Overview

overview

10

Static

static

10

ransomware...3n.exe

windows7-x64

ransomware...3n.exe

windows10-2004-x64

ransomware...le.exe

windows7-x64

ransomware...le.exe

windows10-2004-x64

ransomware...it.exe

windows7-x64

10

ransomware...it.exe

windows10-2004-x64

10

ransomware...le.exe

windows10-2004-x64

10

ransomware... 5.exe

windows7-x64

10

ransomware... 5.exe

windows10-2004-x64

10

ransomware...de.exe

windows7-x64

10

ransomware...de.exe

windows10-2004-x64

10

ransomware...ck.exe

windows7-x64

7

ransomware...ck.exe

windows10-2004-x64

7

ransomware...ye.exe

windows7-x64

6

ransomware...ye.exe

windows10-2004-x64

6

ransomware...ap.exe

windows7-x64

6

ransomware...ap.exe

windows10-2004-x64

6

ransomware...ya.exe

windows7-x64

1

ransomware...ya.exe

windows10-2004-x64

3

ransomware...om.exe

windows7-x64

10

ransomware...om.exe

windows10-2004-x64

10

ransomware...ab.exe

windows7-x64

10

ransomware...ab.exe

windows10-2004-x64

10

ransomware...ye.exe

windows7-x64

10

ransomware...ye.exe

windows10-2004-x64

10

ransomware...ni.exe

windows7-x64

10

ransomware...ni.exe

windows10-2004-x64

10

ransomware...pt.exe

windows7-x64

10

ransomware...pt.exe

windows10-2004-x64

10

ransomware...ya.exe

windows7-x64

7

ransomware...ya.exe

windows10-2004-x64

7

ransomware...en.exe

windows7-x64

8

Analysis

  • max time kernel
    179s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2024 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomwares/Fantom/Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>WdR7m3kx+e715b5elU5/wv2ER2lBxOuVRkB0abOjjQWcTX8KA0WxGsSi3QodTAanuTn+iwZYHDb/+4jw+54yjRfAn4N8VRJJepdleo+9+KTW2WHh0LOss+P6Rbghf97mDvqs8DUHTmZ9PJM/0C4U8KKUdd56GUVh+kyhWLp6+skBps3A8TTzCnhzgmjUhUhkSSCQmO4zIp9W3AaSAyyxyk0iRkkiG3fgvyTDs55KEI+CjpClDDKMlRXpRozwY+/lxWN84EmZAguw205zOTeflAB/sst4btLCOO5USPt2RsivvON5mfjlee8MYwEZeKhZy2nLSlef08uIcqWAdCFvTA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1615) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    85c814e1aa1a1e29cf5edd6fb4d217b7

    SHA1

    86606a7496145dd76572e317a98460a0ad1190eb

    SHA256

    1e3c0d8dd7f253f9cd8ea4d21fbd3281361909a8773e441c4dcc71384f830720

    SHA512

    77c19631b8f283fb08170404bf193a2efa20942246762da199f2da22aed35589dd4b3e496b9fe5affe6080359b2eac4a71cc9e957319590d577936dbd5917ee9

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    9fc20dff9ce286b4a6c9a80eeaac7e94

    SHA1

    bce0321f33279b30b5a83db389561b1b4f7d7352

    SHA256

    0735d85902ac47ec8e1abf4521dadb63815b14f75e71b2a163b5326c419c32ba

    SHA512

    866b74318861886757101d90efadacdbc27aae22f769ddbf232c08f1434bcb5ea246f0ab75bde475af40b167906e6ff519da7f9d51a1217712cf515b42844789

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    b4c2e423b3dd7756d69c7eec216fc377

    SHA1

    5d7b1c463b642e96d856657562e5940a58aef879

    SHA256

    a592883e659380d868ca283dbe50a00c18f2b9e11761438ddd2ac7c47d21054b

    SHA512

    bd341849770df5056c6627811a9c6fe64c0002e4a6849a340a7b81d6a1531b54884584aa6ce5237550ba683ac1c3cc09dad561d25729cf94238339b145dac744

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    2KB

    MD5

    418d79ee46233cdb3856ab8338239798

    SHA1

    0928519d2502e0e6ac56b4a5c2ac6a2ef4632a9f

    SHA256

    d79daeaeee51bdd165b10a97ea8c78160c2c2812979aab52bee194eaf3414e87

    SHA512

    f478b4e56cc83c293fde30ef264f3f9845b1a5715868422c506fe07d174eb10fd307e6497ab670160ffe325adb8fd272b68a9d2b27dfe47172dac31e8940c2f1

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    bfdec23dc6050b9fa479c1d66a2f1ad5

    SHA1

    3fbfb2e3a3847555ce7e89f8d5b689ec5b3b9643

    SHA256

    04280efaf3dc47ca12a12a6bec6bdc10a69f6271e8bb279f57bdff5ea807188b

    SHA512

    8e6d5075350f50a16bd98d1255bc30e792ce9eba662363f0ef26695b936a43387fd32751b8d640711d23afdb435a68302f3214985bde25ce1fe632d84d675670

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    9b2fe45cf534890e2c938010e879ed06

    SHA1

    332fc3a0d35110c0097c99e676f2ef2f48cc98fc

    SHA256

    1289c4b9d1c86690799b645745c3d8ad67dfe2d028f710e7a5b7d90ab601cfb6

    SHA512

    c0b38c9a8b37331fb7e87fcc798c1a6a622eee08f0674711e5cd046e028307b70c1a31f04c1b69371ed00d5bc199a7526d5e2bd17877b2553ee1619bfcf33d7a

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    716334644a4fc4e02a2a46c336f5ad4a

    SHA1

    5f75ea4448fa3a3827213e709c452bc6864f394b

    SHA256

    e8fe656dc4999d29ccf986c005932c4cd345c5c6b1bd3ad84ac16f0ca6011500

    SHA512

    a15040dcd5aea4d2c8c288f008c7005f28530f91115e91078146ec470173919322913ae9b0a9d2d93421e14f21fb7aa6a41c06ab94aa72242c204e3fb071d8a0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/2644-50-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-60-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-14-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-16-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-18-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-20-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-22-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-24-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-26-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-28-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-30-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-32-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-34-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-36-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-38-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-42-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-40-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-44-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-46-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-48-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-0-0x0000000074640000-0x0000000074D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2644-52-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-54-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-56-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-58-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-12-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-62-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-64-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-66-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-68-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-129-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-130-0x00000000020E0000-0x00000000020E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2644-131-0x0000000074640000-0x0000000074D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2644-132-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-133-0x0000000004810000-0x000000000481E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2644-10-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-1-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-2-0x00000000004D0000-0x0000000000502000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2644-3-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-4-0x0000000004690000-0x00000000046C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2644-8-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-5-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-6-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3064-660-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-659-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-658-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-179-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-166-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-141-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-140-0x0000000000B00000-0x0000000000B0C000-memory.dmp

    Filesize

    48KB

    Download