Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 20:29
Static task: static1
Behavioral task: behavioral1
Sample: 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
Resource: win10v2004-20241007-en
General
Target: 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
Size: 161KB
MD5: defcffd4596542872a2d811724c858a6
SHA1: 4e8da1c8081a260af131f1967b555024a9cfd97d
SHA256: 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf
SHA512: 27d509c2da94d1fa76d2d039efd4f3395e11fd96c6bfe43656be05fbfd5886c325b07166bbc525a7410cb85217d4f28d494d90055791e2e15f32b38d14124999
SSDEEP: 3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvgaEkZSc5o:bYjHiqrrT/WUc5o
Malware Config
Extracted
C:\ProgramData\Adobe\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Extracted
C:\ProgramData\Adobe\INC-README.html
https://twitter.com/hashtag/incransom?f=live
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | 24 drive roots, in reported order: \??\Z:, \??\B:, \??\I:, \??\J:, \??\M:, \??\Q:, \??\S:, \??\U:, \??\F:, \??\A:, \??\G:, \??\L:, \??\R:, \??\T:, \??\Y:, \??\E:, \??\K:, \??\O:, \??\P:, \??\V:, \??\W:, \??\H:, \??\N:, \??\X: | 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
File created | C:\Windows\system32\spool\PRINTERS\PP8pg7uw3z09gro8gi5fb_yi9cc.TMP | printfilterpipelinesvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5452 | ONENOTE.EXE (2 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3736 | 909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
5452 | ONENOTE.EXE (13 identical entries)
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 4924 wrote to memory of 5452 | 4924 | printfilterpipelinesvc.exe | 100 (2 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\909033ac13a6114191e0821fa49aee1bf5517d7849251b4d1c135f4cd7ffeecf.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 3736
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 6020
- C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4924
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (child of printfilterpipelinesvc.exe)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7BD02A8E-B18B-4F70-BA84-AE7D57FE0703}.xps" 133766945939330000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 5452
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 8KB
MD5: 6693cc0ae44733a41afbce4e9bc3a77f
SHA1: 28bf2f9b7fcc458d88e14c3a14fc5365031d59d6
SHA256: 01c2801f9e62aafdb0961f01b169ffa20755f50a9f5faa1a042c325540b1e849
SHA512: b24583c77f14e5674535fca556c7cfc833473bdae1e3d7c5c98d3650063a45f5765aac95823bdeb69a5157167a82a7334ede38609c743885625f3eb731d6b70c
-
Filesize: 3KB
MD5: 84ff254aa61432ce17f99bca481d7036
SHA1: 07bce877cda84b42ccd0702e6a8c2009f2b42ba2
SHA256: 890f0867556f6aa6738e913d226f9f752f06a935ac60ea2709effc82135ed367
SHA512: c3ebe187f39f9b61e616c934d08c6a0c5d7127d0798354adbfac8c37959a745129e6a28414edb2c6f6fe4faaf6c45caa2c8be2bdf6da147da04498d711debe9d
-
Filesize: 64KB
MD5: fcd6bcb56c1689fcef28b57c22475bad
SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512: 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
Filesize: 4KB
MD5: 609dea5781101ca34d4a1163d9da9b84
SHA1: 7dabd0971d079e4299280392ac3de7fc31376640
SHA256: 270732fd46fc4e87fe8f632c748b9d16aef814c3e15b815b638d6daa6d260cab
SHA512: 32e0a4c256100822dbfcd1ec254e65b269ffcd3744060c3cf0863bf2db0964fa76f84f465d4ff9ea2830ecae0e158d9147b60f0de3b93d9022afbbfd14dc7ac0