General

  • Target

    NoMoreRansom.exe

  • Size

    1.4MB

  • Sample

    240827-fd8vxavgkp

  • MD5

    63210f8f1dde6c40a7f3643ccf0ff313

  • SHA1

    57edd72391d710d71bead504d44389d0462ccec9

  • SHA256

    2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

  • SHA512

    87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

  • SSDEEP

    12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Malware Config

Targets

    • Target

      NoMoreRansom.exe

    • Size

      1.4MB

    • MD5

      63210f8f1dde6c40a7f3643ccf0ff313

    • SHA1

      57edd72391d710d71bead504d44389d0462ccec9

    • SHA256

      2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

    • SHA512

      87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

    • SSDEEP

      12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (439) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks