Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 06:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe
-
Size
142KB
-
MD5
9e28725a40faab491e96a80d5c258c31
-
SHA1
2cc8ca797c6c731f0266a27176d71697e097824b
-
SHA256
0e3f849e351cea99f9979889fc4d3700c710573a215805329eb097c533d87c3e
-
SHA512
5448cdb27bc354091bb25a5cb3d17e71cad8ec2825069b177b3cddec8887e6118dc614eed41c24f948bd39751903f79e66939ae3081f175355cc2bb0d054ec29
-
SSDEEP
3072:uA5ohBykv/QGvx4TOPu5XH4KoUu2JsaO0xiQhzNHaGVV:DojR/QY4CP434KrtOiJHFVV
Malware Config
Extracted
F:\INC-README.txt
inc_ransom
http://incpaysp74dphcbjyvg2eepxnl3tkgt5mq5vd4tnjusoissz342bdnad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Signatures
-
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
-
Inc_ransom family
-
Renames multiple (305) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\N: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\P: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\S: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\V: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\W: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\F: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\E: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\Z: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\T: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\M: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\Q: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\G: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\O: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\H: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\I: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\J: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\L: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\R: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\U: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\A: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\B: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\X: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File opened (read-only) \??\Y: 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File created C:\Windows\system32\spool\PRINTERS\00003.SPL 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe File created C:\Windows\system32\spool\PRINTERS\PPhrh68bpn5myym30usfbdfkvde.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3364 ONENOTE.EXE 3364 ONENOTE.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE 3364 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 6016 wrote to memory of 3364 6016 printfilterpipelinesvc.exe 100 PID 6016 wrote to memory of 3364 6016 printfilterpipelinesvc.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-23_9e28725a40faab491e96a80d5c258c31_inc_luca-stealer.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:5860
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:6016 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{140D9C2F-B11A-4A08-BE7D-499DC98015B8}.xps" 1337681685326400002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3364
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5fcd6bcb56c1689fcef28b57c22475bad
SHA11adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA51273e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
Filesize
4KB
MD565afb7437614a7aa029fa0afcbce0752
SHA125a7eddb4f4120b722231048c0955a3e7bf2ef18
SHA256ee505ca773967f431705ccf3c715696034e54bbd971f99d65049c7ba1170848d
SHA512400ad0d420e480de9e4122bdfbca1219e245cb499a8d406a72e0ca04a94ed252d0cc1500d02639ca1ba2c7eae55ea83eb4fed522ab28216d6df042e2f8a3d0ec
-
Filesize
4KB
MD5286518748daaf41b392cd2edc336cf51
SHA12e3b141f3934028493ac727b2bf998e5e33e4251
SHA256399392bd02085f27db2bd9a88b0496cb5ed0f9713630f8cdce00663dd35cf5c3
SHA512df132a7436c64769ebccff44d7cc2f0a3d9da22b17175e35fea4b72392bf42560c35448e63e57fcb32e9cd2c51e9515799dbbe36eabf4a82d480d9108725169d
-
Filesize
1KB
MD585b81261146c08f4d472d18edc33c3b6
SHA17eb932f20e9c03fc8d77007f2651cbf5aad888a4
SHA256265a0f64e8f11bbb397f0f02d035ac172a5ef02e38fdb864913a540ad9ad60b3
SHA512b8d76760065743b3ef754c6b630300e091282207048a91a2b57577d9ed6e110640946e3bc099e7777ddcefa463d718908a630e9468447c3ca1f2c57e213bdff3
-
Filesize
1KB
MD5bcbfa1399779f0779b61dd8169d2393d
SHA1424013a1f7830b13065817c5c865a2101709be92
SHA256cad9dde04935dfe6517c61ea55a40365c5f65062c4305508989a10a5c90ac03d
SHA512fd7d0721e44d0f2f5c983406b3d4b1705d2c99b44cd5fee4c46cc9950ff05fa7c985bcee882d3852038f2e3a815ed34739e66cd80418e06634e37074f8e4acdf