Analysis
-
max time kernel
148s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 15:39
Static task
static1
Behavioral task
behavioral1
Sample
win.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
win.exe
Resource
win10v2004-20241007-en
General
-
Target
win.exe
-
Size
161KB
-
MD5
e402c9df4aab1d1cff83ec8ba11a4bc7
-
SHA1
9b7e46195d23b5efcd9f176c278e7a873138f6f5
-
SHA256
7f104a3dfda3a7fbdd9b910d00b0169328c5d2facc10dc17b4378612ffa82d51
-
SHA512
86f0ecb80a8655f9e4d297ae0eb04644a61b2de210d0ceccd2dbf2498ce68e603f3e659621175785f533ac66d798cf6d947669cc5302c32898999f1241a42295
-
SSDEEP
3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvnaEkZSc5:bYjHiqrrTwWUc5
Malware Config
Extracted
F:\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Extracted
F:\INC-README.html
https://twitter.com/hashtag/incransom?f=live</span>
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (291) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
win.exedescription ioc process File opened (read-only) \??\B: win.exe File opened (read-only) \??\G: win.exe File opened (read-only) \??\N: win.exe File opened (read-only) \??\S: win.exe File opened (read-only) \??\V: win.exe File opened (read-only) \??\W: win.exe File opened (read-only) \??\Z: win.exe File opened (read-only) \??\A: win.exe File opened (read-only) \??\H: win.exe File opened (read-only) \??\K: win.exe File opened (read-only) \??\P: win.exe File opened (read-only) \??\Q: win.exe File opened (read-only) \??\F: win.exe File opened (read-only) \??\I: win.exe File opened (read-only) \??\L: win.exe File opened (read-only) \??\R: win.exe File opened (read-only) \??\U: win.exe File opened (read-only) \??\E: win.exe File opened (read-only) \??\J: win.exe File opened (read-only) \??\M: win.exe File opened (read-only) \??\O: win.exe File opened (read-only) \??\T: win.exe File opened (read-only) \??\X: win.exe File opened (read-only) \??\Y: win.exe -
Drops file in System32 directory 3 IoCs
Processes:
win.exeprintfilterpipelinesvc.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\00002.SPL win.exe File created C:\Windows\system32\spool\PRINTERS\00003.SPL win.exe File created C:\Windows\system32\spool\PRINTERS\PPed9f5_rab3dq9tcizt2iugiwc.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
win.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
win.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ONENOTE.EXEpid process 6052 ONENOTE.EXE 6052 ONENOTE.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
win.exedescription pid process Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe Token: SeTakeOwnershipPrivilege 4668 win.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid process 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE 6052 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
printfilterpipelinesvc.exedescription pid process target process PID 6092 wrote to memory of 6052 6092 printfilterpipelinesvc.exe ONENOTE.EXE PID 6092 wrote to memory of 6052 6092 printfilterpipelinesvc.exe ONENOTE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\win.exe"C:\Users\Admin\AppData\Local\Temp\win.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:5888
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:6092 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3C0028EC-B914-462A-A3C1-79F71F5BDB2B}.xps" 1337659077021000002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6052
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
MD5fcd6bcb56c1689fcef28b57c22475bad
SHA11adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA51273e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
Filesize
4KB
MD5faf33246e4b7e249be099284ae6a7131
SHA16deb62ee884c392e8afc36e4c55d1bf7d8ad6d64
SHA256e2928a0cfd086923584b268b728cea39302e54bcd7b804b4f017099b3034ac82
SHA512d4b4a2789107876b0e57cbd29997db78111045c4e71d7dd10eea4460d21814c27536789b545db30e8a82d6665e435761418020fbf887ee00fbfcfab723f7a3af
-
Filesize
4KB
MD5345b4d2debfd8dce3166e3910ffb6e6d
SHA1e1354ac052160398cae0ba471eed65f2d426adcf
SHA25688ac9fdb562c0897bcf959f05c95cfd38dfe7885a88351bf7756d617333a1543
SHA5123c7fb1f882de93abb0b418a73e847685ea5c550e26399c44a86ddd28b30afe980a9de1010ae1b3c636fcc5a358ec30c9a00edd9174cafeb229b0e8c60b6216bb
-
Filesize
8KB
MD54096dbdbbff573fdf472e3c6d70c1daf
SHA1e70f1260b7e1b8eca895cb96ba7410061f94c92c
SHA2564d256d894148797dd3f60f1f73cdc08a25b61e93735e86ffab23ed3c3e151263
SHA512e76bd7be11d6f5085f48052df10591b3ccc49521360acdde0c46f10f3affffeebdbfb98af6021f34eb55457c841face34302511d9604c69c75f865ed620f7285
-
Filesize
3KB
MD5622ffd191512c6f11b45ee104564af47
SHA13b69fd2d7eca66b77dce132c6aa87088434f1024
SHA256d7dd8f79b36aedfe2d0be9f6e95d094d7e71aaba33c09ee914df8b438fc080d2
SHA5122bc5d84d1fe5585407bb3d55643364aaf670737813d182e63a880454a4806dcc01ba70c994a6cc40c5fb50f8d4ab29775d5302b954e50893bdfa452208f0996d