Overview

overview

10

Static

static

1

Fantom.exe

windows7-x64

10

Fantom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-04-2023 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>IsJwSrn4ZWc3jJa1qIHr6NoxzO3kXNDOv960DbcFgYkIjj5xmiBBiADd0USAoQOm8fMOFFNr0w/yU5QQ+r4xtcF+wPxrvZQbO6tXkX4ZgwgjKkmRJs2TfEZfbuWm+qpWiPMz38kkcwFunv/xxcIHxhZv+sfGuBGevn/mOF9thudx2eHOBfiFhxMT6jIwQiWbSQ3BcEf2eCiL8kCQjKQvVv/LwLkVc+loKk0rhvHWCO2QUmFkltKBhwD0OV+YZsQ76g911mpta3gfrmgEYS9FsCoFd+Q0/zPUItkeB/RWGpOY2Dtb67AFyYIRWgoigZ865+tcAMk1zjgzHpFK2zMTKg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    73d06157fc3d0009c376a09beb59fb5a

    SHA1

    1cd641acace18b22c9e0d53f48f7b415a042f07a

    SHA256

    62568be20a0a8a5395982e13e28868b30721bd5065f8e915e0ae21b5e8145a78

    SHA512

    a0094d5f0b357b2158b0efca24fe3a65f282874299206b62b5d20d9fbd4f841d47df824c10fab512571c4429574dade1591b82453b05d52fa567b830face73bf

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    09943b2b7b8ece09ec296048308a4d68

    SHA1

    2d2ce3d155a9b6dea695fb4012e33553d21ba584

    SHA256

    ddb6e810b97ab3085259a3a3d8542fda403dbfdf4da520ae6295a73674534057

    SHA512

    dd55ae58a06e14ff77a94033f436634ae05c050a3a95a44b022d5db1031e8525e8e5f3fd2da13bc743f40dea38782e1858d29ab9bf752870622a9707cdba67af

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    17179997cd6b9df9cfe53760bc8cb994

    SHA1

    4b8bbe4bdce8738598c57355e7681743cd5cbf8a

    SHA256

    5c95abdacc4e65b5947e0eddc02886c0812bd3c418f804619eb939842ed0f1f3

    SHA512

    05b54dc022309d4b645957133ce1b33ea07a8701b4b0e967d4bb96cb5fe55ba3e8b8b5daed2d55decbcc29988110a138150204f98357d8df5fe4a3e881b8d9ea

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    671b55b65d67f65d1050eca085543a04

    SHA1

    2f7346b934e39a8d186f284443bce9ec5d0ccea9

    SHA256

    7526a8f99799c026163749dfab94f9931ca132559aa88f3702f73f5dee28acc3

    SHA512

    55944218f299f3bba92b4a2f928f1e0620ea1747424b5eb28b60f6b1bb3cb0d28b3b4696f884b0437beb6afa87fd5ce8361d0477210c32e2e719e264e7be8e37

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    faac6ea9b0fb31336534edfdee8ed40d

    SHA1

    fa0b3662dacd04421c335fb4255b90c65f6cc12e

    SHA256

    a0ece531bfe7bc0948c5feb1afe0a5ce17ce4483b0e410189184f111ba1c2adb

    SHA512

    d1072dc4774890df9e0d081349fe741ab85f894edc54f5121a4b7da15cb60ab756eb681cf62ab188b3313cc74f878effc6c41db7e095b517af9d3d869b1c6113

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    107KB

    MD5

    602ac248e91425d90128163ded78a1c1

    SHA1

    b5401ccf35eeaf97230a594ddecd06aa307b483b

    SHA256

    8d67a7ae33a9ebf8ff1af68bb85ac4fba4d657fc3fbb3d276996f5c1116d6bcc

    SHA512

    c3f1893d24b93e38ae926681ee012047479104f053d5f5c0a06b68d8f1087a635d08b8aeb33b2c415a1b47d9354b91a429dff436570e5bad4878e3b41f18396b

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    f9282cf74845562eb473cc47025b820b

    SHA1

    5829c7afdd38f8e10454b41fa15bfaeb2f1b35ef

    SHA256

    9bc983d9a9dbf7835217b3a51f337dc1873b22f6628c8c7808060ce26a67bda6

    SHA512

    13e8ccce950aff85013369a9c2f42ad5f3cd61f95db5d07b816c2e994e6e979c1fe2b72ead82ce21264c4ec9a8b4422066f72b124ae0f75cb0888106b78decd1

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize

    48B

    MD5

    88c08b8a6947a4e0ae2fb161c4b227a0

    SHA1

    493ef1da7cdd097c8cc25b69334f7860964e9e0c

    SHA256

    002777a7511d14728965ae4e14427316ea0e82bd2b7e6be86dd97bb2d2d26d11

    SHA512

    a0ef4986c299fe45e0662539eeed2b6e3e64844546dfa2c2d292efc5c9d5cbbde5a6c82b04fcd75581c08c29345538e0989921f024c0305ee0e0db7482647e81

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/1784-656-0x000000001B380000-0x000000001B390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1784-307-0x000000001B380000-0x000000001B390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1784-278-0x00000000007E0000-0x00000000007EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1980-192-0x00000000023F0000-0x0000000002400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1980-199-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-164-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-166-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-168-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-170-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-172-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-174-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-176-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-178-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-180-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-182-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-184-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-186-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-133-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-191-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-188-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-190-0x00000000023F0000-0x0000000002400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1980-193-0x00000000023F0000-0x0000000002400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1980-195-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-197-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-162-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-260-0x0000000004AE0000-0x0000000005084000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1980-261-0x00000000023F0000-0x0000000002400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1980-263-0x0000000005100000-0x0000000005192000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1980-262-0x0000000002680000-0x0000000002681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1980-264-0x0000000005320000-0x000000000532A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1980-265-0x00000000023F0000-0x0000000002400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1980-266-0x00000000023F0000-0x0000000002400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1980-160-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-158-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-156-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-154-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-152-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-150-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-148-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-146-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-144-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-142-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-140-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-138-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-136-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1980-134-0x0000000002650000-0x000000000267B000-memory.dmp

    Filesize

    172KB

    Download