inc_ransom | 0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42

General

Target

0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
Size

1.9MB
MD5

acfa0c2374d79ee81b52d83625bc0c51
SHA1

3a21939a08d8692f143489c70e30cb3e76401e3b
SHA256

0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42
SHA512

afc9e40309a8a56138597b2d2c18f0ef4ef380e1856549feb27d66d223fdfdd530baf859cb2ad298db6436f5ed0ac46574a3723ac025e7d02736c3b761a0efaa
SSDEEP

24576:RZ1xu7ZRX2iox4quwo63lUlWPpnx/YUP6BTOVEExGO5AgPxVERXBL61X8WdooBwv:aZAioEG1wUP6BTO2oGuJFqWykoAe6Xy

Score

10^/10

inc_ransom discovery ransomware

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note

Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: DE20CD82551F352E We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.

URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Signatures

INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
ransomware inc_ransom
Inc_ransom family
inc_ransom
Renames multiple (178) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe

description	ioc	process
File opened (read-only)	\??\O:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\P:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\R:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\U:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\Y:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\M:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\I:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\K:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\N:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\X:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\H:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\B:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\L:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\Q:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\S:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\T:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\W:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\Z:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\A:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\E:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\G:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\J:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\V:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
File opened (read-only)	\??\F:	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe

C:\Users\Admin\AppData\Local\Temp\0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
"C:\Users\Admin\AppData\Local\Temp\0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\INC-README.html

Filesize
1KB

MD5
92297c55d11a2c811d1960b0adaba5bf

SHA1
5aeaa1ee84f0aabce1c16f32298fa5606e65fec5

SHA256
496106cec331f5ccd8592d4e518f065687313bce227fef40c62daf9a76e1a751

SHA512
f0b722e041dba2abd561ba29d87d4e81de383dc49c8ffb8f9a4c44a1fda37a535cccb55ee26cc68753c38a54c7049e43e9c1abe6da470e80571c50c514bec6a4

Download Submit
F:\INC-README.txt

Filesize
1KB

MD5
2228c0c702a21306a3dd8d4c0c44d05b

SHA1
de72904347c2a7da4fb1ad959ce0e70e89395121

SHA256
da660e1a9c981e2ec2f85eb6817d8033793833cdf3800cc579541a12621e4684

SHA512
b9e00d04ad906f3c122548990afc88b459ef71860b5eb5bbdfb31a97905cd939ea00b1163e94cc53e4e2620c4e2d9003bb557086c62c6f81e342f54b451dd8e5

Download Submit
memory/2644-102-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-98-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-49-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-46-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-0-0x0000000000210000-0x000000000030E000-memory.dmp

Filesize
1016KB

Download
memory/2644-85-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-84-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-99-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-1-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-34-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-82-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-81-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-76-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-57-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-67-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-42-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-2-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2644-766-0x0000000000210000-0x000000000030E000-memory.dmp

Filesize
1016KB

Download
memory/2644-2722-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing