General
-
Target
https://github.com/enginestein/Virus-Collection/blob/main/Windows/Binaries/Ransomware/NoMoreRansom.exe
-
Sample
240823-afzgcsxejm
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>CrU6bqziXcEGQ7BRu8sz1Qr4j63zE+xHKa22vxCQ1CLkC8HZwelt06i6VlFwEbbXcfpZRaj/aQbNko5KV4+zu1AjbOShR04ynmwzPj4rjDFE4UHCTxMLt2ZVO78M7/zoip2hat8tQyHHiYxFFBIbrPgD8AlexdWu5B0wwVJhGKeigjF61CT4sWQn85phpZKD5C1a/zttvZCeRR8ZXiuv8tffrPqRcQTUWTo5PKWz5Onl3+G+rHBR8Mq6koaGSye8c6mj6egHTEVaKcjnT30t5gyqNOCyQ5L2ragJOJL+0CsoRVmnch4yGwWnTqzTSvMAV/ro/dcLTugAeuaHdU4G1Q==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>SZaPeZUkIlxKise/OPyjKFh+X1pjs+sOVvol1LBuZImWMj/Zd3GzWHhdaX6y7FAGcMVKTEyMu1+bKEQK3vVJu9Jx8RWAhh1ug7qMDIpwp0jV2rhWmHp15Q6EjddaP6LH51RWCPxC6PyT2815EaVYA86irUWXyvU8vQV81IcuI0WI5ejdxRCORDDBE9kiyJeu2kSjSGvW9ETmqLbAHQ2woGvX/drEw/DtbOyRqQUj28QJ9pZ+mHywceVPZoC83FXtLW/JvSXdiJMT0FM0hGRP/H9dKTNCQdi84xi9ruUMP4OtkFD2i5ODhvKgh8WITniQ8ED/M0dI+Zf39IaSguksZA==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>IJlhF2hzoTZL9sO0GAm9OWXyA1oZALrK2roT6vm89Fm3hIdrtgMY/VMheozw8CKdpnHXOMfUr6pG4PpxuD2RBojz9i3quPQEnQ8rsbQ7JFMJQbFKvgyby9m1J5ILpnJG4K8PqTDDgHuh0NojxoW2KX1aRXzqDVCpYB7fsc+Nge6gwwFlffdbjB2fbgn9dDLJdbrZ/x1VGpE9Pr+ZqDU7AkNWgCRqOjG/1V8imlluZrpjdWr8DBEn7HClQ16zzYjCDkRK5lhnROpDm5Ru5/fgSx1+XEFyyKBSjfDM1HwrqqLpCiMSw3Tyt8iEx2ZysUIHfyBehDupN+2MbSSHk5Sfbg==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>R+JaHdrHwMG3jsdTbgug8q3fPHUyT35z05ZkDmECUZggCut1MxXkWe6UQQWNkvpoEXnzQodz4894syEUbFzuhBF59B74qYWXT5nNSrCkBD1OL8iOD9/vwkrAbBr+yKOQoxb6p2WMeeioJsTx0F8rnCwIeQOegGpapNsrWDoMgdqQ8Cao7WlHJ4uWdFYiPjv1k/w9f0UGlhuu4UzFVk51B+5iE7LkzbiT7+NpGCp0aUo7fD1WzQRFdE/PkqJ3zQHdSpTqUYm7s1hWdHm4BlPfvnitE4MRK8p2Xn7ciTIABsKKTrimoc8OjGykavab+w39jaPS9tzslcoJQ0zJ7ebuuw==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>jrReGKADLdVu/YGm1Yw+jifEtlS1Suvo483jJQc6DfSdJXqmIY9g469b/JoQL/a+4WygRVC3ePgPtP7xgn1YxRJvtDXWUdDHc7LhJ12/zXeXa6xOhVOZS+7e0rQejvM66xU+mCWe/LRZ85NiV6D0NGvXPAzkNPb0NzNziSS3GsbmG7vsaYLB2z8CBDNWbTkflAGGAldxU2CwHzmllQF2ji6KMUiXqWVQhQXH2VGPmRPqq34t1ohSrbrGImyyNsE99Ti6S+2WUBUw4GaY1OKkU1M/sZbFCsr+GSnPZBK8X/4pbbm6YkAspss82QVf87QK/+O5g7j7C/sd41ndsvUB1w==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>G8oKiq5qX1XMg6ri43ZAagsPXFuzwHtWZneHcJX7SFtUoNGJrhVpJLh3IkaIgIIhjsSFVsmw+PX8CTXRnfllIVWK/EMgshTgooAtabxJkPz/CjbQsjBY79jr5NOQdSp0LteuONI63mave7DuTYzmdWzkjrXEQ66lqZJ/GULKQ5UqCVGSIo2zt0pIpyvdHRUsJbgXzuEZUUD/gIRS81lktx98Fm8jXLdFkT8l9x21lo+MIWH24c7IckYwDOFH6PUq7QkeV/4NpIAFS11HHx7Z3lwHQmT6JAy+yPfCMsWUyZG6KQZAkdJ0VvR71HnmQT6FqaMecBvWrj9JzyIaNMXpdg==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Extracted
Path
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\DECRYPT_YOUR_FILES.HTML
Ransom Note
<html>
<head>
<style>
body{
background-color: #3366CC;
}
h1 {
background-color: RGB(249, 201, 16);
}
p {
background-color: maroon;
color: white;
}
</style>
</head>
<body>
<center>
<h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
<p>
Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
Getting a decryption of your files is - SIMPLY task.</br></br>
That all what you need:</br>
1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br>
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
3. Pay our services. </br>
4. GET software with passwords for decrypt you files.</br>
5. Make measures to prevent this type situations again.</br></br>
IMPORTANT(1)</br>
Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
IMPORTANT(2) </br>
We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
</p>
<p> Your ID_KEY: <br>
</p>
<table width="1024" border="0">
<tbody>
<tr>
<td><p>BznGsZleBybtIJECFT166o4eWr4AZcudD78lC7pDOK0LQgpwDxPXGqMz4IQ+lAyNMdlyi0U3RmPmjXP6v1B8INDZbq3XUrw+SjvORayQ2DW9uCoiWBHzpzNQyyWMYpvLFDIr1jNuK50JL3gxXEA5kGpY/wA49eYN25utCCVigU3RSMMQrjXIMpj5fRT+a7jVafSd6z/rzcJDJnL0aYG9C94ibDwE9qU0fxkS5vMuQT6Av3lUGCekTYVRmGllyjxL6agrdUQiHzyfzHHhu6UTZNR+gXWsqybuKvnv0IiD8qHo/OK3ePCo6yZbga7KuGRAlAtkVB44Fqrs4O49lZLfRg==ZW4tVVM=</p></td>
</tr>
</tbody>
</table>
</center></html></body>
Targets
-
-
Target
https://github.com/enginestein/Virus-Collection/blob/main/Windows/Binaries/Ransomware/NoMoreRansom.exe
Score10/10-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Modifies visibility of file extensions in Explorer
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
UAC bypass
-
Renames multiple (1024) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Pre-OS Boot
1Bootkit
1