fantom

General

Target

https://hypeddit.com/extremest/extremestdeadlyvirus
Sample

240920-dza5nawgnq

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: fVrkW2lpC9LtwpBRjn5tdM9fD28FHyWWt2JXzIE7TwingvHJnaIkuKxRDzVRbGV1dvtMAIYU9aWtRLl9umqrxRm4+ePVQkQ8IN/0uNKVsDQQj3GP4EJifMJnrX0pwUiey+2xGmx54/k75j9lznsdC+YNPfiL60nl5WYjenNhBgQKUGHwemCFkealWkXLzx/077SFx6fXe7BVDmv31T9fFIeGNDK6c4nxZoWYv/MR95/2g9/2HdJtcW8IKnvE15FpLrHGgYWp2Qa6xBWuQEtzg4o9EV/+c8kibJgdrdHLKDnLt5Q1bUEZA7/x6M8wqBZT9nEYQLK+jdMwBr6DcAqkag==ZW4tVVM=

Emails

[email protected]

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ink\fr-CA\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>HDajpO8wNyzTEPVNNnoDUozdwndSg8YOaT5x99Xxvtzi6RM3vrPPRV7z7WNewisfm+7t5t8SXC+YZBEyVyVI3+ptf4CWFZ8erjTnENJv8rCWDsQtyJcyhXclsG7PtvLBRYT/nQ1M1uqLN5vfpJXOdT8FOHuz6/bs0YpyKFfkk0vVWcOINB1hrtB+UehnhDO5b4xiVYXaOD4nh73rWC6odbt+sUoO2vbXukf6TeC3TLJDCwPutWc7enXFuo3q34pNul0tYn03g4CByeZu9RSaIV2z0/zKwTCXtIsO37tLJKupAJSUjCl+g0db75MDg4jCFETxZBEACQnTz85L38uI0g==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Targets

- Target
  
  https://hypeddit.com/extremest/extremestdeadlyvirus
Score

10^/10

fantom defense_evasion discovery evasion lateral_movement persistence privilege_escalation ransomware
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Renames multiple (616) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Password Policy Discovery
  Attempt to access detailed information about the password policy used within an enterprise network.
  discovery
- Hide Artifacts: Hidden Users
  defense_evasion
behavioral1