Overview

overview

10

Static

static

3

d147b202e9...c6.exe

windows7-x64

10

d147b202e9...c6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe

  • Size

    161KB

  • MD5

    267bec0f845b4f49610cfe695b63c5f6

  • SHA1

    65717fff01fafc65e5d7d412168df8f818a0bff9

  • SHA256

    d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6

  • SHA512

    68b3513c60cd6dc6a7bff5451232661dc612724d4152c10d6ac0ff5c778eb3f08717c4bbdac4b24bd145fbd397f0b33c001bac19bf7d2a09b9378e9f457c1d01

  • SSDEEP

    3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvlaEkZSc5:bYjHiqrrTuWUc5

Score
10/10
inc_ransomcredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note
~~~~ INC Ransom ~~~~ -----> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Link: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/ http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ Link for normal browser: http://incapt.su/ -----> What guarantees are that we won't fool you? We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly restore your systems and make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live -----> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world. Tor Browser Link for chat: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/ Your personal ID: 662cb73c7cc626fa13c9d88c -----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files! -----> Don't go to the police or the FBI for help. They won't help you. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files. This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI won't protect you from repeated attacks. -----> Don't go to recovery companies! They are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M. If you approached us directly without intermediaries you would pay several times less. -----> For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret. In most cases, we find this information and download it. -----> If you do not pay the ransom, we will attack your company again in the future.
URLs

http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

http://incapt.su/

https://twitter.com/hashtag/incransom?f=live

http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

Extracted

Path

F:\INC-README.html

Ransom Note
<html> <head> <title>INC Ransom</title> </head> <body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"> <div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Your personal ID: </span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">662cb73c7cc626fa13c9d88c</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to recovery companies!</span> <span style="font-size: 14px; margin-top: 8px;">They are essentially just middlemen who will make money off you and cheat you.</span> <span style="font-size: 14px; margin-top: 8px;">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span> <span style="font-size: 14px; margin-top: 8px;">If you approached us directly without intermediaries you would pay several times less.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">For those who have cyber insurance against ransomware attacks.</span> <span style="font-size: 14px; margin-top: 8px;">Insurance companies require you to keep your insurance information secret.</span> <span style="font-size: 14px; margin-top: 8px;">In most cases, we find this information and download it.</span> </div> </div> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">What guarantees are that we won't fool you?</span> <span style="font-size: 14px; margin-top: 8px;">We are not a politically motivated group and we want nothing more than money.</span> <span style="font-size: 14px; margin-top: 8px;">If you pay, we will provide you with decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">After you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to the police or the FBI for help. They won't help you.</span> <span style="font-size: 14px; margin-top: 8px;">The police will try to prohibit you from paying the ransom in any way.</span> <span style="font-size: 14px; margin-top: 8px;">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span> <span style="font-size: 14px; margin-top: 8px;">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span> <span style="font-size: 14px; margin-top: 8px;">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span> <span style="font-size: 14px; margin-top: 8px;">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span> <span style="font-size: 14px; margin-top: 8px;">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't protect you from repeated attacks.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">If you do not pay the ransom, we will attack your company again in the future.</span> </div> </div> </div> </body> </html>
URLs

https://twitter.com/hashtag/incransom?f=live</span>

Signatures

  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

    ransomwareinc_ransom
  • Inc_ransom family
    inc_ransom
  • Renames multiple (301) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 16 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe
    "C:\Users\Admin\AppData\Local\Temp\d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1156
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5408
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5604
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5FC9AFC8-5947-4461-BE67-66AFAD85AC9C}.xps" 133766518269440000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:5872
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      1⤵
      • Drops file in System32 directory
      PID:5968
    • C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
      "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5352

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs
      Filesize

      64KB

      MD5

      fcd6bcb56c1689fcef28b57c22475bad

      SHA1

      1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

      SHA256

      de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

      SHA512

      73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{133D934A-9BCA-4E6E-BBF0-966C1BF3E471}
      Filesize

      4KB

      MD5

      f5b3d5fc5ebb187f22259c4a4777a2ac

      SHA1

      777a3b7f2e9f0aa7d01970959963ec7162c54dfa

      SHA256

      4f35299e5be33fe25a64a4ec572d8a0512dda3ca9166c24d31002e93fb1942fa

      SHA512

      ae3b05a1f1a03458c2207293d0bef7bef695d31457e85077b190ebb45d670a0331a0a908034510611d70ded9a5b90031e1b696790c2533565291d3f274a808a3

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      1fbacdf1d7f3545e6cea058ac3276cc1

      SHA1

      061530162b681fed4ada2b0c5d86beda5d636198

      SHA256

      f2e87e813383e0f186cddb2756bacf650ee0f3537177849cce1e088a9fe70c1b

      SHA512

      26346653ad88e953ce6c69a9bfeb9bcab8edabe86fe09724eba40b5281a0f1de049bb58dddc5f3b7c1b1061903c4423e930d2a413a8dbc39a34b636bd087828d

      Download Submit

    • F:\INC-README.html
      Filesize

      8KB

      MD5

      e4b361f59f748d20b15e0d5508c2dc33

      SHA1

      4249544063935272917970c4233f57a7de887b53

      SHA256

      06bc0bce8c8790e33546ea84fe4cb9d08375501a5cd594ffc77646725bd1979f

      SHA512

      c4131a48d2dc3c26282309e1f7c1fc6f8865f1db0ebd1360cc33f3cb039b2d43d9ff117144e1697556545621259d34d5e394f2381a459ce877257b299d37b424

      Download Submit

    • F:\INC-README.txt
      Filesize

      3KB

      MD5

      4047372b2c516b72b514ed81cc94026f

      SHA1

      0e039cffb138020435b076eefc8885eefed0250c

      SHA256

      6fe80757787cd41cf28b2b65ba65ad4103c934ee8be90289409cf75152afda9b

      SHA512

      d0fc67d28a5d14bfa87ad45ef04010967add1f17701dd1a115b9a292031b075a9c193c775d840cbb2dad132181ea37b731de29479c5272c9e208c679358a9e8f

      Download Submit

    • memory/5872-1463-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5872-1465-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5872-1466-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5872-1464-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5872-1467-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5872-1487-0x00007FFD0AEA0000-0x00007FFD0AEB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5872-1490-0x00007FFD0AEA0000-0x00007FFD0AEB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5968-1472-0x00000119181A0000-0x00000119181B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5968-1485-0x0000011920580000-0x0000011920581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5968-1484-0x0000011920580000-0x0000011920581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5968-1486-0x0000011920590000-0x0000011920591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5968-1483-0x00000119204F0000-0x00000119204F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5968-1488-0x0000011920590000-0x0000011920591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5968-1481-0x00000119204F0000-0x00000119204F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5968-1479-0x0000011920470000-0x0000011920471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5968-1468-0x0000011918160000-0x0000011918170000-memory.dmp

      Filesize

      64KB

      Download