General

  • Target

    0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42

  • Size

    1.9MB

  • Sample

    241121-jfh9tazald

  • MD5

    acfa0c2374d79ee81b52d83625bc0c51

  • SHA1

    3a21939a08d8692f143489c70e30cb3e76401e3b

  • SHA256

    0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42

  • SHA512

    afc9e40309a8a56138597b2d2c18f0ef4ef380e1856549feb27d66d223fdfdd530baf859cb2ad298db6436f5ed0ac46574a3723ac025e7d02736c3b761a0efaa

  • SSDEEP

    24576:RZ1xu7ZRX2iox4quwo63lUlWPpnx/YUP6BTOVEExGO5AgPxVERXBL61X8WdooBwv:aZAioEG1wUP6BTO2oGuJFqWykoAe6Xy

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note
Inc. Ransomware

We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business.

Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

Your personal ID: DE20CD82551F352E

We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it.

Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided:
1. Decryption assistance;
2. Initial access;
3. How to secure your network;
4. Evidence of deletion of internal documents;
5. Guarantees not to attack you in the future.

Instruction how to get to chat page:
1. Download TOR Browser from official website (https://www.torproject.org/download/);
2. Install TOR Browser and open it;
3. Copy chat link and press enter;
4. On the page you will need to register your account using your personal ID;
5. Use this ID and your password to get chat page again.
URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Targets

    • INC Ransomware

      INC Ransom is a ransomware that emerged in July 2023.

    • Inc_ransom family

    • Renames multiple (178) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
