Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 11:21
Static task
static1
Behavioral task
behavioral1
Sample
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe
Resource
win10v2004-20241007-en
General
-
Target
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe
-
Size
161KB
-
MD5
d1dcd52a3679608250fee82e27051cbb
-
SHA1
c4cd0bdbf16c8eb471565f5adf20af7d5408d9b1
-
SHA256
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7
-
SHA512
c7bd37dfd86d20800cec05f8b1f9b50017afc51dd3cb8f445a6109b227648a9d2673b442a3a6971eebdaf355c09e848913aa3445e27ef44251ec0fb7d303db87
-
SSDEEP
3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvRaEkZSc5:bYjHiqrrT6WUc5
Malware Config
Extracted
F:\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Extracted
F:\INC-README.html
https://twitter.com/hashtag/incransom?f=live</span>
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (302) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exedescription ioc process File opened (read-only) \??\A: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\I: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\N: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\S: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\U: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\Y: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\H: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\K: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\P: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\R: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\T: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\W: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\X: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\E: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\L: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\O: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\Q: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\V: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\Z: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\F: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\B: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\G: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\J: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File opened (read-only) \??\M: 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe -
Drops file in System32 directory 3 IoCs
Processes:
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exeprintfilterpipelinesvc.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\00002.SPL 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File created C:\Windows\system32\spool\PRINTERS\00003.SPL 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe File created C:\Windows\system32\spool\PRINTERS\PPejvv43xg0prt1wkk51g894qxc.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ONENOTE.EXEpid process 5428 ONENOTE.EXE 5428 ONENOTE.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exedescription pid process Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe Token: SeTakeOwnershipPrivilege 676 63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid process 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE 5428 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
printfilterpipelinesvc.exedescription pid process target process PID 5228 wrote to memory of 5428 5228 printfilterpipelinesvc.exe ONENOTE.EXE PID 5228 wrote to memory of 5428 5228 printfilterpipelinesvc.exe ONENOTE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe"C:\Users\Admin\AppData\Local\Temp\63c0a44479dc9f91647a9c10caba43fa73709a88540a2493fd68031905036ef7.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:6100
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5228 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D6E3B15B-8DB1-4BBB-9855-06FFEF667D07}.xps" 1337657528663400002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5428
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
MD5fcd6bcb56c1689fcef28b57c22475bad
SHA11adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA51273e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
Filesize
4KB
MD5626318cd4d03ecf11a9ee331cd1a57d9
SHA1012bc0ea3a09e0b1937637d6f4f6ddd2324ff79e
SHA25666efc2e43e81d36c6e29152162e63dc56e7bc58a9d05a3ca3777393536cbf4bd
SHA512647413aa2fdba4263e766ce5cb064ecd978212bcd67fe59b2e4ebce0c64ebbcc70298f12977e6dbc222dc4c66902b8fa89c7f46f425f1385f67b80347e02a665
-
Filesize
8KB
MD51ea3bdba3f83c671f92362f973347221
SHA1b7c2cd689a22338712aa8c01aa646c4ff62ce9c2
SHA25624d7784a22514777040b49e02788b34c4940687804f352e993c866a7f44d11e1
SHA5129c015710810745ec107eb92a09013391606530f583dc7abfbbb475d0e2eede07b698211bc80bde6a714ff420a7f3cf607297463f35b82462eb7f19a946721765
-
Filesize
3KB
MD591f117a2d49ad8601f8c1f71f0b430af
SHA1064a0c20827c2e1d579f2e9caff346911d14e0ac
SHA25657f39b9fb0fcf51661a7f3fbb4de2f004280414d811a69a7a6aacd3972ce0f49
SHA512b3c094cdbf5c607f5dfda05447be30b86d6cc844f37da4a9e556634794278c9d990be1115c6288782b6767029bb5f2d30102fdade60a5c4d116664a491bac712