd13e12fc24d3551b0c1f67

SHA256
75ffe7befe62da3753a0c83c65e269ad159a6083ae893acf2651557f9f1a3c2c

SHA512
c11ea34e3c696dffd66acf2353cbe12796fef417bccacdeaede500a3222fac4b8efc18747d8c726212623cf8cf99046527978686ebd329e40592837688f54605

Download Submit
C:\Users\Admin\AppData\Local\Temp\update0.bat

Filesize
78B

MD5
397dc7373e23f1980ecf849a29708041

SHA1
6c91608ebe57a3d9375f646ff287e46a9f18c861

SHA256
3ffedf213b18d61561cdbdf3de6946284c7b0541a69a89ebda74add1aff7fd5a

SHA512
9c8cf8355cde0402b71fb4e713d14ed12a1031c3120b4a1af6e10ce02dd5828b8d27345ef28f40c34da329e47b36f4f0da74c7cd4cf3d3964d004a16e72096fb

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
35B

MD5
d41ac96c53b4fe0dfbe1b080649141c1

SHA1
b4d75213c61646b5bd48eadf723542fa9aef8b00

SHA256
325de85e48afabcc0d53d5f6d9371314d0ed6e46d91c271abceccca58cbbd238

SHA512
a65c10d4face73078643ebc99c022a19a5944cef222c27739bc94456bd7601b5f118d4f2738fbc8374b8ad86c927fa0dcca7177fc936409f3000b7b58a6c1563

Download Submit
memory/1696-138-0x00007FF91F9E0000-0x00007FF9204A1000-memory.dmp

Filesize
10.8MB

Download
memory/1696-136-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1696-137-0x00007FF91F9E0000-0x00007FF9204A1000-memory.dmp

Filesize
10.8MB

Download
memory/1696-141-0x00007FF91F9E0000-0x00007FF9204A1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-130-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/4980-132-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/4980-131-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download