Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ransomware...3n.exe

windows7-x64

ransomware...3n.exe

windows10-2004-x64

ransomware...le.exe

windows7-x64

ransomware...le.exe

windows10-2004-x64

ransomware...it.exe

windows7-x64

10

ransomware...it.exe

windows10-2004-x64

10

ransomware...le.exe

windows10-2004-x64

10

ransomware... 5.exe

windows7-x64

10

ransomware... 5.exe

windows10-2004-x64

10

ransomware...de.exe

windows7-x64

10

ransomware...de.exe

windows10-2004-x64

10

ransomware...ck.exe

windows7-x64

7

ransomware...ck.exe

windows10-2004-x64

7

ransomware...ye.exe

windows7-x64

6

ransomware...ye.exe

windows10-2004-x64

6

ransomware...ap.exe

windows7-x64

6

ransomware...ap.exe

windows10-2004-x64

6

ransomware...ya.exe

windows7-x64

1

ransomware...ya.exe

windows10-2004-x64

3

ransomware...om.exe

windows7-x64

10

ransomware...om.exe

windows10-2004-x64

10

ransomware...ab.exe

windows7-x64

10

ransomware...ab.exe

windows10-2004-x64

10

ransomware...ye.exe

windows7-x64

10

ransomware...ye.exe

windows10-2004-x64

10

ransomware...ni.exe

windows7-x64

10

ransomware...ni.exe

windows10-2004-x64

10

ransomware...pt.exe

windows7-x64

10

ransomware...pt.exe

windows10-2004-x64

10

ransomware...ya.exe

windows7-x64

7

ransomware...ya.exe

windows10-2004-x64

7

ransomware...en.exe

windows7-x64

8

Resubmissions

05/02/2025, 08:52 UTC

250205-ksw7wa1kap 10

15/03/2024, 21:38 UTC

240315-1hdksabg4x 10

Analysis

  • max time kernel
    179s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/03/2024, 21:38 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomwares/Fantom/Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>WdR7m3kx+e715b5elU5/wv2ER2lBxOuVRkB0abOjjQWcTX8KA0WxGsSi3QodTAanuTn+iwZYHDb/+4jw+54yjRfAn4N8VRJJepdleo+9+KTW2WHh0LOss+P6Rbghf97mDvqs8DUHTmZ9PJM/0C4U8KKUdd56GUVh+kyhWLp6+skBps3A8TTzCnhzgmjUhUhkSSCQmO4zIp9W3AaSAyyxyk0iRkkiG3fgvyTDs55KEI+CjpClDDKMlRXpRozwY+/lxWN84EmZAguw205zOTeflAB/sst4btLCOO5USPt2RsivvON5mfjlee8MYwEZeKhZy2nLSlef08uIcqWAdCFvTA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>
Emails

fantomd12@yandex.ru

fantom12@techemail.com

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1615) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:3064

Network

  • flag-us
    DNS
    powertoolsforyou.com
    Fantom.exe
    Remote address:
    8.8.8.8:53
    Request
    powertoolsforyou.com
    IN A
    Response
No results found
  • 8.8.8.8:53
    powertoolsforyou.com
    dns
    Fantom.exe
    66 B
     139 B
     1
    1

    DNS Request

    powertoolsforyou.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    85c814e1aa1a1e29cf5edd6fb4d217b7

    SHA1

    86606a7496145dd76572e317a98460a0ad1190eb

    SHA256

    1e3c0d8dd7f253f9cd8ea4d21fbd3281361909a8773e441c4dcc71384f830720

    SHA512

    77c19631b8f283fb08170404bf193a2efa20942246762da199f2da22aed35589dd4b3e496b9fe5affe6080359b2eac4a71cc9e957319590d577936dbd5917ee9

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    9fc20dff9ce286b4a6c9a80eeaac7e94

    SHA1

    bce0321f33279b30b5a83db389561b1b4f7d7352

    SHA256

    0735d85902ac47ec8e1abf4521dadb63815b14f75e71b2a163b5326c419c32ba

    SHA512

    866b74318861886757101d90efadacdbc27aae22f769ddbf232c08f1434bcb5ea246f0ab75bde475af40b167906e6ff519da7f9d51a1217712cf515b42844789

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    b4c2e423b3dd7756d69c7eec216fc377

    SHA1

    5d7b1c463b642e96d856657562e5940a58aef879

    SHA256

    a592883e659380d868ca283dbe50a00c18f2b9e11761438ddd2ac7c47d21054b

    SHA512

    bd341849770df5056c6627811a9c6fe64c0002e4a6849a340a7b81d6a1531b54884584aa6ce5237550ba683ac1c3cc09dad561d25729cf94238339b145dac744

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    2KB

    MD5

    418d79ee46233cdb3856ab8338239798

    SHA1

    0928519d2502e0e6ac56b4a5c2ac6a2ef4632a9f

    SHA256

    d79daeaeee51bdd165b10a97ea8c78160c2c2812979aab52bee194eaf3414e87

    SHA512

    f478b4e56cc83c293fde30ef264f3f9845b1a5715868422c506fe07d174eb10fd307e6497ab670160ffe325adb8fd272b68a9d2b27dfe47172dac31e8940c2f1

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    bfdec23dc6050b9fa479c1d66a2f1ad5

    SHA1

    3fbfb2e3a3847555ce7e89f8d5b689ec5b3b9643

    SHA256

    04280efaf3dc47ca12a12a6bec6bdc10a69f6271e8bb279f57bdff5ea807188b

    SHA512

    8e6d5075350f50a16bd98d1255bc30e792ce9eba662363f0ef26695b936a43387fd32751b8d640711d23afdb435a68302f3214985bde25ce1fe632d84d675670

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    9b2fe45cf534890e2c938010e879ed06

    SHA1

    332fc3a0d35110c0097c99e676f2ef2f48cc98fc

    SHA256

    1289c4b9d1c86690799b645745c3d8ad67dfe2d028f710e7a5b7d90ab601cfb6

    SHA512

    c0b38c9a8b37331fb7e87fcc798c1a6a622eee08f0674711e5cd046e028307b70c1a31f04c1b69371ed00d5bc199a7526d5e2bd17877b2553ee1619bfcf33d7a

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    716334644a4fc4e02a2a46c336f5ad4a

    SHA1

    5f75ea4448fa3a3827213e709c452bc6864f394b

    SHA256

    e8fe656dc4999d29ccf986c005932c4cd345c5c6b1bd3ad84ac16f0ca6011500

    SHA512

    a15040dcd5aea4d2c8c288f008c7005f28530f91115e91078146ec470173919322913ae9b0a9d2d93421e14f21fb7aa6a41c06ab94aa72242c204e3fb071d8a0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/2644-50-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-60-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-14-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-16-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-18-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-20-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-22-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-24-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-26-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-28-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-30-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-32-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-34-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-36-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-38-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-42-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-40-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-44-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-46-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-48-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-0-0x0000000074640000-0x0000000074D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2644-52-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-54-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-56-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-58-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-12-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-62-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-64-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-66-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-68-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-129-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-130-0x00000000020E0000-0x00000000020E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2644-131-0x0000000074640000-0x0000000074D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2644-132-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-133-0x0000000004810000-0x000000000481E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2644-10-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-1-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-2-0x00000000004D0000-0x0000000000502000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2644-3-0x0000000004830000-0x0000000004870000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-4-0x0000000004690000-0x00000000046C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2644-8-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-5-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2644-6-0x0000000004690000-0x00000000046BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3064-660-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-659-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-658-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-179-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-166-0x000000001B290000-0x000000001B310000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3064-141-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-140-0x0000000000B00000-0x0000000000B0C000-memory.dmp

    Filesize

    48KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.