Overview

overview

10

Static

static

3

03769899.exe

windows7-x64

10

03769899.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2023 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03769899.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>YmUnUib/OE6JzT/JM0tun8eoVYNxKAhx2rg2UdmMtNJU1+fe9Y4PZVbzThx6vqrxv/GTWxPPPA7o2ETWHk10Qp+B5SRaVmQcxfxAMcW+qq/alkeyy7oXhf61lLH307RdhQ+EOgVD67yFTYFxEwqMzLOYDAV1FRzF6mvUfbsUbmJVp4BmhJLe1jicdZkxwGzneEbFqdEuVO9Zi9kTuF/CF5xQlTxv7q5h6/yzx9MRJx4y4NSg/xlGJ4gR+r103YHmkcM7OZZ4uygTQ3vQDM1H6bLkbbZakzuGOXmIycYdXGiGNmaPwuJJN+W7tOAkouhbfkWfamSdynoJiqSx43FpWA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1925) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03769899.exe
    "C:\Users\Admin\AppData\Local\Temp\03769899.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    e1fcb4f23c518403be96c6aa1d8b4a0b

    SHA1

    8846c3760b36cbfaa65c3b61af25e6ea7ea4f222

    SHA256

    e93f0591d2ef51145736ac9d56d4d8011dda9ec7f7dbb999fe76431e5963a522

    SHA512

    0a997fbb613f690f77ab05b964997b0461edf6c1bfdbccf8cc0af715ca9312f1dfffc8312198eaacfe42eed075c5ec1832b283af10e8f88d4798d7ef4bbc92fa

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    d6aa00eac21538ec622f982c92890ae4

    SHA1

    ea2ff4c92783e6adce63ca68123a912a4d37396e

    SHA256

    abeadd78046642e595737212bef1cb02f7bae8346475a5b5e0596645a7da5313

    SHA512

    ce5b3a2a37c3a0fc0b07db52ff385bfecd811ce9c863be80fe02c9dab8f1e457ca3c92dbe8ff103c0f19f1e355c8bc02ca50d7a97c9cdc4ad4479b111a0065ac

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    3ddc89a2b364b95539531fcc999fe516

    SHA1

    465f430a6bd8cb0254852c305e68e69b20720dbe

    SHA256

    223f445d74165ad994afb74d2c1dfdd2271f0a62de47a7387e3eb526a568604e

    SHA512

    482c9b54a0fc9ba2dd79b089ff64be8172a86aa1ab90923e1e506645fafa94ff5dd9ba523bb6c6e3a452f1ff8c17cbeb29c2e60bdf842fdfbdebc2e75d3fe8bc

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    972f85a7a476cd5f9b9486ec247ec973

    SHA1

    e00d37617f2c6df526806d82695c423b92074af4

    SHA256

    f935e8751237eac185b3304a6944fc5d82aa007ea96e11cd084a2f76a9d5e780

    SHA512

    c68d9314ba29348f8e380b21e28b0aa75618f500c0ed8f768953eb2ba8245ea6ca120e194ba5186980182027b51527b1905aba3eb7a66082add1c66aefb4e23c

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    37eb5afa980db774bf93cba52d144bf7

    SHA1

    ee607708e3825e0ba0303f4d9c526c9f28398e7c

    SHA256

    d7f99b378ff7c2c18ba744cc7ea48536171f8f0574f5b2d3f646942ebe17e763

    SHA512

    5d84bc0ebc87ef4707927dca4f272379d8118d2f05f76f0362376a6ddf14d96780ff15120ebba3109ebd337041d3692bdd22050747392201160483cdcc4795a8

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    107KB

    MD5

    45a3713f7118d508d80bf080f727097a

    SHA1

    afe9fc8a05f9d6f9efd0da4cc01be22495fdd17a

    SHA256

    00ed761701fdea612ef60bd59c8419847ec00840a3f70e63acba2c67de57976a

    SHA512

    b79c9c676b8b93fde8b3a444d07f643dbd6618755ceb6035c056a26675f1ac8af2cc81752d3c5a5878bc60b3c63a60cf2df988507ef38a435a1a71a5dd7b2ab4

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    b370959c9c029edd772e164a1c15e00e

    SHA1

    84cc8dccc64334eaceb771d329c822518316ed5f

    SHA256

    a9b08eaf7ff5aeb5abae0a635edec67f9338fbee51f7ff795bb7a6ebf943493f

    SHA512

    8673417d7e3030c2d3c18a5363eb9bb91f5e8d54a74e9e8f62533f10159852e42e0aeff886843ffad5bce3178eccaaa0405f7662430b502f67e098157ff425ab

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize

    48B

    MD5

    2f0e51424e1c49678c4a96b825dc3564

    SHA1

    c1ad1438b01362913ee5fff39ee71778a6ec6132

    SHA256

    7f64a1ebd5ed5f09b1a930dac99e6eaba22d2e3918956ea834a77a722b2bd206

    SHA512

    712aaa26faafce2c3aa5177815fa96f350e9ff9f3997eb3fc24858026a4578e0ecfc37e5dbd601ca2ba66cf6748276ee58dd3b2525fad399195ec9f7b49774d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/1468-311-0x000000001B140000-0x000000001B150000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1468-280-0x0000000000530000-0x000000000053C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1468-676-0x000000001B140000-0x000000001B150000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-178-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-193-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-154-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-156-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-158-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-160-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-162-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-164-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-166-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-168-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-170-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-172-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-174-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-176-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-150-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-180-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-182-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-184-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-186-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-187-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-188-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-189-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-191-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-152-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-195-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-197-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-199-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-260-0x0000000004AE0000-0x0000000005084000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2828-261-0x0000000005100000-0x0000000005192000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2828-262-0x0000000005320000-0x000000000532A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2828-263-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-148-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-146-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-144-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-142-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-140-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-138-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-136-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-134-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-133-0x0000000004A80000-0x0000000004AAB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2828-264-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2828-265-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-266-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-267-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-268-0x00000000022C0000-0x00000000022D0000-memory.dmp

    Filesize

    64KB

    Download