inc_ransom | 11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd

General

Target

11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
Size

142KB
MD5

092d39b97288886203fa681bb354cca3
SHA1

baa44b68d92836d9005c6829d6d4891d39e1471d
SHA256

11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd
SHA512

7b77a63b635477bf88934983fabf4103d94aefc95986f4c66df3a74ede2349a6d8c9442f38417dcd5518231ed42104c33273229b3d99c92250cacfd6623c5b47
SSDEEP

3072:uA5ohBykv/QGvx4TOPu5XH4KoUu2JsaO0xiQhzNHaGV:DojR/QY4CP434KrtOiJHFV

Score

10^/10

inc_ransom credential_access discovery ransomware stealer

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note

Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: 938BFE0F7AD109ED We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.

URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Signatures

INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
ransomware inc_ransom
Inc_ransom family
inc_ransom
Renames multiple (298) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\I:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\J:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\K:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\R:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\W:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\V:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\F:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\A:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\E:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\G:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\L:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\O:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\U:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\H:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\N:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\P:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\Q:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\T:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\Z:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\M:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\S:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\X:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File opened (read-only)	\??\Y:	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
File created	C:\Windows\system32\spool\PRINTERS\PPwdmwmx3hjn8v97gwa_mo6skub.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg"	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5736	ONENOTE.EXE
5736	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE
5736	ONENOTE.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5488 wrote to memory of 5736	5488	printfilterpipelinesvc.exe	101
PID 5488 wrote to memory of 5736	5488	printfilterpipelinesvc.exe	101

C:\Users\Admin\AppData\Local\Temp\11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe
"C:\Users\Admin\AppData\Local\Temp\11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5368

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5488
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A3CB5D19-C242-4940-AD7B-ADD93DC0C55C}.xps" 133766310315840000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\INC-README.html

Filesize
1KB

MD5
85b81261146c08f4d472d18edc33c3b6

SHA1
7eb932f20e9c03fc8d77007f2651cbf5aad888a4

SHA256
265a0f64e8f11bbb397f0f02d035ac172a5ef02e38fdb864913a540ad9ad60b3

SHA512
b8d76760065743b3ef754c6b630300e091282207048a91a2b57577d9ed6e110640946e3bc099e7777ddcefa463d718908a630e9468447c3ca1f2c57e213bdff3

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C2C71AE3-921D-4B8B-8064-F278F5C3A1BE}

Filesize
4KB

MD5
975ce39faa5c3c5b43d2a215d69ee6b4

SHA1
8880323ffa4a0e054de8bf01562af7d7d005d2d6

SHA256
569b3377412beddf6736dfd8762e660f5d08d3f09e964e09bd6d96973f216889

SHA512
2fe1d54096243841598674115befdae8760ce93c4abaf974bbfa4c91c1faadfbd3b4edc4d4cb0699f020c91b7968b8dd951f505f860e6b9b04a5888b6e4d7cc5

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
9951828817ff52b5e8541448171e88b7

SHA1
ae3732657de294ad6ee2453b33a93131511b9106

SHA256
f28c6d72dfad2c3fa84c36c98cdbc1a15d7286f0032b6e6822314ae6155bf129

SHA512
eb80ad4bf1abc3b9c086f390aee731b1a253b56f99502434a69914eacd58004bab5ada2bb6235ef8e1b618cd5f88b1385a2a971f34a3748e6c3d6e68dac81209

Download Submit
F:\INC-README.txt

Filesize
1KB

MD5
bcbfa1399779f0779b61dd8169d2393d

SHA1
424013a1f7830b13065817c5c865a2101709be92

SHA256
cad9dde04935dfe6517c61ea55a40365c5f65062c4305508989a10a5c90ac03d

SHA512
fd7d0721e44d0f2f5c983406b3d4b1705d2c99b44cd5fee4c46cc9950ff05fa7c985bcee882d3852038f2e3a815ed34739e66cd80418e06634e37074f8e4acdf

Download Submit
memory/5736-1441-0x00007FFF241D0000-0x00007FFF241E0000-memory.dmp

Filesize
64KB

Download
memory/5736-1444-0x00007FFF241D0000-0x00007FFF241E0000-memory.dmp

Filesize
64KB

Download
memory/5736-1445-0x00007FFF241D0000-0x00007FFF241E0000-memory.dmp

Filesize
64KB

Download
memory/5736-1446-0x00007FFF21870000-0x00007FFF21880000-memory.dmp

Filesize
64KB

Download
memory/5736-1447-0x00007FFF21870000-0x00007FFF21880000-memory.dmp

Filesize
64KB

Download
memory/5736-1442-0x00007FFF241D0000-0x00007FFF241E0000-memory.dmp

Filesize
64KB

Download
memory/5736-1443-0x00007FFF241D0000-0x00007FFF241E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads