Overview

overview

10

Static

static

3

Fantom.exe

windows10-2004-x64

10

Resubmissions

01-03-2024 01:41

240301-b4azcaab57 10

01-03-2024 01:37

240301-b1xc6sab23 10

Analysis

  • max time kernel
    55s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-03-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>D6z0DpkDzYABHIsVkuTKNTz40znY4qzfx4GQqL7o7msGU2aoKQDn9y7nOAwkpwtPEcn0+hmg3HbKiz/6lKqAdU+VZrVvRwhCY+hLe+t4DStxK4L+AbxyJMkxxQoL+TBmC4Slr1QiMUY6H++f3dtOwdwScaC5BKUuI5kC2WaatMONtwGwvLP8lczXXClodiwxUcdelxFQ2j7WzMmhlv+smY4mUgAJ/gzaUCom3pZdSV+iOPVD5NypcIElG3iQ/f0G5MR0mifM0VrU4vv/ef5LsltGm/Rae8ZUqQssY32fMwHtO8bx0e6Dc9dd9QT+tR7w01gH59jHwDhNd7CLsOjTBg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (152) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:4756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    5b815582a89d887ce4d6756171336e80

    SHA1

    8f46767c7867c613470d041aa7e5249018662781

    SHA256

    543989af2d34df456bed9813ea2f71b61fd2060efaed417bc93028bc6a1270a1

    SHA512

    b2b927d0c3182a71e64d8b324bd24edf3c2c19d4fe3ef0026008e7ede1113b541a580e5be924b5461bd52a37114fff9313f7c0c94e12da3f539dd665def6c4f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/4376-0-0x0000000002310000-0x0000000002342000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4376-1-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4376-2-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4376-3-0x0000000004A90000-0x0000000004AC2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4376-4-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-5-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-7-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-9-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-11-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-13-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-15-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-17-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-19-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-21-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-23-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-25-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-27-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-29-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-31-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-33-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-35-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-37-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-39-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-41-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-43-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-45-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-47-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-49-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-51-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-53-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-55-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-57-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-59-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-61-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-63-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-65-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-67-0x0000000004A90000-0x0000000004ABB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4376-128-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4376-129-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4376-130-0x0000000004C00000-0x00000000051A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4376-131-0x00000000051B0000-0x0000000005242000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4376-132-0x0000000005280000-0x000000000528A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4376-133-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4376-134-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4376-135-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4376-136-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4376-137-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4376-138-0x0000000006000000-0x000000000600E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4756-150-0x00000000007E0000-0x00000000007EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4756-151-0x00007FFA6A7B0000-0x00007FFA6B271000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4756-152-0x000000001B590000-0x000000001B5A0000-memory.dmp

    Filesize

    64KB

    Download