inc_ransom | 05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9

General

Target

05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
Size

142KB
MD5

9adde343f1b073cd9bbb22c33d31ec4a
SHA1

913b9b095c37f2e17f472b8df92224560f60773e
SHA256

05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9
SHA512

99c5f1ea0e3c0c76c9d01e66aa235e33c1ab44f8792b1c4dbd61cd3fcc7e6fe03660dedaf1b8f1f83411be389f4f35caf241c9e4452c3bd4fb240e22ffad3bbc
SSDEEP

3072:dW+oVroeQqaWrBLv+KuzxLO6qdJs4knXwehzNHF60N:FoqfqBHOZOjkBJdN

Score

10^/10

inc_ransom credential_access discovery ransomware stealer

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note

Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: 537E2FFA6B0624E6 We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.

URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Signatures

INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
ransomware inc_ransom
Inc_ransom family
inc_ransom
Renames multiple (339) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

description	ioc	process
File opened (read-only)	\??\U:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\Y:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\B:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\H:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\I:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\J:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\P:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\S:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\X:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\E:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\G:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\M:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\O:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\T:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\V:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\A:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\K:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\Q:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\R:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\F:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\L:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\N:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\W:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File opened (read-only)	\??\Z:	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

Drops file in System32 directory 16 IoCs

Processes:

05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exeprintfilterpipelinesvc.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File created	C:\Windows\system32\spool\PRINTERS\PPvmsoqdex1ar62la0jgey72_g.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File created	C:\Windows\system32\spool\PRINTERS\00004.SPL	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
File created	C:\Windows\system32\spool\PRINTERS\PPypcgo7ni2kd2de7jl7cblk8td.TMP	printfilterpipelinesvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg"	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

onenoteim.exeONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	onenoteim.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	onenoteim.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	onenoteim.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies registry class 4 IoCs

Processes:

onenoteim.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache	onenoteim.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.office.onenote_8wekyb3d8bbwe\Internet Settings\Cache	onenoteim.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.office.onenote_8wekyb3d8bbwe\Internet Settings	onenoteim.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.office.onenote_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	onenoteim.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ONENOTE.EXE

pid process

5644 ONENOTE.EXE
5644 ONENOTE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXEonenoteim.exe

pid	process
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE
220	onenoteim.exe
5644	ONENOTE.EXE
5644	ONENOTE.EXE
5644	ONENOTE.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

printfilterpipelinesvc.exe

description	pid	process	target process
PID 5300 wrote to memory of 5644	5300	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 5300 wrote to memory of 5644	5300	printfilterpipelinesvc.exe	ONENOTE.EXE

C:\Users\Admin\AppData\Local\Temp\05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe
"C:\Users\Admin\AppData\Local\Temp\05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:6100

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5300
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D9E7102B-7CEF-482E-8D56-9C0C7B71B558}.xps" 133766288416350000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2724

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D817C0A6-DFFC-4A14-9E9D-B3E0620AB4C7}

Filesize
4KB

MD5
e09ac0db0a2bddf896bb6125b184ef29

SHA1
41fe77021ad9e2c56614ca8587171310da292b64

SHA256
2015bc47240087ff5f2b94d1f4eda2e1ecf2fb1a3c5e98799ada48076abcf1ff

SHA512
e810cef20b6f4789313d3e3ddefcb69e7d4bddf8f599b1aa96c0f61f22931131991915c2de206eab44d239c9a7ac8a1bdaf3881d53101142101f9ec752487682

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
37ee81b7d89c4ad01eeb3c953d5bd09a

SHA1
21872386a73a57b3a3abd3a3ad10fedc41ba7e7d

SHA256
13598b221445493218e614cc4275f6f3d3ed536acc8ced772866590b559914fb

SHA512
a0c9f0fd9e49132ca435f7b26fdc89040fad2afe63377dc76cf29b9d551efe48e1464583502629d0a9966db1f4e9323816cd8f04ec98d4ea6665d0f8d158c1dd

Download Submit
F:\INC-README.html

Filesize
1KB

MD5
0640fafac8235fe530fc42dd317edd42

SHA1
f861c9e32901257f02cc41198321cdeb69fc319c

SHA256
f61cac9032dbe99e80498bf21c354abedd2798f165a14727b14d8da1704f46a4

SHA512
730be1a0d64ce46bdf3f01c20ab22f30d27c5042733338a30ee015acc7181b93d9ce44c87c2c4dd386f775f922a2ece841ef4afe01bdae7a84e2690859f9c262

Download Submit
F:\INC-README.txt

Filesize
1KB

MD5
fd8c238a1d73369fe56c62f384b40a79

SHA1
b9cda829afb4b8543058e4b7e157aa87491a2dfc

SHA256
8c106e05f74d11f853c8ace91e83945513514487a37ad8f8d194bfd1b719f4c0

SHA512
8c17f6c959aa9f1276d1043d46612274dc7d5ee9ff997aecfbdb3cfa10823a354593c16794dc7ddc1d0932f65909e6fd0b68aa7dd595e0e828c0a92f68bfa3d3

Download Submit
memory/2724-1599-0x000001CFC3610000-0x000001CFC3611000-memory.dmp

Filesize
4KB

Download
memory/2724-1596-0x000001CFC3610000-0x000001CFC3611000-memory.dmp

Filesize
4KB

Download
memory/2724-1603-0x000001CFC36B0000-0x000001CFC36B1000-memory.dmp

Filesize
4KB

Download
memory/2724-1586-0x000001CFBB2A0000-0x000001CFBB2B0000-memory.dmp

Filesize
64KB

Download
memory/2724-1582-0x000001CFBB260000-0x000001CFBB270000-memory.dmp

Filesize
64KB

Download
memory/2724-1602-0x000001CFC36B0000-0x000001CFC36B1000-memory.dmp

Filesize
4KB

Download
memory/2724-1594-0x000001CFC3590000-0x000001CFC3591000-memory.dmp

Filesize
4KB

Download
memory/2724-1600-0x000001CFC36A0000-0x000001CFC36A1000-memory.dmp

Filesize
4KB

Download
memory/2724-1601-0x000001CFC36A0000-0x000001CFC36A1000-memory.dmp

Filesize
4KB

Download
memory/5644-1579-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

Filesize
64KB

Download
memory/5644-1598-0x00007FF7CF520000-0x00007FF7CF530000-memory.dmp

Filesize
64KB

Download
memory/5644-1580-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

Filesize
64KB

Download
memory/5644-1590-0x00007FF7CF520000-0x00007FF7CF530000-memory.dmp

Filesize
64KB

Download
memory/5644-1581-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

Filesize
64KB

Download
memory/5644-1578-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

Filesize
64KB

Download
memory/5644-1577-0x00007FF7D1B70000-0x00007FF7D1B80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads