Overview

overview

10

Static

static

3

f4234a501e...0b.exe

windows7-x64

10

f4234a501e...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>omJajWGQQ/ML0LJd2z0OfROUe3fcK9X70WbQA0gHHfk7KLGWxlOKuRb/gaKJ4iMuG7MY+ywjBr4qgRR9K5BcoIHcULjqBQYWERw8cXexsoH4yLn/nvtrrRjKAxbFIEFDxdu1xHhZtmVEd3FOVF27P/n9Kxw7XyjOhS+IlOCNrCYfrys1RHu4SclqS8Mv6+OdtcSi0UDZwnv6EBLHXS36XuSx/MhflUXyz80+BLE+pksX2gL5ejeNtoflK3JNA5SIBy5Rw5GmtwV6tpFYB2MYFTJtaC+sjY1QP3isp0FYeWoCEqxwtMlyMiadG7x/iD20nrl6qjMzaR/8nLtb0kPA+g==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1450) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
    "C:\Users\Admin\AppData\Local\Temp\f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    ced18124cb19cc38db9c6bf56cd23068

    SHA1

    ae02f320bde1b3257715d26b4df0e94abcc8581b

    SHA256

    0659d1dda2f65b2ae890e625288bcb451c5cefbc5b2fa49cd0ebaff649e36333

    SHA512

    9db4edcdc108520fe674d1975211e776d5446cbca63aee64fc53fcf00c57e9aadc92b3794b081428a834acff12d388b5e6e6b761d498cb4f2ccb3b670c40517b

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    24b9bfdddbdec944709336de34fcfd0a

    SHA1

    b7a49cf0f27746866dca03023e89049c7b0202fc

    SHA256

    7352c4f3da7b381d424276c763955144875cf6a5efa2dfc251d5f314b76ee7fb

    SHA512

    a7cff7b98938830bdbd7d41dfaf76b763ed7539fc6ff5d7a4bdadccd7844862e6c6ac671855061b12c2e43d0778a6f5dfdc7271cb3185fe13bfe84e581c3cf7f

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    65e8cbd6d94d404da5c6bb56c9ffba30

    SHA1

    42c4559e8c69f7a0ab0971a6c560130327b87fdf

    SHA256

    89516532dfcb9af954fffa67eef669bdf4ded934acb31fca657f05341d698a4b

    SHA512

    24d6d9b90c84ffa60f4b1fd3b054eb2443b9b626b4faba1277d179afdf40e15b077132cf870ce7c85da230e383f4998e163bc4259d5e37a47b75bb8984292a32

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    55809d8cccf3ddea2d73e086a382c16a

    SHA1

    c194ec18a4f9dc5ec4f0a712470b130604d4af74

    SHA256

    118068a964808a3344971d49445e23d50fa125d579c59e16154a62959ced6eaa

    SHA512

    213ab4ed2e804178bb4e4c081fc01a2a4a179b65083a1fd8a029942635d6bc90f467b65766a30a8613524d9a7438d3d08fe113d907a5dfccdded23f5ec3c1451

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    073f906ca842a17e25dd359de4cb13e1

    SHA1

    cd76e0daa1ec6da7302aca25b0739fa18cfa3bff

    SHA256

    45fcd83fb3ba902591c6fd5042659a0229b4a55e744b3677606c69a7cd3512b7

    SHA512

    841f69285fe53117dd828d6c42c096d4a7db4787131531dd7e1313a241d72b3425c93562397c784b76af61d30d66ceaa7e5383b2223386c51cd7ad202303ba56

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    841f7a1dd9fc87c82e7d364289e71a12

    SHA1

    90bf844f860f1349ba034ed9f4559a1866a27129

    SHA256

    d315fc80f064c656921cd67ea4a714c9e072636219fe497b3789800d532bd369

    SHA512

    73923711d80c959f3a5cb45afa0dbc2fc68a76ce9daedc28dd7a919effa3342d85abef389773fa394564d060fab90929f5bc7fd2a7fdf3609d32ec9f23b99061

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    df37520793fd87e047fdc399b53b34c8

    SHA1

    5dfaba327b905ae8075abf99567a00be4e3f7488

    SHA256

    7121e2b323b32a99821d6f1b7c19ace5d3af1fecef809076cbb8af853a9c8ddf

    SHA512

    55a4aea6921837913c765f0b33f9c6a4de745c8bd21700823c2dfcdad0b002a12d1785d94832a507dc178f8a3c9393f28feddcf35002c417dabcd042affce7b1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/560-24-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-12-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-62-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-60-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-58-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-54-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-52-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-51-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-48-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-46-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-44-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-42-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-40-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-38-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-36-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-34-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-32-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-30-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-28-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-26-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-0-0x000000007477E000-0x000000007477F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/560-22-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-20-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-16-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-14-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-64-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-10-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-8-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-6-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-5-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-129-0x0000000074770000-0x0000000074E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/560-130-0x0000000074770000-0x0000000074E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/560-131-0x000000007477E000-0x000000007477F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/560-132-0x0000000074770000-0x0000000074E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/560-133-0x0000000004710000-0x000000000471E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/560-66-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-1-0x0000000001F10000-0x0000000001F42000-memory.dmp

    Filesize

    200KB

    Download

  • memory/560-2-0x0000000002030000-0x0000000002062000-memory.dmp

    Filesize

    200KB

    Download

  • memory/560-68-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-3-0x0000000074770000-0x0000000074E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/560-4-0x0000000074770000-0x0000000074E5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/560-18-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/560-56-0x0000000002030000-0x000000000205B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3064-636-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-635-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-622-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3064-283-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-232-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3064-141-0x0000000000870000-0x000000000087C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3064-140-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

    Filesize

    4KB

    Download