Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 17:27
Static task
static1
Behavioral task
behavioral1
Sample
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe
Resource
win10v2004-20241007-en
General
-
Target
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe
-
Size
161KB
-
MD5
14889a7e231c4884f28aefd592e61398
-
SHA1
002ee090f71fce5363ba5d2036fae288e7b03aab
-
SHA256
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090
-
SHA512
04b3437c09ba328e0e0697f969c613beefd4eec6c70c7bb9e0b5b7a6bb5d3303360d1d7b471d9307efd2ad60dcd078276b35546d5207939485c77c2d87a648e2
-
SSDEEP
3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuv4aEkZSc5:bYjHiqrrTnWUc5
Malware Config
Extracted
C:\ProgramData\Adobe\Setup\INC-README.html
https://twitter.com/hashtag/incransom?f=live</span>
Extracted
C:\ProgramData\Adobe\Setup\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exedescription ioc process File opened (read-only) \??\Z: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\A: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\B: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\I: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\L: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\T: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\W: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\V: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\Y: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\F: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\J: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\O: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\P: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\Q: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\S: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\E: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\X: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\U: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\G: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\H: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\K: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\M: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\N: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File opened (read-only) \??\R: c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe -
Drops file in System32 directory 3 IoCs
Processes:
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exeprintfilterpipelinesvc.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\00002.SPL c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File created C:\Windows\system32\spool\PRINTERS\00003.SPL c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe File created C:\Windows\system32\spool\PRINTERS\PP9kx2p6dx8ljh1pfv709ws6my.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ONENOTE.EXEpid process 5472 ONENOTE.EXE 5472 ONENOTE.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exedescription pid process Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe Token: SeTakeOwnershipPrivilege 2732 c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid process 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE 5472 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
printfilterpipelinesvc.exedescription pid process target process PID 5268 wrote to memory of 5472 5268 printfilterpipelinesvc.exe ONENOTE.EXE PID 5268 wrote to memory of 5472 5268 printfilterpipelinesvc.exe ONENOTE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe"C:\Users\Admin\AppData\Local\Temp\c600e439da89f5ee5bbf5b7e3672b6165ded49dd748f06892647930e64783090.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:6120
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5268 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9463C7F5-81E2-4B8C-861E-AD9CF8CFDBFC}.xps" 1337677006214000002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5472
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5498f0989511dd5bb1c18ef64cc2efc71
SHA1186b7ec10cd98d449b6dc89d0a943349f927e696
SHA256ff18b423865ef9d2ffc3670d7d23c6c127e887e0bc75ad59e557944634497324
SHA5129345c1695e0018b0aa6ea1764b860bd1abd828edc3ad2eb6fcd0939f0633b89f94f1667bbc041937b1d9082358ce3b51cebb9626b8bd40924b50741402101f33
-
Filesize
3KB
MD53d226c5f42d41a2da38bd29d5d007cf2
SHA1a1ce273185f889fba831f0a4a5f04e8727b4976a
SHA256287ef4614fc3d09d9d39735e57ae8d3fb55c7b22de1b83364b5f62a9e3f1a5ee
SHA512e72f075eb9418a6f7b53d7fc827ac8eca138ecf4c2ac863db85b91fed0213672d0be48e96c50b2c8703445ac6da0a2bb02ff3ff33a936eb9f3d0456f2a993972
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
MD5fcd6bcb56c1689fcef28b57c22475bad
SHA11adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA51273e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
Filesize
4KB
MD5d979b7254f9207493234d3f1b3a1878e
SHA17edb71dedb7b48e1d3a9eb80ba4d80ee80abe973
SHA256db419a2c36cb4d2073e9dfbbf8d7653a9f4cc6e12843a8ca277f3d9975591a0f
SHA5124d498a95cf1ebca0f28bf505c0febf13927762cf462079cb2b9dd48ec1c50026070e8b3b697291eb25caf33378d29207cb2c18b18d6facd442fb9ea9d4679228
-
Filesize
4KB
MD5b1a9598e6241f1f979ca6f3bfb05093e
SHA185eab4e6b5bfe57b090b8b6d91f2355cbd8538f7
SHA256705234727fb3dc3aeb997cfa22308ab84ef534acc4f41c80ebcec98823a07ad5
SHA51252c690a2a9eab3e26a5df930cd68877fdf7d975f3ba1392e4fda551e7725d89032bb68b58f8fb9ece8c1bace225b0c60e11f3572a1be2f08bebff67776148cc5