Overview

overview

10

Static

static

3

Fantom.exe

windows7-x64

10

Fantom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    03-08-2024 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fantom.exe

  • Size

    261KB

  • MD5

    7d80230df68ccba871815d68f016c282

  • SHA1

    e10874c6108a26ceedfc84f50881824462b5b6b6

  • SHA256

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

  • SHA512

    64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

  • SSDEEP

    3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi

Score
10/10
fantomdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>IpGUWjrYoD6TvA1sfGgzd8xWFTRcoDnKKA1OQrYf/lgJfSfwni9joeWonPqTvhacAB/7Oi3OhwEh7iyttopp/S2UBAwQ/kqHOTK/RVFKfz5AUkcBH+lF6O3ql8RacZ9TtgHNs2pJuzOtEG1A0XsIxlh2PXNv29I1BTpQ/Xsp6kTT76rjrmsTHxPcHxnEHZyul5oQSnmFg05B1zES0Ns0l7A9MPzfiUubU5x4zM9P3PMtxLt2OQHpJcdS+r3O/4xfrza/lsRVZN5CYce1Y+I9aS5jpfBQ5SJd66POaXCEikMuRs48txczyCd52mEddkhxQvyy96UIR087GIx/YiX5xA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Signatures

  • Fantom

    Ransomware which hides encryption process behind fake Windows Update screen.

    ransomwarefantom
  • Renames multiple (1450) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      PID:428
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
    Filesize

    1KB

    MD5

    19698850d302b96b284d2dc8f03a4bdc

    SHA1

    d944c14ab7cb64e7ea700406de8bd94473d79d32

    SHA256

    9790c4b9827f9308c1d45c4c7d95ca8b24fc630a3f184de4a8e55426124eb913

    SHA512

    37c2e19ba2a9fcf8801d58af262780dd9f6632eaf9405e0a40a4a2a4cde61d09b38842add3650d0b2422f8177cfd7390fbf69fbce032e7f75fbb2950df968537

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize

    160B

    MD5

    87da56637c3bffe4955e0a704c940a8f

    SHA1

    17d281f571ec4f54ba9926cacd65d913e914c801

    SHA256

    043e26d1b195cf71a445c0833a63eb733562cc6c574145b05efd0ffff93b1f60

    SHA512

    33a20bdf9b2d0dc13650e091b7c3a01f8bf5f1a29046fbe0b7d6cf35a0c3c738bd415d6febc924a7003e0e540b1ec9703bfd04f375d882a8e7fe0993a08a73bb

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    12KB

    MD5

    89eeb4fa2a2ad70892f66cc116725761

    SHA1

    0e910c497a6055c2cbcdba881d41288bdcf55b3e

    SHA256

    778211ac93f6fdff379f0ff5b9048ff6203a42721bb4b58808963eb150620428

    SHA512

    0a21d1c3602c5c7f772b7bd80124fdbe10e81c1a0c50dc1ccfca1b84d4af8667366e0870646737d70ac5b07fe0396488f853514d71a9eceee8a1d9a80a736342

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    8KB

    MD5

    87414338adf58d9385107f4e1dea0420

    SHA1

    8d4c158890095d42487572a9b8c6e7222984a8cc

    SHA256

    1a2fe2438c99f3335f79ca8def99167847453e4e090f78c093d2fda7afead3e8

    SHA512

    61690a4faf98274dd2f3945acbf5216b472aca20c4cf05ffb1d3ddef492c8f59057ab9bf62e97c1120864a3c1aa303fea48495ae7f1411ead44673cb0e37eb56

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize

    11KB

    MD5

    3cde1264ffdba18d9026c32457a579b2

    SHA1

    2ead64f1d4d46968473b81a6499bd51a05094a23

    SHA256

    0e54fd6357a5026f045632b80d9a461c8181182f1ae147fd0e9f908d2b8bea4b

    SHA512

    e0c15952dd8a76f8d81dd62d9c740f95efda0075ef35b9c07f5a42716ecb3502e781ded9d97407db8cf6398b9f09261a25c6e2237a766791fd8e5e6a243c8e08

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    4409d874e7b7408bdf5d79f3e9ad1f82

    SHA1

    da664c55d3ad738a486cb9d89b6f4badb99ac86c

    SHA256

    9801107ea5b18a0794536f341732fe38aa99672ad208bfd66238b1c4a4862521

    SHA512

    fbc5d7bdbdceaa2fcb0126efc61b60b8ae63dbf22e6a9ddf3573287576af7f470d94fcb2bc1c34b520067f3117abb1c46dd37a14dcbd6cba795ea0da1010efd4

    Download Submit

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize

    172KB

    MD5

    94ee7ccd30c12be3b05927b6f1aa688f

    SHA1

    1a5395c01b9c7ffccfb73a60780671795f075518

    SHA256

    a329e0c9138c3de550f2babb7ce9ba6fd67e827a954e1b7f4bc4a86d11b7aa62

    SHA512

    3d32b1d6a9327ec00471153533a9be67d2b6fbed4f54a9ae2e315a07aaecfd0c2917614eaaf7241a3388d620e77b6c2a18b5c4a2f2e9f0031e02d3a81ef2fb07

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    Filesize

    21KB

    MD5

    fec89e9d2784b4c015fed6f5ae558e08

    SHA1

    581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

    SHA256

    489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

    SHA512

    e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

    Download Submit

  • memory/428-143-0x0000000000800000-0x000000000080C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2148-56-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-42-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-5-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-8-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-16-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-14-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-12-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-10-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-50-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-38-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-18-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-20-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-22-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-68-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-66-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-64-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-62-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-60-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-58-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-6-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-54-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-52-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-48-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-46-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-44-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-26-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-40-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-36-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-34-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-32-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-30-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-28-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-24-0x0000000001F30000-0x0000000001F5B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-129-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2148-130-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2148-131-0x000000007419E000-0x000000007419F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2148-132-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2148-136-0x0000000004DE0000-0x0000000004DEE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2148-0-0x000000007419E000-0x000000007419F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2148-1-0x0000000001F00000-0x0000000001F32000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2148-2-0x0000000001F30000-0x0000000001F62000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2148-4-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2148-3-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2960-135-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2960-134-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2960-133-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2960-272-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2960-3411-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2960-3418-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download