Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

1

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/criticalupdate01.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>FaFiDegDFaAnOeXKzjekwCifOveufgcIoW08KT0bwFccjcanI7Atg+KkYxJyd4ZYbQERrmVtgVZpDyXA5Phphl22+D+8QPqfzT/0V7YGOFezBBThxgivZ/hZlUTxmKcGsBttIhR6X7hn7c2QOasictngefPfm+zutrziDoOgH1ClDOqJS6k4BeHeuEcPt4KfSrlP9crPbZqnFKew8tcjVrlQQNUqp8xm5+8DfvIl64VpSjo1t5WUP+MwIrZR4+4Sl+Il4MMRwVcl8dYp+ryNDwa0My+Zcp41GPBnf9/XiI/pChvqf5PHro5dGMFsFiBizE198ql7Wmsm7/hu1RsTiQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1453) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\criticalupdate01.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\criticalupdate01.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    8bbeb13e9466890c451fedc9cf929603

    SHA1

    1a63dd9c9885d5cb669a6c91eab4b52e9f451965

    SHA256

    95de27c7ef8790f61c898a3f3648b95df1907eef35fc32a21adde35925b3357a

    SHA512

    39f650ca2ff2eb164c198d286fe69cc427dd64b37489768d7b1cecc4f907d9b0d6b80cf655f28a7708c103e7bd34bcca6e47a881db287de79f49f399913d8030

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    68bf1424109a1ae70137e127c1356d41

    SHA1

    c211fb4a159a05b8bcdbbd57401055529f387cc1

    SHA256

    39bdf668e743e4ed308c015e76a89662658a07b8e28bf681eb79d4e2c28fed59

    SHA512

    a6e8c5e864bccdc9a26facb182d22df75bb01bbf9e1b981672614f78d077c30bacebe692f13616a57303cb993756ea6b792e19edb15bba5db2b7097b75fd3a3e

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    35a11b0aedd81b3ce3b5151d143b08ef

    SHA1

    3e9fe0fd88875715cd31dc7356f452c5fe088bd0

    SHA256

    a3d04d1ee7b63adfab66bcac712f3e550c91bf0de23a73ff27740e8dccaaf3e6

    SHA512

    24e90a87f2f7c7444851a7ffad13087e5466f5acf6672e7c25f208c4f5bd478cd1cc62abc45407715d3a8ba8cba995a451a9102d7a277cef21b1080921fcc7a9

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    e30024024ea4f43e69f645988b23105b

    SHA1

    2234afd858ecc553739b4e05b3778b0c2c289420

    SHA256

    065486ea4decac09dcc041691b40d3d987a27eee6e0e1d7c6fe8298a550a2e23

    SHA512

    a0a175527c48aa80845dd622b6d76ee66e8bce3a3857f897389a7ca202c6594d3d27ba1a3c39680e3bca4e0f32c7d1a9dfe8a7a027709ac87029b8653c38609e

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    2a93c5ffb71544c193e95f1ba13de96c

    SHA1

    179fc60c581744d687137602596c07dca4f5f9de

    SHA256

    e2dbba9c060aac43f56941e88262ffd7832c79af86983596a0aeb835fbe93150

    SHA512

    13aed5ae6cf5f1a147c6725b7a27adcbe259d333bbd8a305b524c949f2fe2652d4959f84b14590408e1b9937f300154e0103fe4d4eff368c82a1c4865aacd8d3

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    8cd7424cc53ffb8052d6c26d3a4a1948

    SHA1

    c6e0b2a8a25f099d7911839f3227a6ff2d7dedd2

    SHA256

    8544a4b7e8647847dea5234a2316c4bc51fe0ef7f0ad4db87ca4dccce8790d7d

    SHA512

    c5af091ae58a0e093e2b5d7b2d401bb7824baf69cd07753b6c18e59059505494dc57bafd51124b8e9056314730592e814f12e199f97631a1e5499777d6467918

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    089ff7666bc8bcf19efc56425c9e7af2

    SHA1

    8fdeb40e9b33d21d4450b5badb55b58e7d3798c8

    SHA256

    a915060f7e34c897440a8a7830e24df832605ca8c25a0ed920d4e71e2bd54158

    SHA512

    285f41fcb27a263c8dd214e300f7768a4bbbee0e5045fc65780c14af62601aed6a7a210cb96369b9c7ee93148d97dd8083efd7776dfd858717dfaad92cd13bbc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/956-644-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/956-614-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/956-613-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/956-143-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/956-142-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/956-141-0x00000000002E0000-0x00000000002EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/956-140-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-129-0x0000000074200000-0x00000000748EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2804-14-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-55-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-52-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-50-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-49-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-46-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-42-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-40-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-38-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-37-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-34-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-30-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-0-0x000000007420E000-0x000000007420F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-28-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-26-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-24-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-130-0x0000000074200000-0x00000000748EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2804-22-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-18-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-16-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-56-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-13-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-10-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-8-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-131-0x000000007420E000-0x000000007420F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-132-0x0000000074200000-0x00000000748EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2804-133-0x00000000020F0000-0x00000000020FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2804-60-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-62-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-64-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-66-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-69-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-20-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-32-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-58-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-44-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-6-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-5-0x0000000001FC0000-0x0000000001FEB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2804-4-0x0000000074200000-0x00000000748EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2804-3-0x0000000074200000-0x00000000748EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2804-2-0x0000000001FC0000-0x0000000001FF2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2804-1-0x0000000000570000-0x00000000005A2000-memory.dmp

    Filesize

    200KB

    Download