Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 15:39
Static task
static1
Behavioral task
behavioral1
Sample
win.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
win.exe
Resource
win10v2004-20241007-en
General
-
Target
win.exe
-
Size
161KB
-
MD5
d18ef5a6c2bd443864132e5c7feb0c2f
-
SHA1
4a34764809f4a95d87e98abb834721be41060a6b
-
SHA256
02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461
-
SHA512
dd1b3cee1145ef4332ef8c217f3d4cb3b7e74ac7a3033a467b6553e00a918940ff6c4db4c61ebd2686bc0d2424e9f2b0a207937e9b0a5b642c26a13e6a056dec
-
SSDEEP
3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvGaEkZSc5:bYjHiqrrT1WUc5
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\INC-README.html
https://twitter.com/hashtag/incransom?f=live</span>
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (363) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
win.exedescription ioc process File opened (read-only) \??\F: win.exe File opened (read-only) \??\A: win.exe File opened (read-only) \??\G: win.exe File opened (read-only) \??\H: win.exe File opened (read-only) \??\N: win.exe File opened (read-only) \??\O: win.exe File opened (read-only) \??\U: win.exe File opened (read-only) \??\K: win.exe File opened (read-only) \??\L: win.exe File opened (read-only) \??\W: win.exe File opened (read-only) \??\E: win.exe File opened (read-only) \??\I: win.exe File opened (read-only) \??\J: win.exe File opened (read-only) \??\P: win.exe File opened (read-only) \??\Q: win.exe File opened (read-only) \??\R: win.exe File opened (read-only) \??\X: win.exe File opened (read-only) \??\B: win.exe File opened (read-only) \??\M: win.exe File opened (read-only) \??\S: win.exe File opened (read-only) \??\T: win.exe File opened (read-only) \??\V: win.exe File opened (read-only) \??\Y: win.exe File opened (read-only) \??\Z: win.exe -
Drops file in System32 directory 1 IoCs
Processes:
win.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\00002.SPL win.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
win.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
win.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
win.exedescription pid process Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe Token: SeTakeOwnershipPrivilege 1720 win.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5fe75098393bf7204cb97b2efdc2b3125
SHA1dd77bc4c4cf68ed563eb2c9858aecd5a6b7361e9
SHA256cbae2cba2f77cddee022999f1b1c7932999eb8695201aa8c6655d2752af89aae
SHA512cee45654469f9c375f408ebfa68162fded19ef7254da57f0970da6e4c3cc771dfa89fdb28a4d26a98b7823810459761aeb0dbf0811bee0860f3404d3e23f61a9
-
Filesize
3KB
MD58cd444fe4738cd48735de6d254de4080
SHA101ee9698aca64c48ececaaf843783ab1fe756ccc
SHA256b0a13a45d517990ebf23ce1f8b947abe96da6a643274df8c8a038c7b95c624ec
SHA51236de1a2aabb67bb5631f16ddc4a1e6dc8d59897139874228520dac56ad24a1be6be35a80da2fd4d4720069a2883658be31138ee3cd83b39f6129c921778c3d4f