Analysis

  • max time kernel
    129s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 14:36

General

  • Target

    windows.exe

  • Size

    161KB

  • MD5

    38eca0067e68a296b6142cdc9f43f5a5

  • SHA1

    e58763611a199e785a7a492be9f6ec7628ded535

  • SHA256

    cb320d0c18a399f8473b69c0e472180a0aa21b3936bdcc5fc290620412265c61

  • SHA512

    5146219e6b82751d32250d1ac995055de0ab99fc9ee70e47d973a248b30ac47270faf8901b94ef3151d724ba6834fab963a9bd6d6243b891274e0c4d769271ed

  • SSDEEP

    3072:YduKWsRRjHRvsfdO3Q+rSBPJasYIeuvdaEkZSc5:bYjHiqrrTeWUc5

Malware Config

Extracted

Path

C:\ProgramData\Adobe\INC-README.html

Ransom Note
<html> <head> <title>INC Ransom</title> </head> <body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"> <div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is 
because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Your personal ID: </span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">677fb7e638e2eaa58bad14c0</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to recovery companies!</span> <span style="font-size: 14px; margin-top: 8px;">They are essentially just middlemen who will make money off you and cheat you.</span> <span style="font-size: 14px; margin-top: 8px;">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span> <span style="font-size: 14px; margin-top: 8px;">If you approached us directly without intermediaries you would pay several times less.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">For those who have cyber insurance against ransomware attacks.</span> <span style="font-size: 14px; margin-top: 8px;">Insurance companies require you to keep your insurance information secret.</span> <span style="font-size: 14px; margin-top: 8px;">In most cases, we find this information and download it.</span> </div> </div> <div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">What guarantees are that we won't fool you?</span> <span style="font-size: 14px; margin-top: 8px;">We are not 
a politically motivated group and we want nothing more than money.</span> <span style="font-size: 14px; margin-top: 8px;">If you pay, we will provide you with decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">After you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Don't go to the police or the FBI for help. 
They won't help you.</span> <span style="font-size: 14px; margin-top: 8px;">The police will try to prohibit you from paying the ransom in any way.</span> <span style="font-size: 14px; margin-top: 8px;">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span> <span style="font-size: 14px; margin-top: 8px;">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span> <span style="font-size: 14px; margin-top: 8px;">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span> <span style="font-size: 14px; margin-top: 8px;">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span> <span style="font-size: 14px; margin-top: 8px;">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span> <span style="font-size: 14px; margin-top: 8px;">The police and FBI won't protect you from repeated attacks.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">If you do not pay the ransom, we will attack your company again in the future.</span> </div> </div> </div> </body> </html>
URLs

https://twitter.com/hashtag/incransom?f=live

Extracted

Path

C:\ProgramData\Adobe\INC-README.txt

Family

inc_ransom

Ransom Note
~~~~ INC Ransom ~~~~ -----> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Link: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/ http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/ Link for normal browser: http://incapt.su/ -----> What guarantees are that we won't fool you? We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly restore your systems and make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live -----> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world. Tor Browser Link for chat: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/ Your personal ID: 677fb7e638e2eaa58bad14c0 -----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files! -----> Don't go to the police or the FBI for help. They won't help you. The police will try to prohibit you from paying the ransom in any way. 
The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files. This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI won't protect you from repeated attacks. -----> Don't go to recovery companies! They are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M. If you approached us directly without intermediaries you would pay several times less. -----> For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret. In most cases, we find this information and download it. -----> If you do not pay the ransom, we will attack your company again in the future.
URLs

http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/

http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

http://incapt.su/

https://twitter.com/hashtag/incransom?f=live

http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

Signatures

  • INC Ransomware

    INC Ransom is a ransomware that emerged in July 2023.

  • Inc_ransom family
  • Renames multiple (302) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\windows.exe
    "C:\Users\Admin\AppData\Local\Temp\windows.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2864
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID:5892
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5988
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D9E08FF6-4EE2-401C-B4C0-E35A8F1D8C5D}.xps" 133812526436330000
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:6088

    Downloads

    • C:\ProgramData\Adobe\INC-README.html

      Filesize

      8KB

      MD5

      1438352603a20f2e5a15bc12d7d28bf1

      SHA1

      a2d6912b531b0a968b01d7bf3c17f1933225e4ef

      SHA256

      0601c5f2521efa21f044e607c3bed8e0f0d037c4998b61e20c493f4e3f88390e

      SHA512

      1702d28ee7b74a43650f55869d3da71ee967bf21987cc679e3f865c5f2ee9ef132cbaf8c05ebb6ccc07750e82f19f9a8445163d2eac64cf779a29621475bb2f5

    • C:\ProgramData\Adobe\INC-README.txt

      Filesize

      3KB

      MD5

      fb41a5c7981da369a1360d9e7ff1414a

      SHA1

      a7e522aeecfe947ae4d3ea863c8091544ec189e7

      SHA256

      657a6b530c13dc2762dde67f9b97ecaa48c2dd54b7851311f7712068275aa574

      SHA512

      bce884644e9f01e2c2a32e37b694baab3e5b8e063eafa5c98d98004b019fdbb9ebb2630f0e9ee58871952dfc15c8e64682c90f074005b3ac11128304b0fc6778

    • C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs

      Filesize

      64KB

      MD5

      31505ee25f53a57e8ad40750d232c0ec

      SHA1

      a8cfe9b03345354d5917fd1e32697b8e6abaccbc

      SHA256

      01a0c9b6d6994928c7048833fcb1b98ff555cf469e7139886abbd5a254f813f2

      SHA512

      2ec55af7df23e0ae2c4e77c270545601748594faa0fb4083b6905ae1cf71c5d07ac73c00d740de407a0c595dbbd37bcf46ff2aaa9962a25c437d97689d7036cc

    • C:\Users\Admin\AppData\Local\Temp\{08DD0E5D-B943-41C9-83E2-3A554FACDA68}

      Filesize

      4KB

      MD5

      8d666a32cba0549e8e378215e73c2045

      SHA1

      06e2139d8a38bfa0b58ec3d9048d4996ceada2a0

      SHA256

      4e3f3ac8521fcb589e030b343a20ad8e20e83099c26e90434b24c4acdeec607a

      SHA512

      d99f83c2b35fd3a7ba08f6157b82b43d33639a82e58fa75fe8be44a8f69019afc590c3112e3f7cd7c09e085a96d3516a1c010f72e754df73f1e641ab3a7265a6

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      b3290cd1dde777829a390b96d8e5e475

      SHA1

      3cc3bb217450650ee83ecebb0598c2d62e93c568

      SHA256

      3aedd9ed58a9f4205e7e645546310fa2e8b510673bf593d86d60374d44c4d0d1

      SHA512

      1112fac76e043b3004cd9558c037c6613281d66e622ff002c12ca50109564b9e140fb513a5490934057c2b11d044f736ef54a0e9203fc0feae2df4f7e9723123

    • C:\Users\Admin\Documents\OneNote Notebooks\Quick Notes.one

      Filesize

      4KB

      MD5

      a4e08f38bc9d085476de65e004df29ff

      SHA1

      4109bb5aefcc7118cb820c92e27b942b114585f3

      SHA256

      87bfc0ee7d5658259a46c96f7e645558202dea47e9b612cd78b5489694e87885

      SHA512

      7cd46fcf6f99183e4be9a3058465227f185f79192d0c8f0355dbcebbb730d64b9b55219a86dc93d96723151aeb55f0e72cfaf4a4a3bd88c1e55991d1963b7b32

    • memory/6088-1457-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1461-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1462-0x00007FF84FBB0000-0x00007FF84FBC0000-memory.dmp

      Filesize

      64KB

    • memory/6088-1463-0x00007FF84FBB0000-0x00007FF84FBC0000-memory.dmp

      Filesize

      64KB

    • memory/6088-1460-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1458-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1459-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1515-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1514-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1513-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/6088-1512-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB