Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-03-2024 04:49
Tasks (task id: sample, resource)
- static1: static task
- behavioral1: ransomwares/7ev3n/7ev3n.exe, win7-20240221-en
- behavioral2: ransomwares/7ev3n/7ev3n.exe, win10v2004-20240226-en
- behavioral3: ransomwares/Annabelle/Annabelle.exe, win7-20240215-en
- behavioral4: ransomwares/Annabelle/Annabelle.exe, win10v2004-20240226-en
- behavioral5: ransomwares/BadRabbit/BadRabbit.exe, win7-20240221-en
- behavioral6: ransomwares/BadRabbit/BadRabbit.exe, win10v2004-20240226-en
- behavioral7: ransomwares/Birele/Birele.exe, win10v2004-20240226-en
- behavioral8: ransomwares/Cerber 5/Cerber 5.exe, win7-20240221-en
- behavioral9: ransomwares/Cerber 5/Cerber 5.exe, win10v2004-20240226-en
- behavioral10: ransomwares/Darkside/Darkside.exe, win7-20240221-en
- behavioral11: ransomwares/Darkside/Darkside.exe, win10v2004-20240226-en
- behavioral12: ransomwares/DeriaLock/DeriaLock.exe, win7-20240221-en
- behavioral13: ransomwares/DeriaLock/DeriaLock.exe, win10v2004-20240226-en
- behavioral14: ransomwares/Fake GoldenEye/FakeGoldenEye.exe, win7-20240215-en
- behavioral15: ransomwares/Fake GoldenEye/FakeGoldenEye.exe, win10v2004-20240226-en
- behavioral16: ransomwares/Fake PetrWrap/FakePetrWrap.exe, win7-20231129-en
- behavioral17: ransomwares/Fake PetrWrap/FakePetrWrap.exe, win10v2004-20240226-en
- behavioral18: ransomwares/FakePetya/FakePetya.exe, win7-20240221-en
- behavioral19: ransomwares/FakePetya/FakePetya.exe, win10v2004-20240226-en
- behavioral20: ransomwares/Fantom/Fantom.exe, win7-20240221-en
- behavioral21: ransomwares/Fantom/Fantom.exe, win10v2004-20240226-en
- behavioral22: ransomwares/GandCrab/GandCrab.exe, win7-20240221-en
- behavioral23: ransomwares/GandCrab/GandCrab.exe, win10v2004-20240226-en
- behavioral24: ransomwares/GoldenEye/GoldenEye.exe, win7-20240215-en
- behavioral25: ransomwares/GoldenEye/GoldenEye.exe, win10v2004-20240226-en
- behavioral26: ransomwares/Huzuni/Huzuni.exe, win7-20240221-en
- behavioral27: ransomwares/Huzuni/Huzuni.exe, win10v2004-20240226-en
- behavioral28: ransomwares/InfinityCrypt/InfinityCrypt.exe, win7-20240221-en
- behavioral29: ransomwares/InfinityCrypt/InfinityCrypt.exe, win10v2004-20240226-en
- behavioral30: ransomwares/JanusPetya/JanusPetya.exe, win7-20240221-en
- behavioral31: ransomwares/JanusPetya/JanusPetya.exe, win10v2004-20231215-en
- behavioral32: ransomwares/Krotten/Krotten.exe, win7-20240220-en
General
- Target: ransomwares/Fantom/Fantom.exe
- Size: 261KB
- MD5: 7d80230df68ccba871815d68f016c282
- SHA1: e10874c6108a26ceedfc84f50881824462b5b6b6
- SHA256: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
- SHA512: 64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- SSDEEP: 3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Malware Config
- Extracted: C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
Signatures
- Fantom: ransomware that hides its encryption process behind a fake Windows Update screen.
- Renames multiple (1455) files with an added filename extension. This suggests ransomware activity: encrypting all the files on the system.
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC): PID 1196, WindowsUpdate.exe
- Loads dropped DLL (1 IoC): PID 1692, Fantom.exe
- Drops file in Program Files directory (64 IoCs, Fantom.exe)
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC): PID 1692, Fantom.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC): PID 1692, Fantom.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs): PID 1692 (Fantom.exe) wrote to memory of PID 1196 (WindowsUpdate.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe, command line "C:\Users\Admin\AppData\Local\Temp\ransomwares\Fantom\Fantom.exe", PID 1692
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe, command line "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe", PID 1196
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads