9ccba9179e1e36fc5571738fb046617955e9d145116b2aa028e335e5d7153b99

Analysis

max time kernel
196s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
27/12/2021, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cincoo.exe
Size

423KB
MD5

7976be9650ff52c6d9900a10999b1aa3
SHA1

fe28575b83718ac91e2e4dea643d0e897ef80b59
SHA256

9ccba9179e1e36fc5571738fb046617955e9d145116b2aa028e335e5d7153b99
SHA512

b9eb73fa9a32d23329dca575359ef1ecb896cd41cff92272ded1de9c7983eecfb263675d2aee54fad9acaec31436df10b5d598d90e5a07c60680a003ab108b55

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ReadOpen.png_enc	Cincoo.exe
File created	C:\Users\Admin\Pictures\RepairEdit.tif_enc	Cincoo.exe
File created	C:\Users\Admin\Pictures\SkipBlock.tiff_enc	Cincoo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini_enc	Cincoo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt	Cincoo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\THMBNAIL.PNG_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\README.txt	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS_enc	Cincoo.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar_enc	Cincoo.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js_enc	Cincoo.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF_enc	Cincoo.exe
File created	C:\Program Files\7-Zip\Lang\az.txt_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099205.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\Maple.gif_enc	Cincoo.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF_enc	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png_enc	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\UmOutlookStrings.dll_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll_enc	Cincoo.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml_enc	Cincoo.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll_enc	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png_enc	Cincoo.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152690.WMF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd_enc	Cincoo.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi_enc	Cincoo.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPDSINTL.DLL_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\README.txt	Cincoo.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\README.txt	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.INF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PIXEL.INF_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp_enc	Cincoo.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\README.txt	Cincoo.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\README.txt	Cincoo.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\README.txt	Cincoo.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll_enc	Cincoo.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\README.txt	Cincoo.exe
File created	C:\Program Files\7-Zip\7-zip.chm_enc	Cincoo.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif_enc	Cincoo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML_enc	Cincoo.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1916	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Cincoo.exe
"C:\Users\Admin\AppData\Local\Temp\Cincoo.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
PID:812

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download