Analysis
-
max time kernel
140s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-01-2025 03:35
Static task
static1
Behavioral task
behavioral1
Sample
NoMoreRansom.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
NoMoreRansom.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
NoMoreRansom.exe
Resource
win11-20241007-en
General
-
Target
NoMoreRansom.exe
-
Size
1.4MB
-
MD5
63210f8f1dde6c40a7f3643ccf0ff313
-
SHA1
57edd72391d710d71bead504d44389d0462ccec9
-
SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
-
SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
SSDEEP
12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK
Malware Config
Signatures
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" NoMoreRansom.exe -
resource yara_rule behavioral1/memory/4884-1-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-2-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-4-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-6-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-3-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-9-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-10-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-11-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-12-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-13-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-14-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-17-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-18-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-19-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-20-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-21-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-22-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-23-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-24-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/4884-25-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NoMoreRansom.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4884 NoMoreRansom.exe 4884 NoMoreRansom.exe 4884 NoMoreRansom.exe 4884 NoMoreRansom.exe