Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 21:16
Static task: static1
Behavioral task: behavioral1
Sample: 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
Resource: win10v2004-20241007-en
General
Target: 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
Size: 161KB
MD5: 2cd3dac4b0d7eadb7746246ea86575fa
SHA1: a330bb81a31061b5b06d8610b828b2e5921fd03b
SHA256: 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d
SHA512: 28b27fd7d691f01dd5ac14797f56b93f0850dcfd6f8bc8f5ae024bac941bd1be2a7480fb55e79a3968f884495d31dfaf647244099973734b7873c9d444d02d87
SSDEEP: 3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvkaEkZSc5:bYjHiqrrTDWUc5
Malware Config
Extracted
C:\ProgramData\Adobe\INC-README.txt
inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Extracted
C:\ProgramData\Adobe\INC-README.html
https://twitter.com/hashtag/incransom?f=live
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (276) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\M: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\R: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\Y: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\A: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\G: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\N: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\O: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\Q: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\S: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\X: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\Z: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\F: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\B: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\E: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\I: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\J: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\U: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\W: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\K: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\L: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\P: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\T: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File opened (read-only) | \??\V: | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
File created | C:\Windows\system32\spool\PRINTERS\PP2ozki9ker7rjec_7_aely0gbc.TMP | printfilterpipelinesvc.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
6056 | ONENOTE.EXE
6056 | ONENOTE.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1384 | 9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
(all 64 entries in this signature are this same row, repeated)
-
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
6056 | ONENOTE.EXE
(all 13 entries in this signature are this same row, repeated)
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 5912 wrote to memory of 6056 | 5912 | printfilterpipelinesvc.exe | 101
PID 5912 wrote to memory of 6056 | 5912 | printfilterpipelinesvc.exe | 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe
"C:\Users\Admin\AppData\Local\Temp\9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d.exe" 1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc 1⤵
PID:5796
-
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding 1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5912 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{348ED536-31D8-4BC6-9D5D-1A62148714E1}.xps" 133767838349710000 2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6056
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
8KB
MD5: c440fd185cec6776938878e19c0b2cdf
SHA1: d7f2d2429deb3a97fd1ca5d67871a3fdba737f00
SHA256: faaae528ebd137d41ecf83d24bc08f893ce3d9a5b21f4083a6c91ce25a66d7a7
SHA512: 5f10808fa21eac7d6d7c44a5f8efd1daea11834c6ba1b8105de5b3df00ace1c42aaf6cd7c744ecd1106d7feeb3108d744ea64be65c9bfabf25af1195103af920
-
Filesize
3KB
MD5: 84a0b17fb7a7b47a9f19d0ee9f07650d
SHA1: 1534ffe74f0d031db744dd37644b0e5e050de66a
SHA256: d6da5f92f160671f81c3671e516c23193ac9f8e31e72f73ffa16291d6ff5b4b4
SHA512: a82abf03d16d6a17fb33d70bca7f07ff9bc9fc45fdbc9738d097d732c6894749b453b699c75fead14e5e001660fbcb96cc4fb8282a0deca40e4d24a9077a7a78
-
Filesize
4KB
MD5: b5383e24e22c0100aca2c420a4c698dc
SHA1: 87e9ff03584c30edff43130f58993a25d5528624
SHA256: e4a57a5c2284ea0df1ff9008d68b457aeab10f4f4040e94bd0bc76dd97541718
SHA512: c8bb21a333712189c9f0f2da49346fb60afc2e056c396bf34ca816b9cceac4df5e46962c1a8f4b0440aedd5bbd2136c2ca5376d809b07603cbacc3eacf6fd3e7