Analysis
max time kernel: 129s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2025, 14:36
Static task: static1
Behavioral task: behavioral1
Sample: windows.exe
Resource: win10v2004-20241007-en
General
Target: windows.exe
Size: 161KB
MD5: 38eca0067e68a296b6142cdc9f43f5a5
SHA1: e58763611a199e785a7a492be9f6ec7628ded535
SHA256: cb320d0c18a399f8473b69c0e472180a0aa21b3936bdcc5fc290620412265c61
SHA512: 5146219e6b82751d32250d1ac995055de0ab99fc9ee70e47d973a248b30ac47270faf8901b94ef3151d724ba6834fab963a9bd6d6243b891274e0c4d769271ed
SSDEEP: 3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvdaEkZSc5:bYjHiqrrTeWUc5
Malware Config
Extracted from: C:\ProgramData\Adobe\INC-README.html
https://twitter.com/hashtag/incransom?f=live
Extracted from: C:\ProgramData\Adobe\INC-README.txt
Family: inc_ransom
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
http://incapt.su/
https://twitter.com/hashtag/incransom?f=live
http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
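The config above was pulled from the ransom note text. When doing this by hand on a fresh note it is worth checking that what the regex caught is a structurally valid v3 onion address (56 base32 characters that decode to a 32-byte public key, a 2-byte SHA3-256 checksum and a version byte of 3) before pushing it into a blocklist. The script below is an added example, not code from tria.ge or from the sample; NOTE is a constructed stand-in in which only the URLs come from the report's extracted config, the last line is deliberately junk, and the wording of the real note is not on this page.

```python
"""Extract leak-site URLs from an INC ransom note and sanity-check the .onion ones.

Added example, not code from tria.ge or from the INC Ransom sample. NOTE is a
constructed stand-in: only the URLs are those the report extracted from
INC-README.txt; the last line is deliberate junk with the right length.
"""
import base64
import hashlib
import re

JUNK = "http://" + "a" * 56 + ".onion/"   # constructed: 56 chars, not a real address

NOTE = (
    "Constructed stand-in for C:\\ProgramData\\Adobe\\INC-README.txt\n"
    "http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/\n"
    "http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/\n"
    "http://incapt.su/\n"
    "https://twitter.com/hashtag/incransom?f=live\n"
    "http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/\n"
    + JUNK + "\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
ONION_V3_RE = re.compile(r"^https?://([a-z2-7]{56})\.onion(?:[/:?#]|$)", re.I)


def decode_onion_v3(address):
    """Split a 56-char v3 address into pubkey/checksum/version and verify the checksum.

    Layout (Tor rend-spec-v3): base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]),
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2], VERSION = 3.
    """
    raw = base64.b32decode(address, casefold=True)   # 56 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {"pubkey": pubkey, "version": version, "checksum_ok": checksum == expected}


def extract_iocs(text):
    """Return (onion_entries, clearnet_urls); onion entries carry the decode result."""
    onions, clearnet = [], []
    for url in sorted(set(URL_RE.findall(text))):     # dedupe, stable order
        m = ONION_V3_RE.match(url)
        if not m:
            clearnet.append(url)
            continue
        address = m.group(1).lower()
        info = decode_onion_v3(address)
        onions.append({"url": url, "address": address, **info,
                       "plausible": info["version"] == 3 and info["checksum_ok"]})
    return onions, clearnet


if __name__ == "__main__":
    onions, clearnet = extract_iocs(NOTE)
    for o in onions:
        print(f'{o["address"]}.onion version={o["version"]} checksum_ok={o["checksum_ok"]}')
    print("clearnet:", clearnet)
```

The version byte and checksum are cheap to compute and reject the kind of near-miss strings that line-wrapped or OCR'd notes produce; a 56-character string of the right alphabet that fails them was not a working hidden service address and should not be added to a blocklist as one.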
Signatures
INC Ransomware
INC Ransom is a ransomware that emerged in July 2023.
Inc_ransom family
Renames multiple (302) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\M: | windows.exe
File opened (read-only) | \??\W: | windows.exe
File opened (read-only) | \??\Z: | windows.exe
File opened (read-only) | \??\H: | windows.exe
File opened (read-only) | \??\J: | windows.exe
File opened (read-only) | \??\K: | windows.exe
File opened (read-only) | \??\O: | windows.exe
File opened (read-only) | \??\Q: | windows.exe
File opened (read-only) | \??\S: | windows.exe
File opened (read-only) | \??\U: | windows.exe
File opened (read-only) | \??\V: | windows.exe
File opened (read-only) | \??\F: | windows.exe
File opened (read-only) | \??\B: | windows.exe
File opened (read-only) | \??\I: | windows.exe
File opened (read-only) | \??\X: | windows.exe
File opened (read-only) | \??\Y: | windows.exe
File opened (read-only) | \??\L: | windows.exe
File opened (read-only) | \??\N: | windows.exe
File opened (read-only) | \??\P: | windows.exe
File opened (read-only) | \??\R: | windows.exe
File opened (read-only) | \??\T: | windows.exe
File opened (read-only) | \??\A: | windows.exe
File opened (read-only) | \??\E: | windows.exe
File opened (read-only) | \??\G: | windows.exe
Drops file in System32 directory (3 IoCs)
description | ioc | process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | windows.exe
File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | windows.exe
File created | C:\Windows\system32\spool\PRINTERS\PPqnjl0gvoam1h8dftt9ss00hyd.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | windows.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windows.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
6088 | ONENOTE.EXE (2 identical entries)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
6088 | ONENOTE.EXE (2 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeTakeOwnershipPrivilege | 2864 | windows.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (17 IoCs)
pid | process
6088 | ONENOTE.EXE (17 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | process | procid_target
PID 5988 wrote to memory of 6088 | 5988 | printfilterpipelinesvc.exe | 91 (2 identical entries)
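The signatures above are each a small rule over the behavioural event stream: many distinct drive roots opened by one process, a wallpaper value that points into %TEMP%, a ransom note dropped, and a run of renames that all append the same extension. The script below re-implements those four rules as a detection pass over a constructed event list. It is an added example, not code from tria.ge or from the sample: the event shape (pid / process / op / target) is an assumption made for illustration and real sandbox or Sysmon telemetry needs a small adapter; the PID, process names, drive letters, wallpaper value and note path are taken from this report, while the rename events and the ".INC" extension are constructed, since the report counts the renames but does not name the extension.

```python
"""Re-implement the report's behavioural signatures as a detection pass.

Added example, not code from tria.ge or from the INC Ransom sample. The
event shape below (pid / process / op / target) is an assumption made for
illustration. pid, process names, drive letters, wallpaper value and note
path come from the report; the rename events and ".INC" are constructed.
"""
import re
from collections import defaultdict

# Constructed events shaped after the report's "description | ioc | process" rows.
EVENTS = [
    # "Enumerates connected drives": windows.exe (pid 2864) opened the root of
    # every drive letter except C: and D: (24 letters, as in the report).
    *[{"pid": 2864, "process": "windows.exe", "op": "file_open",
       "target": f"\\??\\{letter}:"} for letter in "ABEFGHIJKLMNOPQRSTUVWXYZ"],
    # "Sets desktop wallpaper using registry": wallpaper pointed at %TEMP%.
    {"pid": 2864, "process": "windows.exe", "op": "reg_set",
     "target": r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000"
               r"\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\AppData\Local\Temp\background-image.jpg"},
    # Ransom note drop (path from the Malware Config section).
    {"pid": 2864, "process": "windows.exe", "op": "file_create",
     "target": r"C:\ProgramData\Adobe\INC-README.txt"},
    # "Renames multiple files with added filename extension": constructed rows;
    # the report does not name the extension, ".INC" is assumed here.
    *[{"pid": 2864, "process": "windows.exe", "op": "file_rename",
       "target": f"C:\\Users\\Admin\\Documents\\doc{i}.docx",
       "new_target": f"C:\\Users\\Admin\\Documents\\doc{i}.docx.INC"}
      for i in range(12)],
    # Benign control: explorer.exe touching two drives must not fire.
    {"pid": 4000, "process": "explorer.exe", "op": "file_open", "target": r"\??\C:"},
    {"pid": 4000, "process": "explorer.exe", "op": "file_open", "target": r"\??\D:"},
]

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")        # \??\X:
ADDED_EXT = re.compile(r"^\.[A-Za-z0-9_-]{1,10}$")     # suffix appended by a rename
NOTE_NAME = re.compile(r"[\\/]INC-README\.(txt|html)$", re.I)


def detect(events, drive_threshold=8, rename_threshold=10):
    """Return (rule, (pid, process), detail) tuples for the behaviours in the report."""
    drives = defaultdict(set)      # (pid, process) -> distinct drive letters opened
    renames = defaultdict(list)    # (pid, process) -> extensions appended by renames
    findings = []
    for ev in events:
        key = (ev["pid"], ev["process"])
        op, target = ev["op"], ev["target"]
        if op == "file_open":
            m = DRIVE_ROOT.match(target)
            if m:
                drives[key].add(m.group(1))
        elif op == "reg_set" and target.lower().endswith("\\control panel\\desktop\\wallpaper"):
            # A wallpaper living under %TEMP% is the tell, not the write itself.
            if "\\appdata\\local\\temp\\" in ev.get("value", "").lower():
                findings.append(("wallpaper_from_temp", key, ev["value"]))
        elif op == "file_create" and NOTE_NAME.search(target):
            findings.append(("inc_ransom_note", key, target))
        elif op == "file_rename":
            new = ev["new_target"]
            if new.startswith(target) and ADDED_EXT.match(new[len(target):]):
                renames[key].append(new[len(target):])
    for key, letters in drives.items():
        if len(letters) >= drive_threshold:
            findings.append(("drive_enumeration", key, "".join(sorted(letters))))
    for key, exts in renames.items():
        # Many renames that all append one and the same extension is the ransomware shape.
        if len(exts) >= rename_threshold and len(set(exts)) == 1:
            findings.append(("mass_rename_added_extension", key, exts[0]))
    return findings


if __name__ == "__main__":
    for rule, (pid, proc), detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {proc}: {detail}")
```

The thresholds are deliberately lower than what this sample produced (24 drives, 302 renames) so the rules also catch a run that is cut short; tune them against your own baseline, since backup agents and indexers legitimately open many drive roots.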
Processes
C:\Users\Admin\AppData\Local\Temp\windows.exe (PID 2864)
  command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
  signatures:
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe (PID 5892)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe (PID 5988)
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  child: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 6088)
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D9E08FF6-4EE2-401C-B4C0-E35A8F1D8C5D}.xps" 133812526436330000
    signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: 1438352603a20f2e5a15bc12d7d28bf1
SHA1: a2d6912b531b0a968b01d7bf3c17f1933225e4ef
SHA256: 0601c5f2521efa21f044e607c3bed8e0f0d037c4998b61e20c493f4e3f88390e
SHA512: 1702d28ee7b74a43650f55869d3da71ee967bf21987cc679e3f865c5f2ee9ef132cbaf8c05ebb6ccc07750e82f19f9a8445163d2eac64cf779a29621475bb2f5

Filesize: 3KB
MD5: fb41a5c7981da369a1360d9e7ff1414a
SHA1: a7e522aeecfe947ae4d3ea863c8091544ec189e7
SHA256: 657a6b530c13dc2762dde67f9b97ecaa48c2dd54b7851311f7712068275aa574
SHA512: bce884644e9f01e2c2a32e37b694baab3e5b8e063eafa5c98d98004b019fdbb9ebb2630f0e9ee58871952dfc15c8e64682c90f074005b3ac11128304b0fc6778

Filesize: 64KB
MD5: 31505ee25f53a57e8ad40750d232c0ec
SHA1: a8cfe9b03345354d5917fd1e32697b8e6abaccbc
SHA256: 01a0c9b6d6994928c7048833fcb1b98ff555cf469e7139886abbd5a254f813f2
SHA512: 2ec55af7df23e0ae2c4e77c270545601748594faa0fb4083b6905ae1cf71c5d07ac73c00d740de407a0c595dbbd37bcf46ff2aaa9962a25c437d97689d7036cc

Filesize: 4KB
MD5: 8d666a32cba0549e8e378215e73c2045
SHA1: 06e2139d8a38bfa0b58ec3d9048d4996ceada2a0
SHA256: 4e3f3ac8521fcb589e030b343a20ad8e20e83099c26e90434b24c4acdeec607a
SHA512: d99f83c2b35fd3a7ba08f6157b82b43d33639a82e58fa75fe8be44a8f69019afc590c3112e3f7cd7c09e085a96d3516a1c010f72e754df73f1e641ab3a7265a6

Filesize: 4KB
MD5: b3290cd1dde777829a390b96d8e5e475
SHA1: 3cc3bb217450650ee83ecebb0598c2d62e93c568
SHA256: 3aedd9ed58a9f4205e7e645546310fa2e8b510673bf593d86d60374d44c4d0d1
SHA512: 1112fac76e043b3004cd9558c037c6613281d66e622ff002c12ca50109564b9e140fb513a5490934057c2b11d044f736ef54a0e9203fc0feae2df4f7e9723123

Filesize: 4KB
MD5: a4e08f38bc9d085476de65e004df29ff
SHA1: 4109bb5aefcc7118cb820c92e27b942b114585f3
SHA256: 87bfc0ee7d5658259a46c96f7e645558202dea47e9b612cd78b5489694e87885
SHA512: 7cd46fcf6f99183e4be9a3058465227f185f79192d0c8f0355dbcebbb730d64b9b55219a86dc93d96723151aeb55f0e72cfaf4a4a3bd88c1e55991d1963b7b32