Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 06:27

General

  • Target

    2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe

  • Size

    142KB

  • MD5

    9e28725a40faab491e96a80d5c258c31

  • SHA1

    2cc8ca797c6c731f0266a27176d71697e097824b

  • SHA256

    0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e

  • SHA512

    5448cdb27bc354091bb25a5cb3d17e71cad8ec2825069b177b3cddec8887e6118dc614eed41c24f948bd39751903f79e66939ae3081f175355cc2bb0d054ec29

  • SSDEEP

    3072:uA5ohBykv/QGvx4TOPu5XH4KoUu2JsaO0xiQhzNHaGVV:DojR/QY4CP434KrtOiJHFVV

Malware Config

Extracted

Path

F:\INC-README.txt

Family

inc_ransom

Ransom Note
Inc. Ransomware We have hacked you and downloaded all confidential data of your company and its clients. It can be spread out to people and media. Your reputation will be ruined. Do not hesitate and save your business. Please, contact us via: http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/ Your personal ID: 938BFE0F7AD109ED We're the ones who can quickly recover your systems with no losses. Do not try to devalue our tool - nothing will come of it. Starting from now, you have 72 hours to contact us if you don't want your sensitive data being published in our blog: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ You should be informed, in our business reputation - is a basic condition of the success. Inc provides a deal. After successfull negotiations you will be provided: 1. Decryption assistance; 2. Initial access; 3. How to secure your network; 4. Evidence of deletion of internal documents; 5. Guarantees not to attack you in the future. Instruction how to get to chat page: 1. Download TOR Browser from official website (https://www.torproject.org/download/); 2. Install TOR Browser and open it; 3. Copy chat link and press enter; 4. On the page you will need to register your account using your personal ID; 5. Use this ID and your password to get chat page again.
URLs

http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Signatures

  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

  • Inc_ransom family
  • Renames multiple (305) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:2956
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5860
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:6016
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{140D9C2F-B11A-4A08-BE7D-499DC98015B8}.xps" 133768168532640000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

      Filesize

      64KB

      MD5

      fcd6bcb56c1689fcef28b57c22475bad

      SHA1

      1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

      SHA256

      de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

      SHA512

      73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

    • C:\Users\Admin\AppData\Local\Temp\{F7A89ED0-441D-4EE8-974D-47A3E1FD6AC9}

      Filesize

      4KB

      MD5

      65afb7437614a7aa029fa0afcbce0752

      SHA1

      25a7eddb4f4120b722231048c0955a3e7bf2ef18

      SHA256

      ee505ca773967f431705ccf3c715696034e54bbd971f99d65049c7ba1170848d

      SHA512

      400ad0d420e480de9e4122bdfbca1219e245cb499a8d406a72e0ca04a94ed252d0cc1500d02639ca1ba2c7eae55ea83eb4fed522ab28216d6df042e2f8a3d0ec

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      286518748daaf41b392cd2edc336cf51

      SHA1

      2e3b141f3934028493ac727b2bf998e5e33e4251

      SHA256

      399392bd02085f27db2bd9a88b0496cb5ed0f9713630f8cdce00663dd35cf5c3

      SHA512

      df132a7436c64769ebccff44d7cc2f0a3d9da22b17175e35fea4b72392bf42560c35448e63e57fcb32e9cd2c51e9515799dbbe36eabf4a82d480d9108725169d

    • F:\INC-README.html

      Filesize

      1KB

      MD5

      85b81261146c08f4d472d18edc33c3b6

      SHA1

      7eb932f20e9c03fc8d77007f2651cbf5aad888a4

      SHA256

      265a0f64e8f11bbb397f0f02d035ac172a5ef02e38fdb864913a540ad9ad60b3

      SHA512

      b8d76760065743b3ef754c6b630300e091282207048a91a2b57577d9ed6e110640946e3bc099e7777ddcefa463d718908a630e9468447c3ca1f2c57e213bdff3

    • F:\INC-README.txt

      Filesize

      1KB

      MD5

      bcbfa1399779f0779b61dd8169d2393d

      SHA1

      424013a1f7830b13065817c5c865a2101709be92

      SHA256

      cad9dde04935dfe6517c61ea55a40365c5f65062c4305508989a10a5c90ac03d

      SHA512

      fd7d0721e44d0f2f5c983406b3d4b1705d2c99b44cd5fee4c46cc9950ff05fa7c985bcee882d3852038f2e3a815ed34739e66cd80418e06634e37074f8e4acdf

    • memory/3364-1465-0x00007FFB44A10000-0x00007FFB44A20000-memory.dmp

      Filesize

      64KB

    • memory/3364-1466-0x00007FFB44A10000-0x00007FFB44A20000-memory.dmp

      Filesize

      64KB

    • memory/3364-1464-0x00007FFB44A10000-0x00007FFB44A20000-memory.dmp

      Filesize

      64KB

    • memory/3364-1467-0x00007FFB42650000-0x00007FFB42660000-memory.dmp

      Filesize

      64KB

    • memory/3364-1468-0x00007FFB42650000-0x00007FFB42660000-memory.dmp

      Filesize

      64KB

    • memory/3364-1463-0x00007FFB44A10000-0x00007FFB44A20000-memory.dmp

      Filesize

      64KB

    • memory/3364-1462-0x00007FFB44A10000-0x00007FFB44A20000-memory.dmp

      Filesize

      64KB