Analysis

  • max time kernel
    0s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 04:44

General

  • Target

    463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe

  • Size

    202KB

  • MD5

    da293a6e68ade7fd2258cc4485a619f5

  • SHA1

    4c8c82e3741caff63cafc993e59d767f3a0f6519

  • SHA256

    463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3

  • SHA512

    707d6eadce38befeb5eb0a91ab694b29e39681173e6c73fdea52165e272f84e5380c8b51f3982e2179077ced6589f66492cd2f92493a166cc5f08de91b056b8a

  • SSDEEP

    3072:sr85CXRRjHRvsfdO3Q+rSBPJasYIeuvUaEkZSc5vduKWQ:k9rjHiqrrTzWUc5EC

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note
~~~~ INC Ransom ~~~~
-----> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Link: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/ http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ Link for normal browser: http://incapt.su/
-----> What guarantees are that we won't fool you? We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly restore your systems and make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live
-----> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world. Tor Browser Link for chat: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/ Your personal ID: 66b92ced4b308506090cc38f
-----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!
-----> Don't go to the police or the FBI for help. They won't help you. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files. This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI won't protect you from repeated attacks.
-----> Don't go to recovery companies! They are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M. If you approached us directly without intermediaries you would pay several times less.
-----> For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret. In most cases, we find this information and download it.
-----> If you do not pay the ransom, we will attack your company again in the future.
URLs

http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

http://incapt.su/

https://twitter.com/hashtag/incransom?f=live

http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

Extracted

Path

F:\INC-README.html

Ransom Note
<html> <head> <title>INC Ransom</title> </head> <body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"> <div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Your personal ID: </span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">66b92ced4b308506090cc38f</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to recovery companies!</span> <span style="font-size: 14px; margin-top: 8px;">They are essentially just middlemen who will make money off you and cheat you.</span> <span style="font-size: 14px; margin-top: 8px;">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span> <span style="font-size: 14px; margin-top: 8px;">If you approached us directly without intermediaries you would pay several times less.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">For those who have cyber insurance against ransomware attacks.</span> <span style="font-size: 14px; margin-top: 8px;">Insurance companies require you to keep your insurance information secret.</span> <span style="font-size: 14px; margin-top: 8px;">In most cases, we find this information and download it.</span> </div> </div> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">What guarantees are that we won't fool you?</span> <span style="font-size: 14px; margin-top: 8px;">We are not a politically motivated group and we want nothing more than money.</span> <span style="font-size: 14px; margin-top: 8px;">If you pay, we will provide you with decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">After you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to the police or the FBI for help. They won't help you.</span> <span style="font-size: 14px; margin-top: 8px;">The police will try to prohibit you from paying the ransom in any way.</span> <span style="font-size: 14px; margin-top: 8px;">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span> <span style="font-size: 14px; margin-top: 8px;">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span> <span style="font-size: 14px; margin-top: 8px;">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span> <span style="font-size: 14px; margin-top: 8px;">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span> <span style="font-size: 14px; margin-top: 8px;">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't protect you from repeated attacks.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">If you do not pay the ransom, we will attack your company again in the future.</span> </div> </div> </div> </body> </html>
URLs

https://twitter.com/hashtag/incransom?f=live

Signatures

  • Detect Neshta payload 5 IoCs
  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

  • Inc_ransom family
  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executable files in order to spread and cause damage.

  • Neshta family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe
    "C:\Users\Admin\AppData\Local\Temp\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Local\Temp\3582-490\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe"
      2⤵
        PID:2776
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:5548
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
          PID:5672
          • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
            /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A3F065A4-6B8D-4A0E-BF75-63A6C210D548}.xps" 133766379479850000
            2⤵
              PID:5744

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

            Filesize

            86KB

            MD5

            3b73078a714bf61d1c19ebc3afc0e454

            SHA1

            9abeabd74613a2f533e2244c9ee6f967188e4e7e

            SHA256

            ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

            SHA512

            75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

          • C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker

            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

            Filesize

            64KB

            MD5

            210d82c22c46a636e3f73f57220bcb37

            SHA1

            897f9616d69be7c5759e38159d3c64b81da3d883

            SHA256

            a3345c3b7c4b7a9409d30a3d24abd19275c5ff76dc7f0ffeba0c522dd9f93485

            SHA512

            bdd6c5227c196dd25f5aa12b6403861ab7f23c8bb155ff61a01d385d2ac50224acecd108a6a276458aad593114df0e0d0b36fef83a57ccbf6827d358d3e77f2d

          • C:\Users\Admin\AppData\Local\Temp\3582-490\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe

            Filesize

            161KB

            MD5

            d1df32e403d1424daa322e21dd1e4d19

            SHA1

            6d3db4569fde0a3ee6e65828ebc7a638b22dc001

            SHA256

            5a8883ad96a944593103f2f7f3a692ea3cde1ede71cf3de6750eb7a044a61486

            SHA512

            b758651295081b33299691bf337af4b57f6feb86796a628ac154c0ddbb9d1172c0eb4ce398618060a340e06079e28b3924c5f737be42016a82b0f6f8d4efa9cc

          • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

            Filesize

            4KB

            MD5

            cb4345c348b4ca4b9bf28c8f65387484

            SHA1

            5ff30797d33fdecfdd2aaaa2fda002a296d4e002

            SHA256

            ba318d04816e867d431d2352d67dca9d2010c0ae25301ec158586be951e997a1

            SHA512

            2cfd79b552da9f1e8bfdba4c9648b848452770d14331a55089edf12828a19683e5636fbc0f3691dec5364de6a9207fb7bdb2434cce33b6c4a625f9911531a6db

          • F:\INC-README.html

            Filesize

            8KB

            MD5

            bc7b54e804ba2d052146e9f5b2999f90

            SHA1

            720f020a595a1c238d813033241a4e2e06cb2390

            SHA256

            bcad856842ff5fecf7e009cbab191f8b3dcedf14abf0dded801fe33160c4e31e

            SHA512

            6b4947fec5548e31b4ebde18bacf04c085745ad80d505c4263f21b18274ddc86fcb691f2f26189dbd41202ef51a536fdde006230cc48f15e2905827600cf3e99

          • F:\INC-README.txt

            Filesize

            3KB

            MD5

            5a6172f2b871ef4696625d381732302e

            SHA1

            dffc38dbd49a451f7f064d1836458280e5d5cc00

            SHA256

            616e24f1fc0ff31ddbe26321f6dba1b665652f017a966afa3dd16d630ce1d201

            SHA512

            d4e9ab8322371a19577d845a6540a8875232282586dbd785cf06730d2d94f57dc18cfe821e5e91fd6f86ab8d1da3f5b4ff763ce22d700de2215e9041b5a39ab4

          • memory/1800-697-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1800-1453-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1800-1482-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1800-1477-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/5744-1452-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

            Filesize

            64KB

          • memory/5744-1455-0x00007FFC4A400000-0x00007FFC4A410000-memory.dmp

            Filesize

            64KB

          • memory/5744-1449-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

            Filesize

            64KB

          • memory/5744-1448-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

            Filesize

            64KB

          • memory/5744-1450-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

            Filesize

            64KB

          • memory/5744-1454-0x00007FFC4A400000-0x00007FFC4A410000-memory.dmp

            Filesize

            64KB

          • memory/5744-1451-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

            Filesize

            64KB