Overview

overview

10

Static

static

3

0e3f849e35...3e.exe

windows7-x64

10

0e3f849e35...3e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe

  • Size

    142KB

  • Sample

    241121-xxzvsazkap

  • MD5

    9e28725a40faab491e96a80d5c258c31

  • SHA1

    2cc8ca797c6c731f0266a27176d71697e097824b

  • SHA256

    0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e

  • SHA512

    5448cdb27bc354091bb25a5cb3d17e71cad8ec2825069b177b3cddec8887e6118dc614eed41c24f948bd39751903f79e66939ae3081f175355cc2bb0d054ec29

  • SSDEEP

    3072:uA5ohBykv/QGvx4TOPu5XH4KoUu2JsaO0xiQhzNHaGVV:DojR/QY4CP434KrtOiJHFVV

Score
10/10
inc_ransomcredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\INC-README.txt

Family

inc_ransom

Ransom Note
Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: 938BFE0F7AD109ED We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.
URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Targets

    • Target

      0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe

    • Size

      142KB

    • MD5

      9e28725a40faab491e96a80d5c258c31

    • SHA1

      2cc8ca797c6c731f0266a27176d71697e097824b

    • SHA256

      0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e

    • SHA512

      5448cdb27bc354091bb25a5cb3d17e71cad8ec2825069b177b3cddec8887e6118dc614eed41c24f948bd39751903f79e66939ae3081f175355cc2bb0d054ec29

    • SSDEEP

      3072:uA5ohBykv/QGvx4TOPu5XH4KoUu2JsaO0xiQhzNHaGVV:DojR/QY4CP434KrtOiJHFVV

    Score
    10/10
    inc_ransomdiscoveryransomwarecredential_accessstealer

    • INC Ransomware

      INC Ransom is a ransomware that emerged in July 2023.

      ransomwareinc_ransom

    • Inc_ransom family

      inc_ransom

    • Renames multiple (383) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks