Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 04:57

General

  • Target

    463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe

  • Size

    202KB

  • MD5

    da293a6e68ade7fd2258cc4485a619f5

  • SHA1

    4c8c82e3741caff63cafc993e59d767f3a0f6519

  • SHA256

    463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3

  • SHA512

    707d6eadce38befeb5eb0a91ab694b29e39681173e6c73fdea52165e272f84e5380c8b51f3982e2179077ced6589f66492cd2f92493a166cc5f08de91b056b8a

  • SSDEEP

    3072:sr85CXRRjHRvsfdO3Q+rSBPJasYIeuvUaEkZSc5vduKWQ:k9rjHiqrrTzWUc5EC

Malware Config

Extracted

Path

F:\INC-README.html

Ransom Note
<html> <head> <title>INC Ransom</title> </head> <body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"> <div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Your personal ID: </span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">66b92ced4b308506090cc38f</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to recovery companies!</span> <span style="font-size: 14px; margin-top: 8px;">They are essentially just middlemen who will make money off you and cheat you.</span> <span style="font-size: 14px; margin-top: 8px;">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span> <span style="font-size: 14px; margin-top: 8px;">If you approached us directly without intermediaries you would pay several times less.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">For those who have cyber insurance against ransomware attacks.</span> <span style="font-size: 14px; margin-top: 8px;">Insurance companies require you to keep your insurance information secret.</span> <span style="font-size: 14px; margin-top: 8px;">In most cases, we find this information and download it.</span> </div> </div> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">What guarantees are that we won't fool you?</span> <span style="font-size: 14px; margin-top: 8px;">We are not a politically motivated group and we want nothing more than money.</span> <span style="font-size: 14px; margin-top: 8px;">If you pay, we will provide you with decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">After you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to the police or the FBI for help. They won't help you.</span> <span style="font-size: 14px; margin-top: 8px;">The police will try to prohibit you from paying the ransom in any way.</span> <span style="font-size: 14px; margin-top: 8px;">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span> <span style="font-size: 14px; margin-top: 8px;">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span> <span style="font-size: 14px; margin-top: 8px;">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span> <span style="font-size: 14px; margin-top: 8px;">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span> <span style="font-size: 14px; margin-top: 8px;">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't protect you from repeated attacks.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">If you do not pay the ransom, we will attack your company again in the future.</span> </div> </div> </div> </body> </html>
URLs

https://twitter.com/hashtag/incransom?f=live</span>

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note
~~~~ INC Ransom ~~~~ -----> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Link: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/ http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ Link for normal browser: http://incapt.su/ -----> What guarantees are that we won't fool you? We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly restore your systems and make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live -----> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world. Tor Browser Link for chat: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/ Your personal ID: 66b92ced4b308506090cc38f -----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files! -----> Don't go to the police or the FBI for help. They won't help you. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files. This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI won't protect you from repeated attacks. -----> Don't go to recovery companies! They are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M. If you approached us directly without intermediaries you would pay several times less. -----> For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret. In most cases, we find this information and download it. -----> If you do not pay the ransom, we will attack your company again in the future.
URLs

http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

http://incapt.su/

https://twitter.com/hashtag/incransom?f=live

http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

Signatures

  • Detect Neshta payload 4 IoCs
  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

  • Inc_ransom family
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • Renames multiple (384) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe
    "C:\Users\Admin\AppData\Local\Temp\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\3582-490\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • F:\INC-README.html

    Filesize

    8KB

    MD5

    bc7b54e804ba2d052146e9f5b2999f90

    SHA1

    720f020a595a1c238d813033241a4e2e06cb2390

    SHA256

    bcad856842ff5fecf7e009cbab191f8b3dcedf14abf0dded801fe33160c4e31e

    SHA512

    6b4947fec5548e31b4ebde18bacf04c085745ad80d505c4263f21b18274ddc86fcb691f2f26189dbd41202ef51a536fdde006230cc48f15e2905827600cf3e99

  • F:\INC-README.txt

    Filesize

    3KB

    MD5

    5a6172f2b871ef4696625d381732302e

    SHA1

    dffc38dbd49a451f7f064d1836458280e5d5cc00

    SHA256

    616e24f1fc0ff31ddbe26321f6dba1b665652f017a966afa3dd16d630ce1d201

    SHA512

    d4e9ab8322371a19577d845a6540a8875232282586dbd785cf06730d2d94f57dc18cfe821e5e91fd6f86ab8d1da3f5b4ff763ce22d700de2215e9041b5a39ab4

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\463075274e328bd47d8092f4901e67f7fff6c5d972b5ffcf821d3c988797e8e3.exe

    Filesize

    161KB

    MD5

    d1df32e403d1424daa322e21dd1e4d19

    SHA1

    6d3db4569fde0a3ee6e65828ebc7a638b22dc001

    SHA256

    5a8883ad96a944593103f2f7f3a692ea3cde1ede71cf3de6750eb7a044a61486

    SHA512

    b758651295081b33299691bf337af4b57f6feb86796a628ac154c0ddbb9d1172c0eb4ce398618060a340e06079e28b3924c5f737be42016a82b0f6f8d4efa9cc

  • memory/2408-655-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2408-1710-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2408-1712-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB