Overview

overview

10

Static

static

10

ransomware...3n.exe

windows7-x64

ransomware...3n.exe

windows10-2004-x64

ransomware...le.exe

windows7-x64

ransomware...le.exe

windows10-2004-x64

ransomware...it.exe

windows7-x64

10

ransomware...it.exe

windows10-2004-x64

10

ransomware...le.exe

windows10-2004-x64

10

ransomware... 5.exe

windows7-x64

10

ransomware... 5.exe

windows10-2004-x64

10

ransomware...de.exe

windows7-x64

10

ransomware...de.exe

windows10-2004-x64

10

ransomware...ck.exe

windows7-x64

7

ransomware...ck.exe

windows10-2004-x64

7

ransomware...ye.exe

windows7-x64

6

ransomware...ye.exe

windows10-2004-x64

6

ransomware...ap.exe

windows7-x64

6

ransomware...ap.exe

windows10-2004-x64

6

ransomware...ya.exe

windows7-x64

6

ransomware...ya.exe

windows10-2004-x64

6

ransomware...om.exe

windows7-x64

10

ransomware...om.exe

windows10-2004-x64

10

ransomware...ab.exe

windows7-x64

10

ransomware...ab.exe

windows10-2004-x64

10

ransomware...ye.exe

windows7-x64

10

ransomware...ye.exe

windows10-2004-x64

10

ransomware...ni.exe

windows7-x64

10

ransomware...ni.exe

windows10-2004-x64

10

ransomware...pt.exe

windows7-x64

10

ransomware...pt.exe

windows10-2004-x64

10

ransomware...ya.exe

windows7-x64

7

ransomware...ya.exe

windows10-2004-x64

7

ransomware...en.exe

windows7-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-03-2024 04:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomwares/Fantom/Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>cEMvmbtz5IQ+qoxRFRsGSPwjOMo/s+x1B7TV8GLr2JviqHPSkSP7hPJiasy2BA0ZZy8XuNaUtgpUWyWD3Pbjz6kzF4xCAE8xxPril+PT/X8k2yM1SEVCJxj63fkB9b4fakcWc2Kzqv4v2Imi3Rf6PPGLRs3ddzWAqb6G6MpfRPNRYasEjtGd2On5giXgBNEISZexketEbHpkI8n8IAxt05YhdhxVAXxM0Aabe2PM4bxHpFh/iiF/25p1C93hF1t7oJouCS4h0dYWdTLUosgdNhPfg5kTdREkL5yPIzrU1NJiMNZ5LXgVjJlGyxicTiwL20lYGDiiOg2dxPNxPVTHPQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>
Emails

fantomd12@yandex.ru

fantom12@techemail.com

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1455) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    9f6e1dcca0384956bdb22e75943c1303

    SHA1

    f84a76790bf4bf3255f1c82eb65b702e3a15514e

    SHA256

    e95963f292edca6f1916c8218c76a23803633efbc87925ca217228321fb8063a

    SHA512

    9cfa8c9a391b5d329572e54274c43fb15c5526c409462ca18f11e822ba2ed07784b9bbd8c4d938c1d6723676d6ea2ca914a1f0a43b041fe5eebdfdbf5a9a511a

    Download Submit
  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    028a53d17b2485eab6f3469fc0a1b87d

    SHA1

    b50b33429a990d8bea3ddc5634b16ac07b892adc

    SHA256

    e648a336a51655100eb3c54891430b3127ed88fc25c9a4f752db35e954983bbb

    SHA512

    149d6de81bd47f64a9f6e5eab01512f3a90e98cc45b6da7372f77665ed98f880ef3bd799847462c430a19455e7c29d2c6773551b5b79329609a4b9f9312781bb

    Download Submit
  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    075d148188c9290e023d09cafa4fd60e

    SHA1

    13907a223659f406c283174259d788133573ceb8

    SHA256

    383fd9cee14a78d5de56098001b1112f578faa47145b170d083f1b7dd1f3b4dc

    SHA512

    a19b0057078ec35581846fc5c5d5b87ca1d4f7e1740e00ffeca7de3aeb8348b41d735af6717a99a9ef1666aeb3e2db020bf630d270c3a9c2e6188052a819402e

    Download Submit
  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    9d8d2da0d3b3d530be49802e05d94890

    SHA1

    51a269486151ec77882f447823fc4d1d690e42a7

    SHA256

    0d5f6f392e609f5752af7ad92806a1482f722ee674c8bd1d89364fb4576038fe

    SHA512

    a8a2d5ea79b3774b28a3576639a1d2a3ee393fff805cbea2927348832ae6903dcf39e745a2697d1fc35c80d527695c971443a5ab28b99a5207ca8b05568c2f45

    Download Submit
  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    2cabe8be57c18f63f5d4e7a3c0873cbb

    SHA1

    5af1522db3155301e412e7ff0a3b28899ccf7929

    SHA256

    fec078edfbbfeb9824e39293e2ee9e69b349d062996cb301f80f7e3523af2da9

    SHA512

    6e256cb1bcb15439d58084fcabd642d1c3f0a78650be8ac4d00b078803d6a083e69a5776a2df2726bfbb96288b9e913627df4ec76850feb8a6f3117673f9130a

    Download Submit
  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    7dae6e5c1dbb9f981eadf95a0ca62cf4

    SHA1

    2e6ac0a25dbddfe38953d54fff18baac38b2e5fd

    SHA256

    ffbd1dd8472ecc6063d2ede4c5f9aa185f9e0665daf4535ba22ae50d08feda2b

    SHA512

    74772d1f2c4eb69967b8766b4628fa6208646ade0e8ca800027a3ed8c8e092c1c586d3e51e80fd3cd6d5a9f25c65c1a0b0845a4e6fabf879954173f9503500f3

    Download Submit
  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    7d360174ec06c80a89cd6be463a8ab20

    SHA1

    483c58eaa95433b39aa0cc7fd8cc0616453726bf

    SHA256

    86c15db51284103c3c23f15c3c019a1ba4e7fc868e74bc29ad8b300cfea451db

    SHA512

    39d280fcd3df9fd8762fa99342df250d76f89b7e499e8b322d60c130808708b90de070360571194b8c7cfb4fc8c2b9d1075a5be7debecc4746b4a49507c52a2d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit
  • memory/1196-651-0x000000001B2D0000-0x000000001B350000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1196-650-0x000000001B2D0000-0x000000001B350000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1196-649-0x000007FEF5740000-0x000007FEF612C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1196-278-0x000000001B2D0000-0x000000001B350000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1196-244-0x000000001B2D0000-0x000000001B350000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1196-178-0x000007FEF5740000-0x000007FEF612C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1196-143-0x0000000001190000-0x000000000119C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1692-54-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-129-0x0000000001FE0000-0x0000000002020000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1692-28-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-32-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-30-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-34-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-36-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-38-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-40-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-42-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-44-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-46-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-50-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-52-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-48-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-0-0x0000000074390000-0x0000000074A7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1692-56-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-60-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-58-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-62-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-64-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-68-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-66-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-24-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-130-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1692-131-0x0000000074390000-0x0000000074A7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1692-132-0x0000000001FE0000-0x0000000002020000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1692-133-0x0000000001FE0000-0x0000000002020000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1692-134-0x0000000001FE0000-0x0000000002020000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1692-135-0x0000000001FE0000-0x0000000002020000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1692-136-0x0000000004D00000-0x0000000004D0E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1692-26-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-22-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-20-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-16-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-18-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-14-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-12-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-10-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-8-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-6-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-5-0x0000000001FB0000-0x0000000001FDB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1692-4-0x0000000001FB0000-0x0000000001FE2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1692-3-0x0000000001FE0000-0x0000000002020000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1692-2-0x0000000001F40000-0x0000000001F72000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1692-1-0x0000000001FE0000-0x0000000002020000-memory.dmp
    Filesize

    256KB

    Download