fantom | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

General

Target

Fantom.exe
Size

261KB
MD5

7d80230df68ccba871815d68f016c282
SHA1

e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256

f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512

64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
SSDEEP

3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score

10^/10

fantom evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>D6z0DpkDzYABHIsVkuTKNTz40znY4qzfx4GQqL7o7msGU2aoKQDn9y7nOAwkpwtPEcn0+hmg3HbKiz/6lKqAdU+VZrVvRwhCY+hLe+t4DStxK4L+AbxyJMkxxQoL+TBmC4Slr1QiMUY6H++f3dtOwdwScaC5BKUuI5kC2WaatMONtwGwvLP8lczXXClodiwxUcdelxFQ2j7WzMmhlv+smY4mUgAJ/gzaUCom3pZdSV+iOPVD5NypcIElG3iQ/f0G5MR0mifM0VrU4vv/ef5LsltGm/Rae8ZUqQssY32fMwHtO8bx0e6Dc9dd9QT+tR7w01gH59jHwDhNd7CLsOjTBg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Fantom.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation Fantom.exe
Executes dropped EXE 1 IoCs

Processes:

WindowsUpdate.exe

pid process

4756 WindowsUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Fantom.exe

pid	process
4756	WindowsUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

Fantom.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\BlockAdd.7z	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.WindowsDesktop.App.deps.json	Fantom.exe
File opened for modification	C:\Program Files\InitializeSync.htm	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.runtimeconfig.json	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\System\msadc\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Fantom.exe

pid process

4376 Fantom.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Fantom.exe

description pid process

Token: SeDebugPrivilege 4376 Fantom.exe

pid	process
4376	Fantom.exe

description	pid	process
Token: SeDebugPrivilege	4376	Fantom.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Fantom.exe

description	pid	process	target process
PID 4376 wrote to memory of 4756	4376	Fantom.exe	WindowsUpdate.exe
PID 4376 wrote to memory of 4756	4376	Fantom.exe	WindowsUpdate.exe

C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML
Filesize
1KB

MD5
5b815582a89d887ce4d6756171336e80

SHA1
8f46767c7867c613470d041aa7e5249018662781

SHA256
543989af2d34df456bed9813ea2f71b61fd2060efaed417bc93028bc6a1270a1

SHA512
b2b927d0c3182a71e64d8b324bd24edf3c2c19d4fe3ef0026008e7ede1113b541a580e5be924b5461bd52a37114fff9313f7c0c94e12da3f539dd665def6c4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
memory/4376-0-0x0000000002310000-0x0000000002342000-memory.dmp

Filesize
200KB

Download
memory/4376-1-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-2-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4376-3-0x0000000004A90000-0x0000000004AC2000-memory.dmp

Filesize
200KB

Download
memory/4376-4-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-5-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-7-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-9-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-11-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-13-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-15-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-17-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-19-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-21-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-23-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-25-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-27-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-29-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-31-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-33-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-35-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-37-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-39-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-41-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-43-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-45-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-47-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-49-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-51-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-53-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-55-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-57-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-59-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-61-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-63-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-65-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-67-0x0000000004A90000-0x0000000004ABB000-memory.dmp

Filesize
172KB

Download
memory/4376-128-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4376-129-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/4376-130-0x0000000004C00000-0x00000000051A4000-memory.dmp

Filesize
5.6MB

Download
memory/4376-131-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/4376-132-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/4376-133-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-134-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4376-135-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4376-136-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4376-137-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4376-138-0x0000000006000000-0x000000000600E000-memory.dmp

Filesize
56KB

Download
memory/4756-150-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/4756-151-0x00007FFA6A7B0000-0x00007FFA6B271000-memory.dmp

Filesize
10.8MB

Download
memory/4756-152-0x000000001B590000-0x000000001B5A0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing