Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 19:14

General

  • Target

    0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe

  • Size

    142KB

  • MD5

    9e28725a40faab491e96a80d5c258c31

  • SHA1

    2cc8ca797c6c731f0266a27176d71697e097824b

  • SHA256

    0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e

  • SHA512

    5448cdb27bc354091bb25a5cb3d17e71cad8ec2825069b177b3cddec8887e6118dc614eed41c24f948bd39751903f79e66939ae3081f175355cc2bb0d054ec29

  • SSDEEP

    3072:uA5ohBykv/QGvx4TOPu5XH4KoUu2JsaO0xiQhzNHaGVV:DojR/QY4CP434KrtOiJHFVV

Malware Config

Extracted

Path

C:\ProgramData\Adobe\INC-README.txt

Family

inc_ransom

Ransom Note

Inc. Ransomware

We have hacked you and downloaded all confidential data of your company and its clients.
It can be spread out to people and media. Your reputation will be ruined.
Do not hesitate and save your business.

Please, contact us via:
http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

Your personal ID: 938BFE0F7AD109ED

We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it.

Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog:
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

You should be informed, in our business reputation - is a basic condition of the success.

Inc provides a deal. After successfull negotiations you will be provided:
1. Decryption assistance;
2. Initial access;
3. How to secure your network;
4. Evidence of deletion of internal documents;
5. Guarantees not to attack you in the future.

Instruction how to get to chat page:
1. Download TOR Browser from official website (https://www.torproject.org/download/);
2. Install TOR Browser and open it;
3. Copy chat link and press enter;
4. On the page you will need to register your account using your personal ID;
5. Use this ID and your password to get chat page again.

URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Signatures

  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

  • Inc_ransom family
  • Renames multiple (317) files with added filename extension

    This suggests ransomware activity that encrypts all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 16 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe
    "C:\Users\Admin\AppData\Local\Temp\0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:3100
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      PID:6008
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5152
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4B0E5530-E24D-4E8D-9C10-7178F285BD3B}.xps" 133766901046240000
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:5464
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      • Drops file in System32 directory
      PID:2844
    • C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe
      "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2368

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\ProgramData\Adobe\INC-README.html

      Filesize

      1KB


    • C:\ProgramData\Adobe\INC-README.txt

      Filesize

      1KB


    • C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker


    • C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

      Filesize

      64KB


    • C:\Users\Admin\AppData\Local\Temp\{E032930F-F0B6-40D6-BD27-63E2971EC267}

      Filesize

      4KB

