Overview

overview

10

Static

static

3

03769899.exe

windows7-x64

10

03769899.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2023 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03769899.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>bDpxesejS3wfmXsBzLlWFygyxjZau0RfVewe/o00+XlYHJt2DVlIjIfWoNicQ92toG9Mv2aUzadVya243X4pMgKZI3zgnp7xA+m37pwg7ZFFD85uuy9LzxlbfYGvj7et15yroP+VvQJV/OOf6CNb3h0RYysV3QGkqIsmrsSevFgwN7xmbnzrKiof9bjvKM4BlNvSjxD23TqXyTEkgbgYzVgGw6Wy1QQs2Us6b6MrmENpowgSV9k7euGOuCmkN6+gjIko+b2Q3Mu4jO4YNm6WTna0Pf5KJqXzFOlyPlCyUCVELb4cL0TWB2Ep4V81Mxp9N8XQNQugBA6fvZ7PdA68lQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1926) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03769899.exe
    "C:\Users\Admin\AppData\Local\Temp\03769899.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1512

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    74ea39e862c8e54d3590fba9353bac41

    SHA1

    ad89637bc864c3cd550ccf60ff8a3e191433850d

    SHA256

    81c66371390457afa282490deab040ecd8cb61b460ebd84ee0346bdeef24054a

    SHA512

    506ba4a50ff16cfc58033c0f357798ad65f7aafc4a2881782e68eea8e44e7b4ce83c7ba343d891e0f7d7aa095a9dbe2ca2b764383559e19f5da196474df1015a

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    d357b7d0b2d27cd62874c87e70265a2c

    SHA1

    6e940a2418eb410d7f62418cbf40ad9d4723c6c9

    SHA256

    065bc98a8fbcecf98fe1709db5bc6e5b1f81f383d7e1f24f929be7a5b7073d20

    SHA512

    af9c60493b9a7e68ef6ab3ae978413df246f8d4f62cd7afaaf28b738e9783e1b950985a6ff2da8e385aed8cb023c228326af711497d62ae460b5395862cc4ee9

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    0c83eeaaa2e5dd91b7715508696d24d5

    SHA1

    35ce154cdf01448dfc9799ef53930d7645091357

    SHA256

    eaa01e333f1fe99a3fc0c55ec5ce125a0d7fb5b1a35a6af359c56c977089ddf3

    SHA512

    245e8704e582ce31b4eecd2e67234c933052105e038dd124e5db8e9b77a37391cde4fc87378da717a9e03c8db77bb45229fd5f8174dd8746afd31ea74685ac4e

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    d860a7cbca2fb2038265f1bcc2f95f0e

    SHA1

    857122b17229ad49a79e6f073b9862ec2f9d0627

    SHA256

    6ecfcaac8b5b1c17818b6df160dbe433d9600db4b091cf6413335285e39909b0

    SHA512

    6ba9489b2ca85881a557c95eb329dcd93a2d1f30cb5bf55bbac5c76d8f57ce11cd78243f8d29975afc12e949ea8c6b3d6d0d974913721f318bf64d36147e22bc

    Download Submit

  • C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.fantom
    Filesize

    11KB

    MD5

    a8db1a6a2bc710c010afcce364664be8

    SHA1

    fcaaccb63556e79b403fb7af66816ec4833674a3

    SHA256

    01510c8bd19636e322c5fb0823dbf87bd3dfd69f0fddd2c66504fa0c6141bc64

    SHA512

    0cb06fec04dc8c0f309c6bc1e3568d56730aeb5c6716c393de47201ab33caa82f9aa4a2e1ef4685f7616d4e848db701493084d029981534457608f8b43bc2be7

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt.fantom
    Filesize

    107KB

    MD5

    626a00d227fa47876041bdef8505f16f

    SHA1

    f01c75db9c25f0d07cfd31cbf28d701628d0b216

    SHA256

    eb97d15cda3a7b5623e5efb2123a28fdebaabf30785ea790788d933c91990ae6

    SHA512

    a7443f7f7dae3169de0566006c434b132e0782612122f6807706cf971778c445daa878daee4bfca0cab7364100df26ab6ba491faa46e1fafb77d8076de695820

    Download Submit

  • C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    c18f9ef88f38c38045daeede3bc02273

    SHA1

    7bbe2e8f8ac50d867783e883540b669b54272e97

    SHA256

    e436b1097b12a1b6ca69db568569aab9e8700e00faae50baa56880913c7da103

    SHA512

    7c3eb591df742ecafb24af032a77297eaa4ed8ef559d0f17adc64c69e09c09be8caf57e66f0befd771d1b3cdeba4c4642b138f60a5560dc239f2d504e0310cca

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize

    48B

    MD5

    6111dfd680780b720d88649d618a8847

    SHA1

    1be2ef4cc6eac7273cf9fdd744c42c0036c9dc51

    SHA256

    3894ed1893bdb2f0cb8fdf22f3e58f8947baa7faf82466aec61b5051935d511f

    SHA512

    67b3f5c5134749a6b5d418d1f74abd5b3a401a7fd3bac77081d72952f7ea2912695b33ecd08549ce1ebb0b39516bb4e43f3ba65d0a4af655558c33eea17ef53a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/1280-177-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-187-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-148-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-150-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-152-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-154-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-156-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-158-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-160-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-162-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-164-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-166-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-168-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-170-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-172-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-176-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-174-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-144-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-180-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-179-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-183-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-182-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-185-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-146-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-189-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-191-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-193-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-195-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-197-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-199-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-260-0x0000000004C30000-0x00000000051D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1280-261-0x0000000004B40000-0x0000000004BD2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1280-262-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-263-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-264-0x0000000005340000-0x000000000534A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1280-265-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-266-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-267-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-268-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1280-133-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-134-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-142-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-140-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-138-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1280-136-0x0000000004A60000-0x0000000004A8B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1512-325-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1512-280-0x0000000000870000-0x000000000087C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1512-678-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

    Filesize

    64KB

    Download