Overview

overview

10

Static

static

3

05e4f234a0...a9.exe

windows7-x64

10

05e4f234a0...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 11:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

  • Size

    142KB

  • MD5

    9adde343f1b073cd9bbb22c33d31ec4a

  • SHA1

    913b9b095c37f2e17f472b8df92224560f60773e

  • SHA256

    05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9

  • SHA512

    99c5f1ea0e3c0c76c9d01e66aa235e33c1ab44f8792b1c4dbd61cd3fcc7e6fe03660dedaf1b8f1f83411be389f4f35caf241c9e4452c3bd4fb240e22ffad3bbc

  • SSDEEP

    3072:dW+oVroeQqaWrBLv+KuzxLO6qdJs4knXwehzNHF60N:FoqfqBHOZOjkBJdN

Score
10/10
inc_ransomcredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\INC-README.txt

Family

inc_ransom

Ransom Note
Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: 537E2FFA6B0624E6 We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.
URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Signatures

  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

    ransomwareinc_ransom
  • Inc_ransom family
    inc_ransom
  • Renames multiple (320) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
    "C:\Users\Admin\AppData\Local\Temp\05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:3152
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5312
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5640
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7B3B88D3-A4D2-480A-9E1E-497784FAF565}.xps" 133765755321510000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Adobe\INC-README.html
      Filesize

      1KB

      MD5

      0640fafac8235fe530fc42dd317edd42

      SHA1

      f861c9e32901257f02cc41198321cdeb69fc319c

      SHA256

      f61cac9032dbe99e80498bf21c354abedd2798f165a14727b14d8da1704f46a4

      SHA512

      730be1a0d64ce46bdf3f01c20ab22f30d27c5042733338a30ee015acc7181b93d9ce44c87c2c4dd386f775f922a2ece841ef4afe01bdae7a84e2690859f9c262

      Download Submit

    • C:\ProgramData\Adobe\INC-README.txt
      Filesize

      1KB

      MD5

      fd8c238a1d73369fe56c62f384b40a79

      SHA1

      b9cda829afb4b8543058e4b7e157aa87491a2dfc

      SHA256

      8c106e05f74d11f853c8ace91e83945513514487a37ad8f8d194bfd1b719f4c0

      SHA512

      8c17f6c959aa9f1276d1043d46612274dc7d5ee9ff997aecfbdb3cfa10823a354593c16794dc7ddc1d0932f65909e6fd0b68aa7dd595e0e828c0a92f68bfa3d3

      Download Submit

    • C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs
      Filesize

      64KB

      MD5

      fcd6bcb56c1689fcef28b57c22475bad

      SHA1

      1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

      SHA256

      de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

      SHA512

      73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

      Download Submit

    • memory/1372-1511-0x00007FF834450000-0x00007FF834460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1372-1513-0x00007FF834450000-0x00007FF834460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1372-1512-0x00007FF834450000-0x00007FF834460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1372-1514-0x00007FF834450000-0x00007FF834460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1372-1515-0x00007FF834450000-0x00007FF834460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1372-1516-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1372-1517-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

      Filesize

      64KB

      Download