General
Target: https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
Sample: 211116-xd97eafac2
Static task: static1
URLScan task: urlscan1
  Sample: https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
Behavioral task: behavioral1
  Sample: https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
  Resource: win10-en-20211104
Malware Config
Extracted from C:\README1.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README2.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README3.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README4.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README5.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README6.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README7.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README8.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README9.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Extracted from C:\README10.txt:
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Targets
Target: https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Modifies Installed Components in the registry
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application