Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 07:36

General

  • Target

    0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe

  • Size

    1.9MB

  • MD5

    acfa0c2374d79ee81b52d83625bc0c51

  • SHA1

    3a21939a08d8692f143489c70e30cb3e76401e3b

  • SHA256

    0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42

  • SHA512

    afc9e40309a8a56138597b2d2c18f0ef4ef380e1856549feb27d66d223fdfdd530baf859cb2ad298db6436f5ed0ac46574a3723ac025e7d02736c3b761a0efaa

  • SSDEEP

    24576:RZ1xu7ZRX2iox4quwo63lUlWPpnx/YUP6BTOVEExGO5AgPxVERXBL61X8WdooBwv:aZAioEG1wUP6BTO2oGuJFqWykoAe6Xy

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note
Inc. Ransomware

We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business.

Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

Your personal ID: DE20CD82551F352E

We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it.

Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided:
1. Decryption assistance;
2. Initial access;
3. How to secure your network;
4. Evidence of deletion of internal documents;
5. Guarantees not to attack you in the future.

Instruction how to get to chat page:
1. Download TOR Browser from official website (https://www.torproject.org/download/);
2. Install TOR Browser and open it;
3. Copy chat link and press enter;
4. On the page you will need to register your account using your personal ID;
5. Use this ID and your password to get chat page again.
URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
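
The extraction shown above (note path, family, URLs) is what the sandbox's config extractor produced. The following is an added example of doing the same pull from the note text by hand; it is not part of the report and not code from the sandbox vendor or from the INC operators. The note string is copied from the report; the regular expressions, the `onion_v3_valid` checksum test and the `extract_iocs` result fields are this example's own assumptions. The checksum test is the useful part for triage: a v3 onion hostname is base32 of `pubkey || checksum || version`, so a copy-paste or OCR error in a reported address almost always fails it, while an address that passes is at least structurally genuine.

```python
import base64
import hashlib
import re
from typing import Dict

# Ransom note text copied from the report above (F:\INC-README.txt).  The
# parsing rules and the field names in the result are this example's own.
NOTE = (
    "Inc. Ransomware We have hacked you and downloaded all confidential data "
    "of your company and its clients. It can be spread out to people and "
    "media. Your reputation will be ruined. Do not hesitate and save your "
    "business. Please, contact us via: "
    "http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ "
    "Your personal ID: DE20CD82551F352E We're the ones who can quickly "
    "recover your systems with no losses. Do not try to devalue our tool - "
    "nothing will come of it. Starting from now, you have 72 hours to contact "
    "us if you don't want your sensitive data being published in our blog: "
    "http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ "
    "You should be informed, in our business reputation - is a basic "
    "condition of the success. Inc provides a deal. After successfull "
    "negotiations you will be provided: 1. Decryption assistance; 2. Initial "
    "access; 3. How to secure your network; 4. Evidence of deletion of "
    "internal documents; 5. Guarantees not to attack you in the future. "
    "Instruction how to get to chat page: 1. Download TOR Browser from "
    "official website (https://www.torproject.org/download/); 2. Install TOR "
    "Browser and open it; 3. Copy chat link and press enter; 4. On the page "
    "you will need to register your account using your personal ID; 5. Use "
    "this ID and your password to get chat page again."
)

URL_RE = re.compile(r"https?://[^\s)]+")
# A v3 onion hostname is exactly 56 base32 characters (a-z, 2-7).
ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion/?", re.I)
VICTIM_ID_RE = re.compile(r"personal ID:\s*([0-9A-F]{8,})", re.I)
DEADLINE_RE = re.compile(r"you have (\d+) hours", re.I)


def onion_v3_valid(label: str) -> bool:
    """Check the v3 onion address checksum (Tor rend-spec-v3):
    address = base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]), VERSION = 0x03,
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2].
    A mistyped or truncated character fails this (the last character of every
    v3 address is 'd', the low five bits of the version byte)."""
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error: non-base32 input
        return False
    if len(raw) != 35 or raw[34] != 0x03:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return checksum == expected


def extract_iocs(note: str) -> Dict[str, object]:
    """Pull the negotiation/leak URLs, victim ID and deadline out of a note."""
    urls = list(dict.fromkeys(URL_RE.findall(note)))  # de-duplicate, keep order
    onion_urls = [u for u in urls if ONION_RE.fullmatch(u)]
    other_urls = [u for u in urls if u not in onion_urls]
    onion_checksum_ok = {
        u: onion_v3_valid(ONION_RE.fullmatch(u).group(1)) for u in onion_urls
    }
    id_match = VICTIM_ID_RE.search(note)
    deadline = DEADLINE_RE.search(note)
    return {
        # Family attribution here is only a string heuristic on the note's
        # opening words; the report's own family tag is the authoritative one.
        "family": "inc_ransom" if note.startswith("Inc. Ransomware") else None,
        "onion_urls": onion_urls,
        "onion_checksum_ok": onion_checksum_ok,
        "other_urls": other_urls,
        "victim_id": id_match.group(1) if id_match else None,
        "deadline_hours": int(deadline.group(1)) if deadline else None,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(f"{key}: {value}")
```

The clearnet torproject.org link is kept separately from the onion addresses so it does not end up on a blocklist by accident; only the two .onion URLs are the actor's infrastructure.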

Signatures

  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

  • Inc_ransom family
  • Renames multiple (308) files with added filename extension

    Renaming 308 files with an appended extension is consistent with ransomware encrypting files across the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe
    "C:\Users\Admin\AppData\Local\Temp\0cb4e7d35eb3f4585c6168988247e30d99ef24d3ef006d91971e3913ef593c42.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:1608
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID:5792
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:6000
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{58D31FF5-F474-43E3-8B7A-1865AAA44807}.xps" 133766483127690000
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2300

    The svchost.exe (PrintWorkflowUserSvc) tree is a separate top-level process, not a child of PID 1608. printfilterpipelinesvc.exe spawning ONENOTE.EXE /insertdoc on an .xps spool file in INetCache is what Windows does when a document is printed to the OneNote print target (the trailing number is a Windows FILETIME, consistent with the run date). The report does not show which process submitted that print job, so the registry, process-enumeration and SetWindowsHookEx flags under PID 2300 are OneNote's own activity rather than behaviour observed in the sample's process.

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Adobe\Setup\INC-README.html

      Filesize

      1KB

      MD5

      92297c55d11a2c811d1960b0adaba5bf

      SHA1

      5aeaa1ee84f0aabce1c16f32298fa5606e65fec5

      SHA256

      496106cec331f5ccd8592d4e518f065687313bce227fef40c62daf9a76e1a751

      SHA512

      f0b722e041dba2abd561ba29d87d4e81de383dc49c8ffb8f9a4c44a1fda37a535cccb55ee26cc68753c38a54c7049e43e9c1abe6da470e80571c50c514bec6a4

    • C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker
      (no Filesize is reported; the digests below are those of zero-length input, so this is an empty Office lock file, not sample content)

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs
      (the digests below are those of 65536 zero bytes: a pre-allocated ESE reserve log, not sample content)

      Filesize

      64KB

      MD5

      fcd6bcb56c1689fcef28b57c22475bad

      SHA1

      1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

      SHA256

      de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

      SHA512

      73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

    • C:\Users\Admin\AppData\Local\Temp\{64EE6C5C-C6F8-42B8-962A-AF9D7660E986}

      Filesize

      4KB

      MD5

      920736d59ce8ad0893ff09cab78584a2

      SHA1

      40c0f78cd157daa714997000bba7db422cd1d387

      SHA256

      ecdd13d292605cbbd45ac865a55e5b4d29f62371c1ee8667ae4c5834c6bd6389

      SHA512

      c8ab1cb44a4a587b4314fb94e86b61f7e5462bfa9f4725b0573cc002cc9adc38bbd907243042588e981efc0ee0b632512406bf7f1e7114c4c007603ffe60d73f

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      44d3d0899f97873ff281c0a544f91cd4

      SHA1

      45134f5d2097ae7c53399a269e00702f892426fd

      SHA256

      4011f7a65d09618181deda0159b8ce7030f026f2a33421f7476c795d26e0e7ff

      SHA512

      cb44f297503c2ea28990d522f9976b1c638baeba436c0ddb3f9b43b051faf855710401e7b5b76a4d1e8cb40ccc4f4c65cca26d499eee05311d8dfb131abdac0e

    • F:\INC-README.txt

      Filesize

      1KB

      MD5

      2228c0c702a21306a3dd8d4c0c44d05b

      SHA1

      de72904347c2a7da4fb1ad959ce0e70e89395121

      SHA256

      da660e1a9c981e2ec2f85eb6817d8033793833cdf3800cc579541a12621e4684

      SHA512

      b9e00d04ad906f3c122548990afc88b459ef71860b5eb5bbdfb31a97905cd939ea00b1163e94cc53e4e2620c4e2d9003bb557086c62c6f81e342f54b451dd8e5

    • memory/1608-47-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-41-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-53-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-61-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-70-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-87-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-0-0x0000000000770000-0x000000000086E000-memory.dmp

      Filesize

      1016KB

    • memory/1608-1089-0x0000000000770000-0x000000000086E000-memory.dmp

      Filesize

      1016KB

    • memory/1608-2422-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-34-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-2-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB

    • memory/1608-1-0x00000000001A0000-0x00000000001C8000-memory.dmp

      Filesize

      160KB
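
An added triage helper for the dropped-file and memory-dump lists above; it is an example written for this page, not part of the sandbox report and not tooling from the sandbox vendor. It separates sandbox filler from sample output by content rather than by name: a SHA-256 equal to that of empty input marks a zero-length file, a SHA-256 equal to that of a zero buffer of the reported size marks a zero-filled reserve file, and the repeated memory/1608-*.dmp names are collapsed into distinct regions with the snapshot indices at which they were captured. The entries and dump names are copied from the lists above; the `parse_size`, `classify`, `triage` and `memory_regions` functions, the "ransom-note" filename heuristic and the reading of "64KB" as exactly 65536 bytes are this example's assumptions.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Entries copied from the Downloads list above as (path, reported size, SHA256).
# The report rounds sizes; "64KB" is taken as exactly 65536 bytes.
DROPPED: List[Tuple[str, Optional[str], str]] = [
    (r"C:\ProgramData\Adobe\Setup\INC-README.html", "1KB",
     "496106cec331f5ccd8592d4e518f065687313bce227fef40c62daf9a76e1a751"),
    (r"C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker", None,
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs", "64KB",
     "de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31"),
    (r"C:\Users\Admin\AppData\Local\Temp\{64EE6C5C-C6F8-42B8-962A-AF9D7660E986}", "4KB",
     "ecdd13d292605cbbd45ac865a55e5b4d29f62371c1ee8667ae4c5834c6bd6389"),
    (r"C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2", "4KB",
     "4011f7a65d09618181deda0159b8ce7030f026f2a33421f7476c795d26e0e7ff"),
    (r"F:\INC-README.txt", "1KB",
     "da660e1a9c981e2ec2f85eb6817d8033793833cdf3800cc579541a12621e4684"),
]

# Memory dump names copied from the list above (all from PID 1608).
MEMORY_DUMPS = [
    "memory/1608-47-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-41-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-53-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-61-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-70-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-87-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-0-0x0000000000770000-0x000000000086E000-memory.dmp",
    "memory/1608-1089-0x0000000000770000-0x000000000086E000-memory.dmp",
    "memory/1608-2422-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-34-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-2-0x00000000001A0000-0x00000000001C8000-memory.dmp",
    "memory/1608-1-0x00000000001A0000-0x00000000001C8000-memory.dmp",
]

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
RANSOM_NOTE_RE = re.compile(r"(^|[\\/])INC-README\.(txt|html)$", re.I)
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<snap>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_size(text: Optional[str]) -> Optional[int]:
    """'64KB' -> 65536; None when the report gives no size."""
    if text is None:
        return None
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]


def classify(path: str, size_text: Optional[str], sha256: str) -> str:
    """Label a dropped file using only its digest, size and name."""
    digest = sha256.lower()
    size = parse_size(size_text)
    if digest == EMPTY_SHA256:
        return "empty"           # zero-length file
    if size and digest == hashlib.sha256(bytes(size)).hexdigest():
        return "zero-filled"     # pre-allocated/reserve file, carries no sample data
    if RANSOM_NOTE_RE.search(path):
        return "ransom-note"     # filename heuristic for this family's note
    return "content"


def triage(dropped) -> Dict[str, str]:
    return {path: classify(path, size, sha) for path, size, sha in dropped}


def memory_regions(names) -> Dict[Tuple[int, int, int], Dict[str, object]]:
    """Group memory/<pid>-<snapshot>-<start>-<end> names into regions."""
    snaps = defaultdict(list)
    for name in names:
        m = MEM_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name!r}")
        key = (int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
        snaps[key].append(int(m["snap"]))
    return {
        (pid, start, end): {"size_kb": (end - start) // 1024, "snapshots": sorted(s)}
        for (pid, start, end), s in snaps.items()
    }


if __name__ == "__main__":
    for path, label in triage(DROPPED).items():
        print(f"{label:12} {path}")
    for (pid, start, end), info in memory_regions(MEMORY_DUMPS).items():
        print(f"pid {pid} {start:#x}-{end:#x} {info['size_kb']}KB "
              f"snapshots={info['snapshots']}")
```

Run against the lists above, the twelve dump files reduce to two regions of PID 1608 (160KB and 1016KB), and only the two INC-README files and the two 4KB OneNote/Temp files remain as candidate sample output; the lock file and the .jrs reserve log are environment noise that a hash-based blocklist or YARA rule should never be built from.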