inc_ransom | 0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e

General

Target

0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
Size

142KB
MD5

9e28725a40faab491e96a80d5c258c31
SHA1

2cc8ca797c6c731f0266a27176d71697e097824b
SHA256

0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e
SHA512

5448cdb27bc354091bb25a5cb3d17e71cad8ec2825069b177b3cddec8887e6118dc614eed41c24f948bd39751903f79e66939ae3081f175355cc2bb0d054ec29
SSDEEP

3072:uA5ohBykv/QGvx4TOPu5XH4KoUu2JsaO0xiQhzNHaGVV:DojR/QY4CP434KrtOiJHFVV

Score

10^/10

inc_ransom credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\INC-README.txt

Family

inc_ransom

Ransom Note

Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: 938BFE0F7AD109ED We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.

URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Signatures

INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
ransomware inc_ransom
Inc_ransom family
inc_ransom
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\U:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\V:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\Y:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\F:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\A:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\M:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\J:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\L:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\P:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\S:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\W:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\E:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\G:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\H:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\Z:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\O:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\R:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\B:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\I:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\N:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\K:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\T:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened (read-only)	\??\X:	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPw32mmweij2i993ddkfxu537t.TMP	printfilterpipelinesvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File created	C:\Windows\system32\spool\PRINTERS\PP7tl2sx430dm9pun0jrue0niyc.TMP	printfilterpipelinesvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\spool\PRINTERS\00004.SPL	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg"	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	onenoteim.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	onenoteim.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	onenoteim.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache	onenoteim.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.office.onenote_8wekyb3d8bbwe\Internet Settings\Cache	onenoteim.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.office.onenote_8wekyb3d8bbwe\Internet Settings	onenoteim.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.office.onenote_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	onenoteim.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5464	ONENOTE.EXE
5464	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE
2368	onenoteim.exe
5464	ONENOTE.EXE
5464	ONENOTE.EXE
5464	ONENOTE.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5152 wrote to memory of 5464	5152	printfilterpipelinesvc.exe	101
PID 5152 wrote to memory of 5464	5152	printfilterpipelinesvc.exe	101

C:\Users\Admin\AppData\Local\Temp\0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
"C:\Users\Admin\AppData\Local\Temp\0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:6008

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5152
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4B0E5530-E24D-4E8D-9C10-7178F285BD3B}.xps" 133766901046240000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2844

C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\INC-README.html

Filesize
1KB

MD5
85b81261146c08f4d472d18edc33c3b6

SHA1
7eb932f20e9c03fc8d77007f2651cbf5aad888a4

SHA256
265a0f64e8f11bbb397f0f02d035ac172a5ef02e38fdb864913a540ad9ad60b3

SHA512
b8d76760065743b3ef754c6b630300e091282207048a91a2b57577d9ed6e110640946e3bc099e7777ddcefa463d718908a630e9468447c3ca1f2c57e213bdff3

Download Submit
C:\ProgramData\Adobe\INC-README.txt

Filesize
1KB

MD5
bcbfa1399779f0779b61dd8169d2393d

SHA1
424013a1f7830b13065817c5c865a2101709be92

SHA256
cad9dde04935dfe6517c61ea55a40365c5f65062c4305508989a10a5c90ac03d

SHA512
fd7d0721e44d0f2f5c983406b3d4b1705d2c99b44cd5fee4c46cc9950ff05fa7c985bcee882d3852038f2e3a815ed34739e66cd80418e06634e37074f8e4acdf

Download Submit
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

Filesize
64KB

MD5
4e526d0d4ecd4f2fe7e947aeee5d2408

SHA1
01e572690d95cf4087d62cdec52189ac07e9bc88

SHA256
d3a14643481aa327a85be39ed285cb3470a7f5aa2bc71563ab9b2b7df9cbb3d5

SHA512
4b2b05173d68dd5cc39ec1b5566650c6ffe76b7bfa25266e5dc6c93d5466d05b43a24c4e9a4c64922975f7a15f7b9007ff8e38219a903451da8bdc5a25d1cef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E032930F-F0B6-40D6-BD27-63E2971EC267}

Filesize
4KB

MD5
9ac5a15c15b1441b4fcb56d2de9e3966

SHA1
637f57b582cab29bb886df49418d6b5fd544c9b5

SHA256
2c91e3fbc7ef7deeef0f0ad40220a949480cf610d4604f7141ee0dfc039ab266

SHA512
78d998e61cecf645d140cfc4f3a828d3747b485f2702c3b9155341667a240ea3b5baa7e52fbf596a705ce92744475f728c25f6f78456ea15979c1a5d8ce4882a

Download Submit
memory/2844-1528-0x00000242BF1A0000-0x00000242BF1A1000-memory.dmp

Filesize
4KB

Download
memory/2844-1530-0x00000242BF230000-0x00000242BF231000-memory.dmp

Filesize
4KB

Download
memory/2844-1533-0x00000242BF240000-0x00000242BF241000-memory.dmp

Filesize
4KB

Download
memory/2844-1532-0x00000242BF240000-0x00000242BF241000-memory.dmp

Filesize
4KB

Download
memory/2844-1512-0x00000242B6590000-0x00000242B65A0000-memory.dmp

Filesize
64KB

Download
memory/2844-1516-0x00000242B6E60000-0x00000242B6E70000-memory.dmp

Filesize
64KB

Download
memory/2844-1523-0x00000242BF120000-0x00000242BF121000-memory.dmp

Filesize
4KB

Download
memory/2844-1531-0x00000242BF230000-0x00000242BF231000-memory.dmp

Filesize
4KB

Download
memory/2844-1526-0x00000242BF1A0000-0x00000242BF1A1000-memory.dmp

Filesize
4KB

Download
memory/5464-1525-0x00007FFA9B980000-0x00007FFA9B990000-memory.dmp

Filesize
64KB

Download
memory/5464-1509-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/5464-1529-0x00007FFA9B980000-0x00007FFA9B990000-memory.dmp

Filesize
64KB

Download
memory/5464-1508-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/5464-1511-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/5464-1510-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download
memory/5464-1507-0x00007FFA9DE50000-0x00007FFA9DE60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads