Overview

overview

10

Static

static

1

Fantom.exe

windows7-x64

10

Analysis

  • max time kernel
    221s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7-20221111-es
  • resource tags

    arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    07-02-2023 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3406023954-474543476-3319432036-1000\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>kWUgMathYTJ4OFexuO5+Adw9gAgSEogiEjWosP9Z6nVIgMZj0qGuG/nsm2A76LP+MNrnOMSFnRzMqQUSMCDheXNKYYa1GbZ1C/6ZHn/5IQWy9Q/7CbmdQs3SWyxqprse2jiLtXGDvEgBrXIo3eqhPY13zOKBqhqNr/Mtojc6PppUcg60lMqPQEiudji6XBefr7tctVPDnqgSPPsUXDvVXr3z11n0fo9Qh76D0lulUE/c6jw71Re/S6oYSqg+0nBXV8R5siyAoGtc/RrV2vM4bWTRlgXW9jKN0fcM+TFFv523zyils2/8VDbkm0d5T0LEW4qMJS4b5DX75hPryEkEaA==ZXMtRVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 15 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Drops startup file
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1192
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/948-55-0x00000000020A0000-0x00000000020D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/948-56-0x0000000075161000-0x0000000075163000-memory.dmp

    Filesize

    8KB

    Download

  • memory/948-68-0x00000000047AA000-0x00000000047BB000-memory.dmp

    Filesize

    68KB

    Download

  • memory/948-66-0x00000000047AA000-0x00000000047BB000-memory.dmp

    Filesize

    68KB

    Download

  • memory/948-59-0x0000000004790000-0x000000000479E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/948-54-0x0000000001EA0000-0x0000000001ED2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1192-64-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1192-67-0x000000001B0E6000-0x000000001B105000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1760-58-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/1760-57-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

    Filesize

    8KB

    Download