9ccba9179e1e36fc5571738fb046617955e9d145116b2aa028e335e5d7153b99

General

Target

Cincoo.exe
Size

423KB
MD5

7976be9650ff52c6d9900a10999b1aa3
SHA1

fe28575b83718ac91e2e4dea643d0e897ef80b59
SHA256

9ccba9179e1e36fc5571738fb046617955e9d145116b2aa028e335e5d7153b99
SHA512

b9eb73fa9a32d23329dca575359ef1ecb896cd41cff92272ded1de9c7983eecfb263675d2aee54fad9acaec31436df10b5d598d90e5a07c60680a003ab108b55

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Cincoo.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ReadOpen.png_enc	Cincoo.exe
File created	C:\Users\Admin\Pictures\RepairEdit.tif_enc	Cincoo.exe
File created	C:\Users\Admin\Pictures\SkipBlock.tiff_enc	Cincoo.exe

Drops startup file 2 IoCs

Processes:

Cincoo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini_enc	Cincoo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt	Cincoo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

Cincoo.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\THMBNAIL.PNG_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\README.txt	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS_enc	Cincoo.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar_enc	Cincoo.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js_enc	Cincoo.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF_enc	Cincoo.exe
File created	C:\Program Files\7-Zip\Lang\az.txt_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099205.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\Maple.gif_enc	Cincoo.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF_enc	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png_enc	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\UmOutlookStrings.dll_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll_enc	Cincoo.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml_enc	Cincoo.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll_enc	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png_enc	Cincoo.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152690.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd_enc	Cincoo.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi_enc	Cincoo.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPDSINTL.DLL_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\README.txt	Cincoo.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.INF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PIXEL.INF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp_enc	Cincoo.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\README.txt	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\README.txt	Cincoo.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\README.txt	Cincoo.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll_enc	Cincoo.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\README.txt	Cincoo.exe
File created	C:\Program Files\7-Zip\7-zip.chm_enc	Cincoo.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML_enc	Cincoo.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1916 NOTEPAD.EXE

pid	process
1916	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Cincoo.exe
"C:\Users\Admin\AppData\Local\Temp\Cincoo.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
PID:812

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1916

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\README.txt
MD5
b8ece6bef34abe9feabb67e36b651a09

SHA1
5413c77856af4bb7e66f8a414e2aa96bc371abb1

SHA256
9f80c38a442feaf5a8bae62ec50caedf52fc818446e675d8fcc9b458b54e3785

SHA512
3c6f02ac2b7ba602511dc5ba5886da4dbb4db4e2a2942eafc3f24c4c596cddfb78ef812e52ee306f8b76b7b9977707df99de3b5b1a9c93ca0b461642ecefee1f

Download Submit
memory/268-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads