Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21-11-2024 03:23
Static task
static1
Behavioral task
behavioral1
Sample
1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
Resource
win10v2004-20241007-en
General
-
Target
1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
-
Size
161KB
-
MD5
5ebad3f068d50dbe65d541908ab1a087
-
SHA1
e757fd61ea7c462d69581a5ba3b4d7764fe1f2b8
-
SHA256
1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a
-
SHA512
509cdcc594a82a95f4a476b6171517ea527b030aed3d9bd2054f183fab2918d693af6dc7e6a0c3922a47ca3cb19c6b1694c85ae574b9b03acf12ded91bd24e6f
-
SSDEEP
3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvUaEkZSc5:bYjHiqrrTLWUc5
Malware Config
Extracted
F:\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Extracted
C:\ProgramData\Adobe\INC-README.html
https://twitter.com/hashtag/incransom?f=live
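The contact URLs above are what a config extractor pulls out of INC-README.txt; before they go into a blocklist or a report, the .onion hosts should be checked for structural validity so that a dropped or mis-read character is caught. The following is an added example, not Tria.ge's extractor: NOTE_TEXT is a constructed stand-in for the note that carries the five URLs listed above (the surrounding lines are placeholders, not the real note text), and the onion check implements Tor's published v3 address layout, base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion" with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 0x03.

```python
"""Pull the contact URLs out of an INC ransom note and vet the .onion hosts.

Added example, not Tria.ge's config extractor. NOTE_TEXT is a constructed
stand-in for INC-README.txt that carries the five URLs this report extracted;
the labels in front of them are placeholders, not the real note wording.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

NOTE_TEXT = """\
[constructed note body - placeholder text]
Blog: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Mirror: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Clearnet: http://incapt.su/
News: https://twitter.com/hashtag/incransom?f=live
Payment: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")   # 35 bytes -> 56 base32 chars
VERSION = b"\x03"                                    # Tor v3 onion service version byte


def extract_urls(text):
    """Unique URLs in first-seen order, with trailing punctuation stripped."""
    seen, out = set(), []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def is_v3_onion_syntax(host):
    """Shape check only: 56 base32 characters followed by .onion."""
    return bool(ONION_V3_RE.match(host.lower()))


def v3_onion_checksum_ok(host):
    """Decode the 35-byte payload and recompute Tor's 2-byte checksum."""
    if not is_v3_onion_syntax(host):
        return False
    raw = base64.b32decode(host[:-6], casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def make_v3_onion(pubkey):
    """Build a well-formed v3 address from a 32-byte ed25519 public key."""
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def classify(text):
    """Map each URL to (url, host, label); label is onion-v3, onion-malformed or clearnet."""
    rows = []
    for url in extract_urls(text):
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(".onion"):
            label = "onion-v3" if v3_onion_checksum_ok(host) else "onion-malformed"
        else:
            label = "clearnet"
        rows.append((url, host, label))
    return rows


if __name__ == "__main__":
    for url, host, label in classify(NOTE_TEXT):
        print(f"{label:16} {host:70} {url}")
```

A host that passes the syntax check but fails the checksum is far more often transcription damage (a character lost in OCR or copy-paste) than anything the attacker did, so treat onion-malformed as "re-read the source note" rather than as a reason to drop the indicator.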
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (320) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and given a new extension.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\H: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\N: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\R: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\T: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\A: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\J: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\P: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\S: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\U: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\G: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\I: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\K: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\L: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\Z: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\W: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\X: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\F: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\B: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\M: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\O: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\Q: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\V: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File opened (read-only) | \??\Y: | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
File created | C:\Windows\system32\spool\PRINTERS\PP094y8x_2767f8rhx4pbp89i9b.TMP | printfilterpipelinesvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5396 | ONENOTE.EXE
5396 | ONENOTE.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1348 | 1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
(the row above is repeated 64 times, all for pid 1348; see the IoC count in the heading)
-
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
5396 | ONENOTE.EXE
(the row above is repeated 13 times)
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 6004 wrote to memory of 5396 | 6004 | printfilterpipelinesvc.exe | 102
PID 6004 wrote to memory of 5396 | 6004 | printfilterpipelinesvc.exe | 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID:5796
-
C:\Windows\system32\printfilterpipelinesvc.exe
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:6004
  -
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (child of PID 6004)
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{65099ECB-F718-49B7-9C11-86A2AD139DB7}.xps" 133766330363490000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5396
-
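The signature list and the process tree above can be turned into a per-process check. The following is an added example, not Tria.ge code: it aggregates the indicator types this report raises (drive-root opens, .SPL creation under spool\PRINTERS, the Wallpaper value write, INC-README drops and extension-appending renames) per pid over a constructed event stream modelled on the IoCs above. The report gives the rename count (320) but not the appended extension or the renamed paths, so the ".INC" suffix and the document paths in the constructed data are assumptions.

```python
"""Per-process ransomware triage over a constructed event stream.

Added example for this report, not Tria.ge code. EVENTS is constructed to
mirror the IoCs above (24 drive-root opens, .SPL files in the spool
directory, the Wallpaper registry write, two INC-README notes and 320
renames); the appended extension ".INC" and the document paths are assumed,
the report does not name them.
"""
import re
from collections import defaultdict

SAMPLE = "1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a.exe"

DRIVE_ROOT = re.compile(r"^\\\?\?\\[A-Z]:$")                      # \??\E:
SPOOL_DIR = re.compile(r"\\system32\\spool\\PRINTERS\\", re.I)   # a spooled print job
NOTE_NAME = re.compile(r"\\INC-README\.(txt|html)$", re.I)
WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)

# Event tuple: (pid, image, kind, target, extra). `extra` is the new path for a
# rename and the value written for a registry set, otherwise "".
EVENTS = (
    [(1348, SAMPLE, "file_open", f"\\??\\{c}:", "") for c in "ABEFGHIJKLMNOPQRSTUVWXYZ"]
    + [(1348, SAMPLE, "file_create", rf"C:\Windows\system32\spool\PRINTERS\0000{n}.SPL", "")
       for n in (2, 3)]
    + [(1348, SAMPLE, "file_create", r"F:\INC-README.txt", ""),
       (1348, SAMPLE, "file_create", r"C:\ProgramData\Adobe\INC-README.html", ""),
       (1348, SAMPLE, "reg_set",
        r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper",
        r"C:\Users\Admin\AppData\Local\Temp\background-image.jpg")]
    # Assumed extension and paths: the report only states that 320 files were renamed.
    + [(1348, SAMPLE, "file_rename", rf"C:\Users\Admin\Documents\doc{i}.docx",
        rf"C:\Users\Admin\Documents\doc{i}.docx.INC") for i in range(320)]
    # The spooler side of the print job from the process tree: not sample behaviour.
    + [(6004, "printfilterpipelinesvc.exe", "file_create",
        r"C:\Windows\system32\spool\PRINTERS\PP094y8x_2767f8rhx4pbp89i9b.TMP", ""),
       (5396, "ONENOTE.EXE", "reg_query",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "")]
)


def added_extension(old, new):
    """Return the suffix if `new` is `old` with exactly one ".ext" appended."""
    if new.startswith(old + ".") and "\\" not in new[len(old):]:
        return new[len(old):]
    return None


def triage(events, drive_threshold=5, rename_threshold=20):
    """Aggregate indicators per pid. A process is ransomware_like when it opens
    at least `drive_threshold` drive roots and performs at least
    `rename_threshold` renames that append an extension."""
    per = defaultdict(lambda: {"image": "", "drive_roots": set(), "renames": 0,
                               "extensions": defaultdict(int), "spool_files": 0,
                               "ransom_notes": [], "wallpaper": None})
    for pid, image, kind, target, extra in events:
        p = per[pid]
        p["image"] = image
        if kind == "file_open" and DRIVE_ROOT.match(target):
            p["drive_roots"].add(target[-2])
        elif kind == "file_create":
            if SPOOL_DIR.search(target):
                p["spool_files"] += 1
            if NOTE_NAME.search(target):
                p["ransom_notes"].append(target)
        elif kind == "file_rename":
            ext = added_extension(target, extra)
            if ext:
                p["renames"] += 1
                p["extensions"][ext] += 1
        elif kind == "reg_set" and WALLPAPER.search(target):
            p["wallpaper"] = extra
    findings = {}
    for pid, p in per.items():
        exts = p["extensions"]
        findings[pid] = {
            "image": p["image"],
            "drive_roots": len(p["drive_roots"]),
            "renames": p["renames"],
            "extension": max(exts, key=exts.get) if exts else None,
            "spool_files": p["spool_files"],
            "ransom_notes": p["ransom_notes"],
            "wallpaper": p["wallpaper"],
            "ransomware_like": (len(p["drive_roots"]) >= drive_threshold
                                and p["renames"] >= rename_threshold),
        }
    return findings


if __name__ == "__main__":
    for pid, f in sorted(triage(EVENTS).items()):
        verdict = "ransomware_like" if f["ransomware_like"] else "not flagged"
        print(pid, f["image"], verdict,
              f"drives={f['drive_roots']} renames={f['renames']} ext={f['extension']}")
```

The verdict rests only on drive enumeration plus mass renames; a note drop, a wallpaper change or a print job on its own is recorded but does not flag the process. The .SPL files are print jobs the sample spooled, and the printfilterpipelinesvc.exe to ONENOTE.EXE /insertdoc chain in the tree is the print pipeline rendering spooled XPS, which is why pids 6004 and 5396 are scored separately here and stay unflagged despite the registry reads and SetWindowsHookEx attributed to ONENOTE.EXE.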
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
8KB
MD5 3d1d522b4e9a785d56049e53a6d89b05
SHA1 908c95acee3102315bc70f5bd516fb033f8ca5d2
SHA256 6c725e64aa7502f0348947a845f30f8b7ab3e8147fe66dda906a0b9a1a1c1926
SHA512 f6949a7843c7c9ddc7958efa62578cb7dfcd8fe23f094e19c3dbd382880080d6352f76f310447eb484d2bff97461c66570d08f9bfbbfc854e0cb8cfc38a0e432
-
Filesize
64KB
MD5 aa3a6f947fbb639e5ec3e16cc9e3916a
SHA1 5f76b687bd4f7f6d15781c38dcd2e448e17bb390
SHA256 243a743393379724f61dfb442a0a7dd3f424fd402a3fa782f7ef4a20df0528c0
SHA512 4f4f4df65bfb097a99d83458053b3016b93f0c26917f03fa0bb1afdd09d78a21648bd4cf55f1d2e25b05033cc61f6078964407c188b10255184a68eb3bf1f21e
-
Filesize
4KB
MD5 3a0ea07f89eaaf6c40c7ca324a44c4de
SHA1 8d295398977e3324139bc1842a82d74eecbcb08c
SHA256 097be9408ef6ef98535e5102b8b3fdc61adbd903f9439cbaadbd45814c1e34bd
SHA512 e76d5efbf7bbb4eb60baf32c009a154230b0802829a573b150dfa790cb5fa8b1a31ba6845d1fa71d734d695a3f2e84cf1786eb512cd246ad332a970359a57c0d
-
Filesize
3KB
MD5 b5e1a43759ef29b429bde65e4b5b77aa
SHA1 ba3a40948c4515c75d5b67a0408a619fe53911ca
SHA256 570796fd80f4c30b21750581b28b7de7561381850b408924d05cfb47a1d2cfa4
SHA512 bc9635d6b749c9cd66a6403b30e4c429b07c4ef5e7259ba33cf5fa84e35f94e3294b8e7ff1c5d268036e890b3e2e54f44cd0def18de439ce97f67df201c13675