Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/12/2024, 07:02 (10 December 2024; the sample name carries the same date)
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe
  Resource: win10v2004-20241007-en

The signatures and process tree below are from behavioral2 (win10v2004-20241007-en), matching the platform and resource fields above.
General

Target: 2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe
Size: 161KB
MD5: 41a23093a50d8b9d897b03ba957695e9
SHA1: 3276b8c9e8dd9c37e80120c6268dcf0191ae1349
SHA256: abaa2cc0895b34d3a3e0872a4a7a63d49de8ae654c4db961918d10a5163d186f
SHA512: 14e0b378f087d7f16d79883885ede9f3b345dd03871aa94d3f8b4ea241190b8c2bbfcde76c911c70e8a2d8563605e218b43fc0631c0d63342ee519b659a9e243
SSDEEP: 3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvXaEkZSc5:bYjHiqrrT8WUc5
Malware Config

Extracted from C:\ProgramData\Adobe\Setup\INC-README.html
  https://twitter.com/hashtag/incransom?f=live

Extracted from F:\INC-README.txt
  Family: inc_ransom
  http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
  http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
  http://incapt.su/
  https://twitter.com/hashtag/incransom?f=live
  http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

The note was dropped both under C:\ProgramData and at the root of a non-system drive (F:), consistent with the drive enumeration recorded below. Only the .txt copy yielded the .onion contact URLs; the HTML copy yielded just the Twitter hashtag link.
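The .onion contact addresses above are the indicators most worth carrying forward, and a Tor v3 address carries its own integrity check. The following is an added example for this report, not tria.ge's or the ransomware's code: it pulls URLs out of note text, then validates each .onion hostname structurally (56 base32 characters, version byte 3, and the SHA3-256 checksum defined in rend-spec-v3). The note body is constructed for the example; only the URLs in it come from the extracted config above.

```python
"""Extract URLs from a ransom note and validate Tor v3 .onion hostnames.

Added example for this report, not tria.ge or INC Ransom code. NOTE below is
constructed; only the URLs in it come from the F:\\INC-README.txt config.
"""
import base64
import binascii
import hashlib
import re

# Constructed note body: filler lines plus the URLs the report extracted
# (one repeated, to show de-duplication).
NOTE = """\
-- constructed filler text --
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
-- constructed filler text --
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(?:/[^\s<>\"']*)?")


def extract_hosts(text):
    """Hostnames in order of first appearance, lower-cased and de-duplicated."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower().rstrip(".")
        if host not in hosts:
            hosts.append(host)
    return hosts


def check_onion_v3(host):
    """Classify a hostname against the Tor v3 onion address format.

    rend-spec-v3: onion_address = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
                  CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03
    Returns one of: not-onion, bad-length, bad-base32, bad-version, bad-checksum, ok.
    """
    if not host.endswith(".onion"):
        return "not-onion"
    label = host[: -len(".onion")].rsplit(".", 1)[-1]  # drop any subdomain labels
    if len(label) != 56:  # 56 base32 chars = 280 bits = 35 bytes, no padding
        return "bad-length"
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return "bad-base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":  # version 3 also forces the last base32 char to be 'd'
        return "bad-version"
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return "ok" if checksum == expected else "bad-checksum"


def triage_note(text):
    """Map every host in the note to its classification."""
    return {host: check_onion_v3(host) for host in extract_hosts(text)}


if __name__ == "__main__":
    for host, verdict in triage_note(NOTE).items():
        print(f"{verdict:13s} {host}")
```

A hostname that fails bad-length or bad-checksum is either a typo in the note or an extraction error, and should not be pushed to a blocklist as-is; clearnet hosts such as incapt.su come back as not-onion and need ordinary DNS/WHOIS handling instead.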
Signatures

INC Ransomware
  INC Ransom is a ransomware family that emerged in July 2023.

Inc_ransom family

Renames multiple (294) files with added filename extension
  This suggests ransomware activity: files across the system are encrypted and an extension is appended to each name.

Credentials from Password Stores: Windows Credential Manager (1 TTP)
  Suspicious access to Credentials History.

Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process for every row: 2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe (PID 1208 in the process tree).

  description              ioc
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\X:
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\Q:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\A:
  File opened (read-only)  \??\B:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\F:
  File opened (read-only)  \??\Y:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\S:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\P:

  The 24 letters are every drive letter except C: and D:. A full A: to Z: sweep by one user-mode process is the detection point here; the root of F: is where the second ransom note (F:\INC-README.txt) was written.
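The 24 drive-root opens above arrive as two very long lines; what an analyst wants from them is the parsed set of letters per process and a threshold that turns the sweep into a detection. The following is an added example, not tria.ge code: it parses rows in the report's "File opened (read-only) \??\X: process" format, then flags any process that probes more than a handful of distinct drive roots. The input is the report's 24 rows re-joined onto one line, plus two constructed benign rows for explorer.exe; the threshold of 8 is the example's choice.

```python
"""Parse flattened 'Enumerates connected drives' IoC rows and flag a drive sweep.

Added example for this report, not tria.ge code. IOC_TEXT holds the report's 24
rows for the sample (same letters, same order) plus two constructed explorer.exe
rows as benign noise.
"""
import re
from collections import defaultdict

SAMPLE = "2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe"
ALL_LETTERS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Letters exactly as the report lists them.
REPORTED_ORDER = "M X L G K Q R U V A B E H I J N O F Y Z S T W P".split()

IOC_TEXT = " ".join(
    f"File opened (read-only) \\??\\{letter}: {SAMPLE}" for letter in REPORTED_ORDER
) + (
    # constructed benign rows: the shell opening the system drive and one more
    " File opened (read-only) \\??\\C: explorer.exe"
    " File opened (read-only) \\??\\D: explorer.exe"
)

ROW_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")


def parse_rows(text):
    """(drive_letter, process) tuples from the flattened IoC table."""
    return [(m.group(1), m.group(2)) for m in ROW_RE.finditer(text)]


def drives_by_process(rows):
    """Set of distinct drive letters opened by each process."""
    seen = defaultdict(set)
    for letter, process in rows:
        seen[process].add(letter)
    return seen


def missing_letters(letters):
    """Letters of the alphabet that were not probed."""
    return sorted(ALL_LETTERS - set(letters))


def flag_drive_sweep(rows, threshold=8, ignore=frozenset({"C"})):
    """Processes that opened at least `threshold` distinct drive roots.

    The system drive is opened by everything, so it is excluded before counting.
    The threshold is this example's assumption: ordinary software touches the
    drives that exist, an encryptor probes the alphabet.
    """
    hits = {}
    for process, letters in drives_by_process(rows).items():
        probed = letters - ignore
        if len(probed) >= threshold:
            hits[process] = sorted(probed)
    return hits


if __name__ == "__main__":
    rows = parse_rows(IOC_TEXT)
    for process, letters in drives_by_process(rows).items():
        print(f"{process}: {len(letters)} drives, missing {missing_letters(letters)}")
    print("flagged:", list(flag_drive_sweep(rows)))
```

The same grouping works on live telemetry (Sysmon Event ID 11 targets, or EDR file-open events keyed by process GUID) once the rows are produced by a log parser instead of the regex over the report text.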
Drops file in System32 directory (3 IoCs)
  description   ioc                                                                  Process
  File created  C:\Windows\system32\spool\PRINTERS\PP1wk2e6wvi8xso6tdm8gswpq0c.TMP   printfilterpipelinesvc.exe
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL                         2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe
  File created  C:\Windows\system32\spool\PRINTERS\00003.SPL                         2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe

  The two .SPL spool files written by the sample are print jobs. Read together with the process tree (printfilterpipelinesvc.exe launching ONENOTE.EXE /insertdoc on an .xps file), this is the sandbox's print path delivering those jobs, consistent with a Send to OneNote default printer. Every ONENOTE.EXE signature below (processor and BIOS registry reads, EnumeratesProcesses, SetWindowsHookEx) is OneNote's own start-up behaviour and should not be attributed to the sample.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg"
  Process: 2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here the reader is ONENOTE.EXE, not the sample.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Process for all rows: ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Process for all rows: ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  5356  ONENOTE.EXE  (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeTakeOwnershipPrivilege  pid 1208  2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe  (64 identical entries)
  SeTakeOwnershipPrivilege lets the holder take ownership of objects it otherwise could not write. Enabling it repeatedly, alongside the 294 renames above, fits an encryptor that needs to overwrite files it does not own.

Suspicious use of SetWindowsHookEx (13 IoCs)
  pid   Process
  5356  ONENOTE.EXE  (13 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
  description                        pid   Process                      procid_target
  PID 5216 wrote to memory of 5356   5216  printfilterpipelinesvc.exe   92
  (2 identical entries; 5356 is ONENOTE.EXE, the print pipeline's own child)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-10_41a23093a50d8b9d897b03ba957695e9_inc_luca-stealer.exe"
  PID: 1208
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 6100

C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 5216
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE  (child of PID 5216)
      Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F73489A8-1585-43B7-89F6-BE3195E3BAB2}.xps" 133782877603880000
      PID: 5356
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

The three print-stack processes (svchost PrintWorkflow, printfilterpipelinesvc.exe and its ONENOTE.EXE child) are top-level entries, not children of the sample: they are the system handling the print jobs the sample submitted (the two .SPL files in the signatures above).
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8KB
MD5: 139a66019e81d4ebf9b52dab674d314a
SHA1: d9d39de05487437423474b9d2b0fd49eea76ed8f
SHA256: 3df9f143398217aaab29fefba63c4efeea8e5e16becc976b3b4d759c523a7bb8
SHA512: 5294e895ab92983f6e6b9de7518347ae68b5215e085e0f05bd9790b1cc7f49649f136e886bacebdc7d50b44a2e170212fc15fb6f220f4e4c8ef69d012e75d88c

Filesize: 64KB
MD5: fcd6bcb56c1689fcef28b57c22475bad
SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512: 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Filesize: 4KB
MD5: 1dba0c90cd4711c152aaef3e9067a6fa
SHA1: 72a5565f4c5ef8da69d8a2a92173d987db203064
SHA256: 57c378a82aee6df31651adac73f644edeabb2d47866ff2aa371657fb7e5f9c9a
SHA512: f22a1fd2b5ccd3994e6b98cd3b21df235e85f3281cdc5455b9d64afa2e592649977013940cbbc18ee3f12d90398410365920be2163b4f8340e4a8b8bcad11c20

Filesize: 3KB
MD5: c247320bfb70ec6c7298db3f37542c6b
SHA1: 21263186f6997cd7e69b52b4419e6074bd0b4c4c
SHA256: 04d6a6b4a197cfedb21472d3fe07cd78bbbcfda4fe562e544b5c0e1986093307
SHA512: bb60a09c6bbcd83eb6933f00d404a09f85429ecf3b5556a6c1bab7ee5066685a926319fc53d6b02cc44842b814a513d77c5fe82070ed4f90d89c327237e6b3a9
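The four files above are identified only by size and digest. Before any of them goes onto a blocklist it is worth checking whether it is a placeholder rather than content: an all-zero buffer has a fixed digest for each size, and spool and print-pipeline temporaries are often exactly that. The following is an added example, not tria.ge code: it takes the report's entries, regenerates the MD5/SHA1/SHA256 of a zero-filled buffer of the listed size, and reports which entries match. It assumes the sandbox's "KB" means KiB (64KB = 65536 bytes).

```python
"""Tell zero-filled placeholder files from real dropped content using only the
size and digests a sandbox report prints.

Added example for this report, not tria.ge code. REPORTED is copied from the
Downloads section; the KB-means-KiB reading is this example's assumption.
"""
import hashlib

REPORTED = [
    {"size": "8KB",
     "md5": "139a66019e81d4ebf9b52dab674d314a",
     "sha1": "d9d39de05487437423474b9d2b0fd49eea76ed8f",
     "sha256": "3df9f143398217aaab29fefba63c4efeea8e5e16becc976b3b4d759c523a7bb8"},
    {"size": "64KB",
     "md5": "fcd6bcb56c1689fcef28b57c22475bad",
     "sha1": "1adc95bebe9eea8c112d40cd04ab7a8d75c4f961",
     "sha256": "de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31"},
    {"size": "4KB",
     "md5": "1dba0c90cd4711c152aaef3e9067a6fa",
     "sha1": "72a5565f4c5ef8da69d8a2a92173d987db203064",
     "sha256": "57c378a82aee6df31651adac73f644edeabb2d47866ff2aa371657fb7e5f9c9a"},
    {"size": "3KB",
     "md5": "c247320bfb70ec6c7298db3f37542c6b",
     "sha1": "21263186f6997cd7e69b52b4419e6074bd0b4c4c",
     "sha256": "04d6a6b4a197cfedb21472d3fe07cd78bbbcfda4fe562e544b5c0e1986093307"},
]

ALGOS = ("md5", "sha1", "sha256")


def parse_size(size):
    """'64KB' -> 65536. Assumption: the report's KB is KiB."""
    if not size.endswith("KB"):
        raise ValueError(f"unexpected size format: {size!r}")
    return int(size[:-2]) * 1024


def zero_buffer_digests(n):
    """Digests of n zero bytes, one per algorithm in ALGOS."""
    buf = bytes(n)
    return {algo: hashlib.new(algo, buf).hexdigest() for algo in ALGOS}


def is_zero_filled(entry):
    """True when every reported digest equals the zero-buffer digest for that size.

    All algorithms present must agree; one matching digest alone is not evidence.
    """
    expected = zero_buffer_digests(parse_size(entry["size"]))
    return all(entry[algo] == expected[algo] for algo in ALGOS if algo in entry)


def triage(entries):
    """sha256 -> 'zero-filled' or 'content' for each reported file."""
    return {e["sha256"]: ("zero-filled" if is_zero_filled(e) else "content") for e in entries}


if __name__ == "__main__":
    for digest, verdict in triage(REPORTED).items():
        print(verdict, digest)
```

The 64KB entry's digests are those of 65536 null bytes, so that hash set identifies nothing about this sample and would only generate noise as an indicator; the other three files carry content and are worth retaining.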