Windows
Analysis Report
1.exe
Overview
General Information
Detection
INC Ransomware
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected INC Ransomware
AI detected suspicious sample
Changes the wallpaper picture
Contains functionalty to change the wallpaper
Document exploit detected (process start blacklist hit)
Found Tor onion address
Found potential ransomware demand text
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
May use bcdedit to modify the Windows boot settings
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
1.exe (PID: 7412 cmdline:
"C:\Users\ user\Deskt op\1.exe" MD5: FB14AAE2ED93A7DDFA718F433F585735) conhost.exe (PID: 7420 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
FXSSVC.exe (PID: 2932 cmdline:
C:\Windows \system32\ fxssvc.exe MD5: 8C6D3BF6997E02544BE68D43DABE2F39)
ONENOTE.EXE (PID: 7504 cmdline:
/insertdoc "C:\Users \user\AppD ata\Local\ Microsoft\ Windows\IN etCache\{A F3AB8FA-AD 7A-49AB-B8 F2-82D9D57 E4E04}.xps " 13378736 3258030000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA) OfficeC2RClient.exe (PID: 7560 cmdline:
OfficeC2RC lient.exe /error PID =7504 Proc essName="M icrosoft O neNote" UI Type=3 Err orSource=0 x8b10082a ErrorCode= 0x800c0006 ShowUI=1 MD5: 4F025E7F9ADD3623A8B384BC0C7B18CB)
onenoteim.exe (PID: 7604 cmdline:
"C:\Progra m Files\Wi ndowsApps\ Microsoft. Office.One Note_16001 .12026.201 12.0_x64__ 8wekyb3d8b bwe\onenot eim.exe" - ServerName :microsoft .onenoteim .AppXxqb9y psz6cs1w07 e1pmjy4ww4 dy9tpqr.mc a MD5: 56AC82018A550CF0C525F0C7891806F1)
- cleanup
{"Text Note": "~~~~ INC Ransom ~~~~\r\n\r\n-----> Your data is stolen and encrypted.\r\nIf you don't pay the ransom, the data will be published on our TOR darknet sites.\r\nThe sooner you pay the ransom, the sooner your company will be safe.\r\n\r\nTor Browser Link:\r\n\thttp://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/\r\n\thttp://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/\r\n\r\nLink for normal browser:\r\n\thttp://incapt.su/\r\n\t\r\n-----> What guarantees are that we won't fool you?\r\nWe are not a politically motivated group and we want nothing more than money.\r\nIf you pay, we will provide you with decryption software and destroy the stolen data.\r\nAfter you pay the ransom, you will quickly restore your systems and make even more money.\r\nTreat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.\r\nOur pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.\r\nIf we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.\r\nYou can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live\r\n\r\n-----> You need to contact us on TOR darknet sites with your personal ID\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from you.\r\nSometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.\r\n\r\nTor Browser Link for chat:\r\n\thttp://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/\r\n\r\nYour personal ID:\r\n\t%id%\r\n\r\n-----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!\r\n-----> Don't go to the police or the FBI for help. They won't help you.\r\nThe police will try to prohibit you from paying the ransom in any way.\r\nThe first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.\r\nThis is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.\r\nPaying the ransom to us is much cheaper and more profitable than paying fines and legal fees.\r\nThe police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.\r\nIf you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.\r\nThe police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.\r\nThe police and FBI won't protect you from repeated attacks. \r\n\r\n-----> Don't go to recovery companies!\r\nThey are essentially just middlemen who will make money off you and cheat you.\r\nWe are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.\r\nIf you approached us directly without intermediaries you would pay several times less.\r\n\r\n-----> For those who have cyber insurance against ransomware attacks.\r\nInsurance companies require you to keep your insurance information secret.\r\nIn most cases, we find this information and download it.\r\n\r\n-----> If you do not pay the ransom, we will attack your company again in the future.\r\n", "HTML Note": "<html>\r\n\t<head>\r\n\t\t<title>INC Ransom</title>\r\n\t</head>\r\n\t<body style=\"width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;\">\r\n\t\t<div style=\"display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;\">\r\n\t\t\t<div style=\"width: 80%;\">\r\n <div style=\"display: flex; flex-direction: column;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Your data is stolen and encrypted.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span>\r\n <span style=\"font-size: 14px;\">The sooner you pay the ransom, the sooner your company will be safe.</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Blog Tor Browser Link:</span>\r\n <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span>\r\n <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Blog Link for normal browser:</span>\r\n <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incapt.su/</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">You need to contact us on TOR darknet sites with your personal ID</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">Download and install Tor Browser https://www.torproject.org/</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Chat Tor Browser Link:</span>\r\n <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Your personal ID: </span>\r\n <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">%id%</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Don't go to recovery companies!</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">They are essentially just middlemen who will make money off you and cheat you.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">If you approached us directly without intermediaries you would pay several times less.</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">For those who have cyber insurance against ransomware attacks.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">Insurance companies require you to keep your insurance information secret.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">In most cases, we find this information and download it.</span>\r\n </div>\r\n </div>\r\n <div style=\"width: 80%;\">\r\n <div style=\"display: flex; flex-direction: column;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">What guarantees are that we won't fool you?</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">We are not a politically motivated group and we want nothing more than money.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">If you pay, we will provide you with decryption software and destroy the stolen data.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">After you pay the ransom, you will quickly restore your systems and make even more money.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">Don't go to the police or the FBI for help. They won't help you.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">The police will try to prohibit you from paying the ransom in any way.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span>\r\n <span style=\"font-size: 14px; margin-top: 8px;\">The police and FBI won't protect you from repeated attacks.</span>\r\n </div>\r\n <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n <span style=\"font-size: 20px; font-weight: 600;\">If you do not pay the ransom, we will attack your company again in the future.</span>\r\n </div>\r\n </div>\r\n\t\t</div>\r\n\t</body>\r\n</html>", "ID": "6755d7b438e2eaa58b4521ef"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security | ||
JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security | ||
JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security | ||
JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security | ||
JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security | ||
Click to see the 5 entries |
Source: | Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |