Overview

overview

10

Static

static

7

Ransomware...er.exe

windows7-x64

8

Ransomware...er.exe

windows10-2004-x64

8

Ransomware/7ev3n.exe

windows7-x64

Ransomware/7ev3n.exe

windows10-2004-x64

Ransomware...le.exe

windows7-x64

Ransomware...le.exe

windows10-2004-x64

Ransomware...it.exe

windows7-x64

10

Ransomware...it.exe

windows10-2004-x64

10

Ransomware/Birele.exe

windows10-2004-x64

10

Ransomware...r5.exe

windows7-x64

10

Ransomware...r5.exe

windows10-2004-x64

10

Ransomware...us.exe

windows7-x64

10

Ransomware...us.exe

windows10-2004-x64

10

Ransomware...er.exe

windows7-x64

10

Ransomware...er.exe

windows10-2004-x64

10

Ransomware...ll.exe

windows7-x64

9

Ransomware...ll.exe

windows10-2004-x64

7

Ransomware...ck.exe

windows7-x64

7

Ransomware...ck.exe

windows10-2004-x64

7

Ransomware/Dharma.exe

windows7-x64

9

Ransomware/Dharma.exe

windows10-2004-x64

9

Ransomware/Fantom.exe

windows7-x64

10

Ransomware/Fantom.exe

windows10-2004-x64

10

Ransomware...ab.exe

windows7-x64

10

Ransomware...ab.exe

windows10-2004-x64

10

Ransomware...ye.exe

windows7-x64

10

Ransomware...ye.exe

windows10-2004-x64

10

Ransomware...Eye.js

windows7-x64

10

Ransomware...Eye.js

windows10-2004-x64

10

Ransomware...pt.exe

windows7-x64

10

Ransomware...pt.exe

windows10-2004-x64

10

Ransomware...en.exe

windows7-x64

8

Resubmissions

03-03-2024 01:34

240303-by6ttsbe94 10

03-03-2024 01:31

240303-bxkj7sbe62 7

Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-03-2024 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>h24rlga3vA6Ays+5Fa8SXO5zpX2riynFqeUssXin8eW5WEk4tPpQ2G44UuVsIVcnLRrPkxQJuitzwcd7MYDxhRsBgVdQWW7ITc0FbvhId1N1selCUM2BWr/qLBIjHuH6Yx9ix+/mAh3qTHQIuwqaUdpHCbZlQAw/nc8+jYu72n3PbpvJeZhpluQb+Jr2B9MxuMTDNsWhtoNZQj64Fm01grqlmgCDugLStQioJryLgvaAAmzXFihJVFrmc58f2H5GKhc07646HKm7HTLwAY+14VOjLH/fi6HQBjemcw0YQ+EjPrLudq6EFP8j50V94cLI9mJBKfTD3x5KSdVsC3g5lg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1698) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    dbe8a3d32dec988ef1658bf95935cd11

    SHA1

    e37682e77d3dc925ab8f5e4be99c1fcc4d956223

    SHA256

    f74610120be4d99a8f9b92fab6f27de2627055c2054162923d8fa531a537a890

    SHA512

    11d297639f73df8765eea80732f774b08bfa62c7cf8d63f01140eca348de9b22b33947a1ee59fd6176fc99078f9c097918b7b3e0e13ca9aec8f30c195796c7d2

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    2cb2b105c5a70eb05bd188db2649f912

    SHA1

    73a524dd7c1bd70a57e2ed34d24bc49198065ab2

    SHA256

    d91029216110b7d1f924db2834fbeb4b8e4098e76e6e5b43d36cfbacb3808b72

    SHA512

    fac880bcfc621c3c69365cd28d8937c3e903a0259ecc29e72e6c39181c807c60d017b9262ca69205d78cfff8ad66bd13e2a92c601b8c4c9ebfffa2816c84e530

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    ceed9a2c10cc32c1325b8341c4db7762

    SHA1

    929c06eaf93109c27478234d4639077f0e7a7442

    SHA256

    92c121631f7d6fbc308887b2c656712fcf10f911de9ab33cb43ae9e8b311b65b

    SHA512

    c33c3ba0b282f6ab95d0c265820c393801bb559ec68425f0223dad3914a7bf2ecc415b4568121dc39f19ac0939e89477b333d517bd6705f326725ca880afa55f

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    d1578a39a097da8c93b43dbaab7ef32f

    SHA1

    c6cfe54ebbb97b130c8b2387546a2afb1071fa4f

    SHA256

    1c6cd6578a59aaa1d9e10724bd32a204abb7ff04918ac66c399a4140fc1c2399

    SHA512

    1b25458e4d74ec1f80f10992d905af3474287092e2c6078fd31c78f0ea1afd325eaff5c298be078b330968bfce7c7bdc52efff68dfdcf1e3aa4cff5d2cf5c9ca

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.fantom
    Filesize

    11KB

    MD5

    5770c23f6fc071b499ad39b552169456

    SHA1

    481af57cd54a79f4301178e533c2e48eee1415c1

    SHA256

    9b59ab3be87599c243945b63ba25f99c54cdd471c35c4b3cbc7af3eb8ec3efb0

    SHA512

    81f03bca3856d59be1ab27deb544a25a5bd921c6ec82fb0ac95ec07617161128249f646413409fb9dbf844842b482eccdb849cb95e2f0d51e62e5cf43123e6e3

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    58aaa95dabbf80004fe5558be11d216e

    SHA1

    c35702c19315634be92afa584b45535110c0f63d

    SHA256

    710d2d6a326e1c3c49d76b7d2eeebbc0c8c042f7ae52ed1be91797465178c904

    SHA512

    a17f0c79eb15f25790e8172695c56dac7443d5828cb775b130dcd9f5a00e55e7c2193e2eff4f9878e4643770e6321590267831af1c3071c523c8b29ee78387db

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    bf5f1647a9b9b76cc346330e299c1a00

    SHA1

    73c4e52c09cbef94a3f5810dd43861a277a619b7

    SHA256

    76850a34778f2005791505adb85f9fe4a3fdc06339368c4e8f9e2385626c13ef

    SHA512

    da5547aa8be4380b4f7b217a825470d514be558fbadbc4991fc3ecdc5b99410c57e8ec2225882869a0536b2e32c0cc965dfe869fcb81476517e39925b4237fbe

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/2376-171-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2376-150-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2376-145-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2376-691-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2376-653-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2376-652-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2376-144-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3024-61-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-27-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-29-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-33-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-37-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-41-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-47-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-49-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-53-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-57-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-59-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-65-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-69-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-67-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-63-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-19-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-55-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-51-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-45-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-43-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-39-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-35-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-31-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-25-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-23-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-21-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-17-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-13-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-9-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-130-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-131-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-132-0x0000000074830000-0x0000000074F1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3024-15-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-11-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-7-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-6-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3024-5-0x0000000002030000-0x0000000002062000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3024-4-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-3-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-2-0x0000000001F80000-0x0000000001FB2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3024-1-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-0-0x0000000074830000-0x0000000074F1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3024-133-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-134-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-135-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-136-0x0000000002120000-0x0000000002160000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-137-0x0000000002100000-0x000000000210E000-memory.dmp

    Filesize

    56KB

    Download