Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Fantom.exe

windows7-x64

10

Fantom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2023, 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>bh2oPp9hxGGVOfpAd+0g3JOB+s7xEp6rHLNdxfZsxCAujmdb9iJkOzWJI+3QIplRTdJ8pcDLEoW1J5GQbrjF76ckp4C1j/Rzr+b4+Ur8ojt2NUt3FZajGem4UqftOeiehwoiukmLWeWfR2mJDthvGL50Lu5VjJmPzunXyXLdYuDIBmDG0T/W81OKREcgwszFOHMbuOCEfIlfSVEvucxRmWmZl93qnEHZOvcIJgaRjmx62huLKQcyqtT8YXoGEAlkT06zlVt/W6NMe0+f6fjB/sSTz/DHl2CwNTmsJnNk29LMB3uMsTk52bMqLi8OUG++bSsGG8pvaPmkKdpC0IBbwQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1788
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:924
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x558
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:964

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
      Filesize

      1KB

      MD5

      9c522395d32abc963d313bb3740c5d9d

      SHA1

      605a3419625d2fc03e1cbf5ce6063e945c29b973

      SHA256

      45c71f96e2e53b153a04b7596674c24b6eacca3694d72ff46247fd4b9e58b19c

      SHA512

      56645214952485a6bb7c98470201764dc85b290ef47470eb4cc2be364e5c97eeb1ebf0e800db00272a9a39ab92f442febb2b73ab80215ffa9599f1aadba9b749

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
      Filesize

      160B

      MD5

      0e6005f1866ec6a441d2bda15cb3be65

      SHA1

      1a9c7a4e3be0fd2f0f0ccb16f65dae272e8c2ab4

      SHA256

      422d562a3a6e107916dbfd45e6f719906bc623c8cc626e8edc95e70bab13ad0e

      SHA512

      90b9609408268644605c004211cd8f0901b4963a4b77f7b016762927450746c013aed5974841e2dd517121668f17104fe7aadbdd1a56302c38708da93f174a2e

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
      Filesize

      12KB

      MD5

      3e3c075d3531686a90285048d11aacf4

      SHA1

      e533bafd230d6075df8846e13dcd7b10890db79d

      SHA256

      4d907752de7aee8d1f44e804f8879bc1b5c0afa93e7363f5920315c65fde1a6b

      SHA512

      c71edda0f06961d98db6ecfc34aadb614326b8035f71c73994cfe96ed9532980e4a7beff2f82c142bd28bd0fee5b1ed96b579820e9ecfcfe95ef1aa2b5fb035b

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
      Filesize

      8KB

      MD5

      8ab774dca6213961cf292e016b1cef42

      SHA1

      4743177258e8095214556563c8cc69f677935dc0

      SHA256

      f19d2f306fad18ccd76600525e194625b908b4b2945f567758e7cf03b6981dab

      SHA512

      f54af39213300238adf047672d1f195736e25a1c895e0940c870adef9f45d23a1670282a3fb93226b09fc06640f64feff88c3b48c0d0bedc4b1619009981c2d4

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize

      11KB

      MD5

      1a54ed06d413a1a5186d04a39ed56ddf

      SHA1

      d197b689cb84bf026b01f30dedc7a0348dbdd941

      SHA256

      a83958cab31c1047b4d8f50edb870183e42b57bc58d5fb694598fd30ecadced9

      SHA512

      f186752ffc9dd7f61425a6f738888ef7645e3dee685d1dd4ec26e40c2d5c604342af9a6eaea58338eb6ede85ce5572448b9236fdbbc4c46820b142fd66681e14

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize

      109KB

      MD5

      4c24e4eb5c7b9baf9b23ce2b2d1596b7

      SHA1

      1833e4ee970d9c8d40ab9e63e3ed4d76530e7cd3

      SHA256

      561b052b6b7e7a2847a431ce9c3f36ccddd2dc0bb70f8ce87288ab7fba5331c4

      SHA512

      b54a646c2475b0ea3b8842caecd05cd6ff6902400701c6d505373377db70d5e63d91fe66a6ddd9b91bac0e41af77da6fa81d12c8d1cf9b1ce72beaca2aa85243

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
      Filesize

      172KB

      MD5

      82eab84af319ef0ab510e04ce786b274

      SHA1

      3ae401d4934c4127921698144122c2581bc5e0db

      SHA256

      083cfbcc6b68f3c6a272511646f427de45255d3d28931342bd4c6b12cf34cee9

      SHA512

      ca7f2ac659322dc1da930d622c2d97f46d75dec4f9485c76c738633a058af8cf6e59a3a71440dc18e403effaa663c747889818fad4d99ca9b9086d321b7885bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • memory/1104-77-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-117-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-75-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-79-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-54-0x0000000002090000-0x00000000020C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1104-81-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-85-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-83-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-89-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-87-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-91-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-95-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-93-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-97-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-99-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-103-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-105-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-101-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-109-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-107-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-111-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-115-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-113-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-71-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-119-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-122-0x00000000048C0000-0x0000000004900000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1104-124-0x00000000048C0000-0x0000000004900000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1104-182-0x0000000002250000-0x0000000002251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1104-183-0x00000000048C0000-0x0000000004900000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1104-184-0x0000000004850000-0x000000000485E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1104-73-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-69-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-65-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-55-0x0000000002220000-0x0000000002252000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1104-192-0x00000000048C0000-0x0000000004900000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1104-56-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-57-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-67-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-673-0x00000000048C0000-0x0000000004900000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1104-61-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-63-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1104-59-0x0000000002220000-0x000000000224B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1788-675-0x000000001B210000-0x000000001B290000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1788-194-0x000000001B210000-0x000000001B290000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1788-193-0x000000001B210000-0x000000001B290000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1788-191-0x0000000000A00000-0x0000000000A0C000-memory.dmp

      Filesize

      48KB

      Download