Overview

overview

10

Static

static

3

Fantom.exe

windows7-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>V3O2YpfTuiRYLLzoQl2LCGpZviK/KFxAb3dskR1Vp5N772cQearzTah1s4fm7+J4V2b0Dbug2EGBfWDCND3HrMOnTHTWVD/ektr1aGqig9O3v+Rb/td9wnf2LwPPmaF8h4qgakbCtjMKVtblK3tbQUytqWRqwV/IbOAZdnfQZglHFOrR/BxAFwYAPh4ojIZF0fuh8+Sic7SBtnt8MnFJB7UAN84zoGADGYZsgSZIw8E44KNJrLQL1xU3RhXC4XXQwn/96c6nPQ80gMSl2FCyE4HSTye8DuvAMHL24/fAXO+cyMV1a/Bgj11ecqHaOGjCuPGzNUVzPVuMWuQtD2p0gg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (950) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:1184
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RevokeUninstall.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1324
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:812

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
        Filesize

        1KB

        MD5

        b9833c58bf7fc3d591e33eb58cf6b73a

        SHA1

        cda3335e7a1d2ceb6f92bff54506d331ccbb6e45

        SHA256

        f89a3b64e24e179e76b0834396078b22793300bb4eaebbd6b0d190ce59ed7815

        SHA512

        928f9b75696e686c46e07de2b030caec407c9441d411bc11ac26c9d803fb65051dad1ec6b048b88ecd06900ece60894085332c7fcd023c411a02f036fff5b469

        Download Submit

      • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
        Filesize

        160B

        MD5

        6c679d9e08a3f88241e555123cc68c29

        SHA1

        5d5035b17a46d5df78004b4a62a5ca9a1e2b8fc9

        SHA256

        78c582db6b82405a65b86efc3f24b195b83d3932e230e1a3a9fdf374d0007ed4

        SHA512

        fe4beb375b131b3671ed4a6b2336d633c583e8611951d4c6b0436e2a74e8a6b6e16a5233aede27acdf9851c649c41ad10b78104ba4dd32f2ddced39d4772437c

        Download Submit

      • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
        Filesize

        12KB

        MD5

        40bb4b89bd10a48c2a87f8c1a5b6e4c3

        SHA1

        2a065e4b0778f95c3de83f848de520bb1531b13b

        SHA256

        e1d960572f46318b5218eadb1badb37c69f11f0ba03f569d9f5a22a4170bf52c

        SHA512

        007e77ad68acd337c8d0143a27085584641b676ad2265d82c3e6b899f8cf0922b7a19f38bf3bcfac24d3a9fe833862342e44fb8d9234f2c29d3f22cc0d0b5953

        Download Submit

      • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
        Filesize

        8KB

        MD5

        30a360e06303434703a27cf9c91cb826

        SHA1

        9acc749336a39ad36e29c0e974eaadc0a5bd5d17

        SHA256

        4eaf97928f321f21f5ba42779104d16dbb29a9a51fbb007ef366ed86393f8dd9

        SHA512

        fa7c1f8857636abcf7487785e4e3cdc102d1a0de666b65cb40058b5279a5ba08f754e31ef6ae1953e07d963c74ac51f1fdfd74260f299e7fbf8c6b57ea1e9b8d

        Download Submit

      • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
        Filesize

        11KB

        MD5

        8d45c551ce5d9b402103d11a501dc176

        SHA1

        c25e9da0d39163cfb851e49a939682490de595a8

        SHA256

        b339c5aaac5e2d0bfa8e9d4ad8ae5d4b4267d8c68b3385732602d6160d448327

        SHA512

        0508d2326075bb982bb9aa3b9294bb635d97f7c3e756e9932e8e0b212f00d833d55ca9cbe2d8f97aa199f40772db079d5e798139f0a24649463738924c57bb19

        Download Submit

      • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        Filesize

        21KB

        MD5

        fec89e9d2784b4c015fed6f5ae558e08

        SHA1

        581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

        SHA256

        489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

        SHA512

        e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

        Download Submit

      • memory/1184-161-0x0000000000B60000-0x0000000000B6C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2052-131-0x000000002FFD1000-0x000000002FFD2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2052-153-0x000000006CECD000-0x000000006CED8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2052-133-0x000000006CECD000-0x000000006CED8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2692-43-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-33-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-6-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-67-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-69-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-51-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-65-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-63-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-61-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-59-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-57-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-55-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-53-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-49-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-47-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-45-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2692-41-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-39-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-37-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-35-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-19-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-29-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-31-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-27-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-25-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-23-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-21-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-17-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-130-0x0000000073EB0000-0x000000007459E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2692-8-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-9-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-151-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2692-152-0x0000000073EB0000-0x000000007459E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2692-11-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-154-0x0000000005020000-0x000000000502E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2692-13-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-15-0x0000000001F70000-0x0000000001F9B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2692-5-0x0000000073EB0000-0x000000007459E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2692-4-0x0000000073EB0000-0x000000007459E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2692-3-0x0000000073EB0000-0x000000007459E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2692-2-0x0000000001F70000-0x0000000001FA2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2692-1-0x00000000005A0000-0x00000000005D2000-memory.dmp

        Filesize

        200KB

        Download