Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Fantom.exe

windows7-x64

10

Fantom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/02/2023, 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>l2u167l8wuikN5AwBPk0LOIoHZvg0fw0Y4AeYTXrfhQ8clU2vhk2c6mQzOujmDhHnRN0n1NW4Wp9AC5URIkTgNwIHR5JnABMTGJeLY1zu+kcRZIwgo7muIkpNFrvmNVu8NNwHzPPS4vzd4Hzvk1fvyLPmmKil1dIWLhCNXrmzh3g/kxxfJ8RJZgN3HLmvKTVzIJks81lS4vt6xUOOK5/JK/4XbI0dHyMvzFDKp4hGxQPlSVEmxsh9H5ZRERm/IWLiXvLQPbITusMJzsYfvlaLMSo7nux6r9cFRMBLYY0LTtD36SbJvI8r1GnR6oEYdxq+osVlaNvEWvISuARzY/iJg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    ef8353c652929116efd6b0c89d4e5823

    SHA1

    0c14933a20cf64d52930f286a2a8bec4a28f6c37

    SHA256

    268a1d0e065c369a1e2c03530f331c87f0dd329ca7134627ea68c939fd521416

    SHA512

    5eed6a23ddd158223376ed7223fb8524ecf6f67eb32693a2e54f5ee33b3072f74e73684e93268e71e0b9da7baa594884636d825e6e4cc1efdf4d8f73eae3f6d9

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.fantom
    Filesize

    160B

    MD5

    25c147899815e02d07cbf586485288c9

    SHA1

    0606e1e6bca9d315709f1ff632c9be8e564088e3

    SHA256

    1b1771d74e290cea385c5b2dd62697fda911577e71bacf66c6cc4d908b9f5aaa

    SHA512

    c88021a27d1b1f6dadc82c15bbf4d0bdd2fb5720487ceda6f5da9c25caf26b74b6f766f812fd19c3ff856ced014fe7d247a782ec74946f3a1e99affe0e23707c

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.fantom
    Filesize

    12KB

    MD5

    c552dcfd6c5988e8032f06d575c9004a

    SHA1

    8c95d5fd73ce691e43cafd378c4983bc150164d5

    SHA256

    887bc2f20bd116373d79f287f12e1a7e1e5fdc7245a05a5db107391cb6e8b4e6

    SHA512

    9c0d0ccad81e6c153a312f19b1a0148db1196153b6c3880d13b9462c9acde9c805258bfeb1a01ebe3bfa2436a1be56441523d99c22ebb119d41f0b8554f831be

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    05b1ef0110ae9d80537b2b0dd3d73767

    SHA1

    e96cb583e124b50d1652a6862c4d8bb3c9c7f4e2

    SHA256

    40c5e2ca052204293a55f3bd2f9330fe2edea5ff4ee9e9ac2331a28f84a8925a

    SHA512

    c0d8c7568f5944e86e5288f63091d4eb6e3676ef7653aebf969e1c3c9a1bec2fe0cee9d74ff4d1c1291cd927f3d2c0cc40ae486a86684cfb17c7c77e3e779813

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    290282560d47e287e028953606c3de7c

    SHA1

    ce13abfa94431ab0896246a7968dc582722fa23a

    SHA256

    4ea6cb3b7b28f9e8e0b95bea432015e96de56b206c0ef7d969a507c65cf4de14

    SHA512

    251ceb6c133248ad453b2ae98f848a3b5eeb7fe41628e4f632e8a3ed2dabff122454d1b2604631651bb0b6f648dfb1143ee2c658364840c86acb59055fa72aa1

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    107KB

    MD5

    976d1fdb2169505e8e4653b7d4c7ebcd

    SHA1

    32479b0a817e340d4b68c5735513da5dc11762bd

    SHA256

    866e88e1fa5c2c71f708b9cdaa4745df13e1ab6e754f5189df064e77ae21ecf0

    SHA512

    83d512e5e48a3aa8f9f19e5e1ab4e26c7050269122cf29ac8c13a6d1b72f70c54539f78646dc20e81c89a91a5d4fd09a3370cc988a9149cd8d6d79d4e8462278

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt.fantom
    Filesize

    172KB

    MD5

    346092d1ee70e18077e4b5b021da9dd1

    SHA1

    af1b19acb9004ba278e25b8742aa55dd63b6edf5

    SHA256

    785b2dca444777412961ebf0ed86572369e9e41a90abdae2c2db8d3b8bb8cfe7

    SHA512

    fcd869f3a9880a67e613048d03ddb65b1149f93228cc7ee58b92bf6f5825fc99266767211aa0ee848faf355589f5e416605e0702f2d51fd6153baffc04a338ab

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.fantom
    Filesize

    160B

    MD5

    25c147899815e02d07cbf586485288c9

    SHA1

    0606e1e6bca9d315709f1ff632c9be8e564088e3

    SHA256

    1b1771d74e290cea385c5b2dd62697fda911577e71bacf66c6cc4d908b9f5aaa

    SHA512

    c88021a27d1b1f6dadc82c15bbf4d0bdd2fb5720487ceda6f5da9c25caf26b74b6f766f812fd19c3ff856ced014fe7d247a782ec74946f3a1e99affe0e23707c

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize

    48B

    MD5

    a8e53c447e3216e292719dcd56688a31

    SHA1

    f5e590de67c78d627839f4a71547de9a308f2bc8

    SHA256

    634b642e896d341a6080485cba093aba450ee2a994532a154c547e659234cb29

    SHA512

    a380adbf27b2bf74a970c6c644170f0bdf12992a50dd5a148bf21dcf02d73a4d7af9d51199198c15e02e2804718a79c04982a9a2149fcbae8f2d182a631c0000

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/540-690-0x0000000001560000-0x0000000001570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/540-281-0x0000000001560000-0x0000000001570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/540-280-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4060-162-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-262-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-166-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-168-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-170-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-172-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-174-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-176-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-178-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-182-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-180-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-184-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-186-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-188-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-190-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-192-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-194-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-196-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-236-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-237-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-239-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-260-0x0000000004C30000-0x00000000051D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4060-261-0x0000000004B40000-0x0000000004BD2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4060-164-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-263-0x0000000002570000-0x0000000002571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4060-264-0x0000000005330000-0x000000000533A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4060-265-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-266-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-267-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-268-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-133-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-160-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-158-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-156-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-154-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-152-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-150-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-148-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-146-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-144-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-142-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-140-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-138-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-136-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4060-134-0x0000000002510000-0x000000000253B000-memory.dmp

    Filesize

    172KB

    Download