Overview

overview

10

Static

static

1

Fantom.exe

windows7-x64

10

Fantom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2023 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>HFrkfUwEftv8ugkrF9qAuTaCXfZpkXKPliVLN6iZlqU+Zuci/tzQg1G6JD6OKTOH1ZMEMKcPpwkeJATQbDuM0D0VY0wvwZuM767ftY4Yo1xXCGF0shA+HniI6fGP54pVSq3vhONul/S0ulO/ahN+YZuFmeq1f6xf9mNhdalag60oGeYMMThs5+iJWc9MZxc7VHt2O4+MZCx9Xu4TGxrbuOQAiPSN1MIYLw83I6+j3VcrfakbANctmKzWhgqOrvzzNaLGQVmxjkHjoB42/jxbK3EwmYfxh4awFDESrzoHWo4rBnuQ+XYhtq0YnSWrZlZghqIiKSw6djkE5v0xYp/Nyw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1340
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1092
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1084
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2e8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1176

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
      Filesize

      1KB

      MD5

      27dacf39373d85893b9e16d78112b4ff

      SHA1

      76374b6fcb0777561df3a9eaa7ed772d94d6b545

      SHA256

      56e3a74ddbe9949881abc681c1f0ae261412f767a20e628c29c99d9c7916f0f8

      SHA512

      484f2a44de1bd261dde563d9213f6e2478875ee34f34f539db18ddfe8b8b7e97f31717d0f9d22c1db2bebe825e5e58628afbe0d9797f69976f7d2a7b3a1bd1a2

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
      Filesize

      160B

      MD5

      5bec6a433801a289e217d7c2241d677a

      SHA1

      ae88ca957dd66094f24f2b611731ae07ab5cc9f1

      SHA256

      60d422ddfdd3a8d6bf3692cfc4e9e5cb9803f87653bdc0e60f374cef0011315d

      SHA512

      a2832731d2dad06d1b5d6e5fd69294ef8974a9459ed8114f978baaadd8521c16b5ed8b83736c0f2c749a5f499b284533b5de82199932f6df045e977481305461

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
      Filesize

      12KB

      MD5

      eb8795d16f9be5b53b8138450afb4208

      SHA1

      525ed4e9a81873745827ea657249d1b966504d4e

      SHA256

      faf58ac760bb2ac156d06e3c0b823438bb2fa6068daa64162a19c28cdd6c6f5b

      SHA512

      a6afa49a344467f2bf86e4ef6c8aeee4509f92b923a1b9cb5dffa32882517ad9ad1857e876768d9bf1c45447a00dc04b45a569983d4404f15185480c34c52f9f

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
      Filesize

      8KB

      MD5

      78f33ac0d4f09a5a5e979c9d9a2c46c4

      SHA1

      4d2c0872f5b065e168e77b8fa5bd009dd1c5c0ba

      SHA256

      8ec772e21407990955a1b5b655daeaa3964d9406c5dfaaba2673437a22c84954

      SHA512

      09ec1203da06131c46adda305c7a28761300b0f81cf7f72ab12dae6c09ef3c5293f852b52c6e05304ff90cf3991112c41152442a182f767e4613247c6f725289

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize

      11KB

      MD5

      8cdc704e09a564cebbe46eaf99881bd6

      SHA1

      a74f7d8793d94b7779998a839e0fbe3ae9871a9a

      SHA256

      d97b32fc35f3c485558ef1e1904b3c0541c30d9bf0a19aea33d5a60ebb16765f

      SHA512

      822fb56fe310daf58542342a76eddee7f1b63c1cbb4788545a7dc0dd157c6b8d2a0ee0d1034d426b2270b1afd6e99d62af31732119daa9380cee2b8c4e91b44a

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize

      109KB

      MD5

      1a8f6baba8c6ba8c05f6aeac3d2c13d4

      SHA1

      f06df4dd6b8ff368a610de52cac546963c927fe5

      SHA256

      1edd48e162cad0205efa8ff97d1cdfa6243340900471f0cbbfff0a9b9f78ea2f

      SHA512

      debf3e07f002c95e16a44a4a81edcf422aeab79819ea87ea1a38e5c07b8c3158e0d7607effc40144c4c93a3021eb8a46e5a5778cfe3f73b7580aebc324850c1f

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
      Filesize

      172KB

      MD5

      f048cfff991c036af5963208beceb252

      SHA1

      6e6799d046bcad438fa814bbe178d0f4e097e962

      SHA256

      bf4c18d75bc1a78d8fd33ad4c69b084a7d01e8238ffd5f906e1962035e009c83

      SHA512

      8a661cec90954a811997d1bb1df6b09bfe8ca79cda0805daf9f5e04af7c349b78d9c6dd1ed745005ff8ea99f9bdaddca5a4a1fd9ddc6b323398309b48359d064

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • memory/1060-101-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-115-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-71-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-73-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-75-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-77-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-79-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-81-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-83-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-85-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-87-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-91-0x0000000004820000-0x0000000004860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-89-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-93-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-92-0x0000000004820000-0x0000000004860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-95-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-97-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-99-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-67-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-103-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-105-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-107-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-109-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-111-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-113-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-69-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-119-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-117-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-121-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-182-0x0000000004820000-0x0000000004860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-183-0x0000000004760000-0x0000000004761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1060-186-0x0000000004820000-0x0000000004860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-187-0x0000000004820000-0x0000000004860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-189-0x0000000004C40000-0x0000000004C4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1060-65-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-54-0x0000000004640000-0x0000000004672000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1060-55-0x0000000004670000-0x00000000046A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1060-56-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-57-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-197-0x0000000004820000-0x0000000004860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-59-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-63-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1060-660-0x0000000004820000-0x0000000004860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1060-61-0x0000000004670000-0x000000000469B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/1092-188-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1092-185-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1092-184-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1340-198-0x000000001B510000-0x000000001B590000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1340-196-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

      Filesize

      48KB

      Download