Analysis
-
max time kernel
44s -
max time network
45s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 21:31
Errors
Reason
Machine shutdown
General
-
Target
9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
-
Size
161KB
-
MD5
2cd3dac4b0d7eadb7746246ea86575fa
-
SHA1
a330bb81a31061b5b06d8610b828b2e5921fd03b
-
SHA256
9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d
-
SHA512
28b27fd7d691f01dd5ac14797f56b93f0850dcfd6f8bc8f5ae024bac941bd1be2a7480fb55e79a3968f884495d31dfaf647244099973734b7873c9d444d02d87
-
SSDEEP
3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvkaEkZSc5:bYjHiqrrTDWUc5
Score
10/10
Malware Config
Extracted
Path
F:\INC-README.txt
Family
inc_ransom
Ransom Note
~~~~ INC Ransom ~~~~
-----> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites.
The sooner you pay the ransom, the sooner your company will be safe.
Tor Browser Link:
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Link for normal browser:
http://incapt.su/
-----> What guarantees are that we won't fool you?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.
After you pay the ransom, you will quickly restore your systems and make even more money.
Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.
Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.
If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.
You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live
-----> You need to contact us on TOR darknet sites with your personal ID
Download and install Tor Browser https://www.torproject.org/
Write to the chat room and wait for an answer, we'll guarantee a response from you.
Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.
Tor Browser Link for chat:
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Your personal ID:
664425e7b24e38251bc125c7
-----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!
-----> Don't go to the police or the FBI for help. They won't help you.
The police will try to prohibit you from paying the ransom in any way.
The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.
This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.
Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.
The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.
If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.
The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.
The police and FBI won't protect you from repeated attacks.
-----> Don't go to recovery companies!
They are essentially just middlemen who will make money off you and cheat you.
We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.
If you approached us directly without intermediaries you would pay several times less.
-----> For those who have cyber insurance against ransomware attacks.
Insurance companies require you to keep your insurance information secret.
In most cases, we find this information and download it.
-----> If you do not pay the ransom, we will attack your company again in the future.
URLs
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Extracted
Path
F:\INC-README.html
Ransom Note
<html>
<head>
<title>INC Ransom</title>
</head>
<body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;">
<div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;">
<div style="width: 80%;">
<div style="display: flex; flex-direction: column;">
<span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
<span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span>
<span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span>
<span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span>
<span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span>
<span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span>
<span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span>
<span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span>
<span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span>
<span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">Your personal ID: </span>
<span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">664425e7b24e38251bc125c7</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">Don't go to recovery companies!</span>
<span style="font-size: 14px; margin-top: 8px;">They are essentially just middlemen who will make money off you and cheat you.</span>
<span style="font-size: 14px; margin-top: 8px;">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span>
<span style="font-size: 14px; margin-top: 8px;">If you approached us directly without intermediaries you would pay several times less.</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">For those who have cyber insurance against ransomware attacks.</span>
<span style="font-size: 14px; margin-top: 8px;">Insurance companies require you to keep your insurance information secret.</span>
<span style="font-size: 14px; margin-top: 8px;">In most cases, we find this information and download it.</span>
</div>
</div>
<div style="width: 80%;">
<div style="display: flex; flex-direction: column;">
<span style="font-size: 20px; font-weight: 600;">What guarantees are that we won't fool you?</span>
<span style="font-size: 14px; margin-top: 8px;">We are not a politically motivated group and we want nothing more than money.</span>
<span style="font-size: 14px; margin-top: 8px;">If you pay, we will provide you with decryption software and destroy the stolen data.</span>
<span style="font-size: 14px; margin-top: 8px;">After you pay the ransom, you will quickly restore your systems and make even more money.</span>
<span style="font-size: 14px; margin-top: 8px;">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span>
<span style="font-size: 14px; margin-top: 8px;">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span>
<span style="font-size: 14px; margin-top: 8px;">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span>
<span style="font-size: 14px; margin-top: 8px;">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">Don't go to the police or the FBI for help. They won't help you.</span>
<span style="font-size: 14px; margin-top: 8px;">The police will try to prohibit you from paying the ransom in any way.</span>
<span style="font-size: 14px; margin-top: 8px;">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span>
<span style="font-size: 14px; margin-top: 8px;">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span>
<span style="font-size: 14px; margin-top: 8px;">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span>
<span style="font-size: 14px; margin-top: 8px;">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span>
<span style="font-size: 14px; margin-top: 8px;">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span>
<span style="font-size: 14px; margin-top: 8px;">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span>
<span style="font-size: 14px; margin-top: 8px;">The police and FBI won't protect you from repeated attacks.</span>
</div>
<div style="display: flex; flex-direction: column; margin-top: 16px;">
<span style="font-size: 20px; font-weight: 600;">If you do not pay the ransom, we will attack your company again in the future.</span>
</div>
</div>
</div>
</body>
</html>
URLs
https://twitter.com/hashtag/incransom?f=live</span>
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (329) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 3 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe"C:\Users\Admin\AppData\Local\Temp\9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3BAB295A-F61F-4C9F-B5EB-6FC1D7CBE1BB}.xps" 1337678472760100002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3941055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4KB
MD5056684bb07f9da6663a9251834e5ec34
SHA149f702d6883c2e18f90b5f9e9159c999f09349b6
SHA25678d4922ea13d4e27d75f489eaa3aa22814ad905af012f2a9e047b060384b5732
SHA512931c5774e7fa5b6fb180c71e5fe0db0d63c023e35041c90733f9380f74e8ea2b144d92c63363f3a4bbde9f10754ea3bebd9563ee95787a57004b87020bdafd3f
-
Filesize
4KB
MD5f9ff5b5d5ba3f8c0175dbbf136a26574
SHA1fe6f417ff16e4605b2f7c96ee9e0772dd763cbc1
SHA256a5207a7de8e05940f5b964075494c52e87f0ffca2ad7c5462ca73c42cd63c5e9
SHA512635a2dc504f2d3d97b9c64d28406b3afa6c6798c3109a51c9289627d45d5385a336602e8d1621de0a5392ab5a8dbe6d818e02be636424be2af136dfb67c86a70
-
Filesize
8KB
MD5c440fd185cec6776938878e19c0b2cdf
SHA1d7f2d2429deb3a97fd1ca5d67871a3fdba737f00
SHA256faaae528ebd137d41ecf83d24bc08f893ce3d9a5b21f4083a6c91ce25a66d7a7
SHA5125f10808fa21eac7d6d7c44a5f8efd1daea11834c6ba1b8105de5b3df00ace1c42aaf6cd7c744ecd1106d7feeb3108d744ea64be65c9bfabf25af1195103af920
-
Filesize
3KB
MD584a0b17fb7a7b47a9f19d0ee9f07650d
SHA11534ffe74f0d031db744dd37644b0e5e050de66a
SHA256d6da5f92f160671f81c3671e516c23193ac9f8e31e72f73ffa16291d6ff5b4b4
SHA512a82abf03d16d6a17fb33d70bca7f07ff9bc9fc45fdbc9738d097d732c6894749b453b699c75fead14e5e001660fbcb96cc4fb8282a0deca40e4d24a9077a7a78
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB