General

  • Target

    05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

  • Size

    142KB

  • Sample

    241121-chh89sxqdz

  • MD5

    9adde343f1b073cd9bbb22c33d31ec4a

  • SHA1

    913b9b095c37f2e17f472b8df92224560f60773e

  • SHA256

    05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9

  • SHA512

    99c5f1ea0e3c0c76c9d01e66aa235e33c1ab44f8792b1c4dbd61cd3fcc7e6fe03660dedaf1b8f1f83411be389f4f35caf241c9e4452c3bd4fb240e22ffad3bbc

  • SSDEEP

    3072:dW+oVroeQqaWrBLv+KuzxLO6qdJs4knXwehzNHF60N:FoqfqBHOZOjkBJdN

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\INC-README.txt

Family

inc_ransom

Ransom Note
Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: 537E2FFA6B0624E6 We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.
URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Targets

    • Target

      05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

    • Size

      142KB

    • MD5

      9adde343f1b073cd9bbb22c33d31ec4a

    • SHA1

      913b9b095c37f2e17f472b8df92224560f60773e

    • SHA256

      05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9

    • SHA512

      99c5f1ea0e3c0c76c9d01e66aa235e33c1ab44f8792b1c4dbd61cd3fcc7e6fe03660dedaf1b8f1f83411be389f4f35caf241c9e4452c3bd4fb240e22ffad3bbc

    • SSDEEP

      3072:dW+oVroeQqaWrBLv+KuzxLO6qdJs4knXwehzNHF60N:FoqfqBHOZOjkBJdN

    • INC Ransomware

      INC Ransom is a ransomware that emerged in July 2023.

    • Inc_ransom family

    • Renames multiple (356) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks