Analysis
-
max time kernel
148s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-11-2024 11:22
Static task
static1
Behavioral task
behavioral1
Sample
a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
Resource
win10v2004-20241007-en
General
-
Target
a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
-
Size
161KB
-
MD5
c58fff066a855f59e77780d926cbe727
-
SHA1
201c3f3d7339346b8554558f2252b6ba895c8f89
-
SHA256
a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a
-
SHA512
0daba8618e7afa1485ea4b655565d7ea814cd192327807d54254b7e67ad93113a2d281914153bdfebe0a005177a4300fb4c1545b0fd643cd49107aee4074cb92
-
SSDEEP
3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvgaEkZSc5:bYjHiqrrT/WUc5
Malware Config
Extracted
C:\ProgramData\Adobe\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Extracted
C:\ProgramData\Adobe\INC-README.html
https://twitter.com/hashtag/incransom?f=live
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\W: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\A: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\K: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\O: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\R: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\U: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\X: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\Z: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\F: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\L: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\N: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\Q: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\T: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\B: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\G: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\H: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\I: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\S: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\E: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\J: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\M: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\P: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File opened (read-only) | \??\Y: | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\PPb4qv9nysvjsmzqmkn0opytp0.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3412 | ONENOTE.EXE (2 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3064 | a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe (64 identical entries, one per IoC)
-
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
3412 | ONENOTE.EXE (13 identical entries)
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 5324 wrote to memory of 3412 | 5324 | printfilterpipelinesvc.exe | 93
PID 5324 wrote to memory of 3412 | 5324 | printfilterpipelinesvc.exe | 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID:5136
-
C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5324
  -
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (child of printfilterpipelinesvc.exe)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{1D540B3A-A3C6-4A13-BA48-5FA7307DCCCE}.xps" 133765753498980000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3412
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 8KB
MD5 6693cc0ae44733a41afbce4e9bc3a77f
SHA1 28bf2f9b7fcc458d88e14c3a14fc5365031d59d6
SHA256 01c2801f9e62aafdb0961f01b169ffa20755f50a9f5faa1a042c325540b1e849
SHA512 b24583c77f14e5674535fca556c7cfc833473bdae1e3d7c5c98d3650063a45f5765aac95823bdeb69a5157167a82a7334ede38609c743885625f3eb731d6b70c
-
Filesize 3KB
MD5 84ff254aa61432ce17f99bca481d7036
SHA1 07bce877cda84b42ccd0702e6a8c2009f2b42ba2
SHA256 890f0867556f6aa6738e913d226f9f752f06a935ac60ea2709effc82135ed367
SHA512 c3ebe187f39f9b61e616c934d08c6a0c5d7127d0798354adbfac8c37959a745129e6a28414edb2c6f6fe4faaf6c45caa2c8be2bdf6da147da04498d711debe9d
-
Filesize 64KB
MD5 fcd6bcb56c1689fcef28b57c22475bad
SHA1 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256 de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
Filesize 4KB
MD5 cebf014b56726a50ad84368516e35119
SHA1 2271e861075add32b1200c7147b009bf67d62376
SHA256 0c814f04e764052a04149a566f3439bbe7fb99599632eb9944f5362b65b0d2be
SHA512 3b74fbac8e7f7a0652933e2a67ddedb9b541d2baa8973b065467a863553b6309b40679469b84b58ca816bac58c2cb56df2fb235ece790c28055cdd4dbf4f6e21