Overview

overview

10

Static

static

3

Fantom.exe

windows10-1703-x64

10

Fantom.exe

windows7-x64

10

Fantom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    181s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-06-2023 18:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>mejjdU2fLo/lXwKn9i1OWw0IvipEQA8VGCXm9Lo4nA51uAcDGPwl8lpTsa1YF+spi4owaHb0Z8C/0w6jJT/0Wbjj8PEbeGQejnR99wUUInFWSReA9uRM5qLuTLMf6Y6LVa4r974ClRm95bQui+WP9cciSMkwtFq8hvEoTNV0Gt6siOtPiLprp/HvSWtpwdfE8bD2nR8QvzQDaFz6tDhMlZCNOKVSPH7bJMuoqNFzT1TmXx1EVw/iZHWOgz/3bAzNI4ClDJed7pd9kcYJ9N544U2zRaf/7GH/cWsDNuyDihVOw65xK80zDsPma/TK0x9CMVRJw6ZCz8xm6wYG1NJZ4w==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1925) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:4792
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3424

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
      Filesize

      1KB

      MD5

      71527de849faaf210bacf9d2ad2dc271

      SHA1

      f5b53143621910fbf076e1976fabdc2bf5eee197

      SHA256

      f2f9e1da83a94cacdac3f7bd1ada8dd5668596505525e6a7763526fd2244fe57

      SHA512

      1d638601961e6eda43a04b7ff0749bb31952ff9cb6d6316513885069c8946ee4fb238c1ed7eaf3192a74926d0669572ae27cad3188c4df54a1f6cfd2cc99e310

      Download Submit

    • C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
      Filesize

      160B

      MD5

      812125c306e9be575c21783edeca1bd2

      SHA1

      c6aa0168fb2c612b717ec6943fe3ff2d22cff000

      SHA256

      f4dfe6e99a91bf28c86b11511da328cbc4a0dcf2546d03b3e719419477489d64

      SHA512

      07b56e1859d376139f2ffbc6650b1e5fceda64fa4580c948897ef684ef671cabb7d3b31b09e160fb817eb8ac07887eae610a6722883633f8cdf17676ddc8b735

      Download Submit

    • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
      Filesize

      12KB

      MD5

      75ceab4531b5ea12d1a611678fbb2d2c

      SHA1

      842c5088b00b4b86f568ed1dc667781c323e27d0

      SHA256

      33ce1b31478c3ff3f2fa743f584154216dbde40424d4d5d3157917a4d559e067

      SHA512

      4522ee56ec8836f6ac4d436f5d05cd34d904e9b0d70cc3f66176eda17b1724f63146b260ba2c3b4bdc256602e35bb5e5135e129072e8b298fdaeb9cf7fa5d21e

      Download Submit

    • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
      Filesize

      8KB

      MD5

      14e6908ab549efb6ebd46043f166f011

      SHA1

      bfe11d7d1f9db31c44b9ad265c5e032c72a192a9

      SHA256

      d9cc9df22f20e0b6330d8072e36d1d63fb10178d78d0f43d0c9726d820a81cdd

      SHA512

      1cf17ddcb6694ff9f2e106c36d18628389f826ad8bb689fd19b9bfb41ca23789e2a043c54192275a575ae135c62c8543f19525ea6c7603d69b72d11e2696adba

      Download Submit

    • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize

      11KB

      MD5

      7e7eb3a10f35f4bb62b2216d8fdad563

      SHA1

      ea12f5038d78d95602e030cda7dc2547abbc774b

      SHA256

      2bac3e1d4d5d78cd4a9aabed42c3f8848f32246a7f177ab93d0034b3e899e547

      SHA512

      faaa9e015d09767c777367427dace07570418a08013a25fe291fb7eaee32ef044e1cd5d3642ccaa5cf439bba32978ce196c6ad4967d794841a4f8527035c27d2

      Download Submit

    • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize

      107KB

      MD5

      46828f7f1f2515c6038be53e18ea65eb

      SHA1

      986cded479b82e7195cd2ae735bab84597654220

      SHA256

      04927f15089800e75b60a983a66c2b070c35158c95e40d4da872d07805394dec

      SHA512

      19908d9b14abe8c794df7558cb17ae65265a083760f1101909caad7633e9d72e52c4bcacc08a0ec9d06f25dbb3423f8588a2723220b6d207f1f84866f0157d5c

      Download Submit

    • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt
      Filesize

      172KB

      MD5

      72d09d2f14eddc03db2d3c6919a78e2f

      SHA1

      3da1a6ed8ba021b19dfac7335e9755a7be172748

      SHA256

      02fdbcfb9e86be63bb67ce773f4f61058dd3fb0b132072161a4df9dfcf20183b

      SHA512

      c27616a5f0079c6c480923d75ac7521086b17099f63040e3a4ff1bdec827052a1fd58894bd4c49c58db18001ac060b8160b284d6c252a4106e514585413a605d

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
      Filesize

      48B

      MD5

      861cf0eeb0134431c3738c42fe426668

      SHA1

      5ef10fecb2a5775ab77371fc1e091b07bc1e0baf

      SHA256

      e7ef7694055ca08c017bdf594d51e4c08ce51b65903df85793af5973592e65e7

      SHA512

      611715fef562da63e9f4992d1f86bd992c622708c0ebbff871b3e9e55e8a42fca5d6cfb647ca0995bb823ac7484feac3c4cd16c79cbbf89dffe843f0818eeba6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      Filesize

      21KB

      MD5

      fec89e9d2784b4c015fed6f5ae558e08

      SHA1

      581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

      SHA256

      489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

      SHA512

      e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

      Download Submit

    • memory/3532-167-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-177-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-131-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-133-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-135-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-137-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-139-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-141-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-143-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-145-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-147-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-149-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-151-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-153-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-155-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-157-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-159-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-161-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-163-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-165-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-127-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-169-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-171-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-173-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-175-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-129-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-179-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-181-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-183-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-185-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-187-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-189-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-191-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-249-0x0000000004B60000-0x000000000505E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/3532-250-0x0000000005060000-0x00000000050F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3532-251-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-252-0x0000000002520000-0x0000000002521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3532-253-0x0000000005210000-0x000000000521A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3532-254-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-255-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-256-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-257-0x0000000004B50000-0x0000000004B60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-258-0x00000000055C0000-0x00000000055CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3532-120-0x00000000026E0000-0x0000000002712000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3532-125-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-123-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-122-0x0000000004A60000-0x0000000004A8B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3532-121-0x0000000004A60000-0x0000000004A92000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4792-264-0x0000000000990000-0x000000000099C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4792-275-0x000000001B410000-0x000000001B420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4792-660-0x000000001B410000-0x000000001B420000-memory.dmp

      Filesize

      64KB

      Download