File name:	windows.exe
Full analysis:	https://app.any.run/tasks/d4068c74-73b2-4586-b4ef-32c5c66686ca
Verdict:	Malicious activity
Threats:	INC Ransomware is a ransomware-as-a-service (RaaS) spotted in mid-2023. It targets industries like retail, real estate, finance, healthcare, and education, primarily in the U.S. and UK. It encrypts and exfiltrates data demanding a ransom. It employs advanced evasion techniques, destroys backup, and abuses legitimate system tools at all the stages of the kill chain. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	January 13, 2025, 14:40:54
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	inc ransomware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5:	38ECA0067E68A296B6142CDC9F43F5A5
SHA1:	E58763611A199E785A7A492BE9F6EC7628DED535
SHA256:	CB320D0C18A399F8473B69C0E472180A0AA21B3936BDCC5FC290620412265C61
SSDEEP:	3072:BUViX88MYMorfeSEQvVYxVZ/cY+aci6V5SoksuJBrfuaOxlMEZsPeB2D4ecGzMWX:OiLCSEVcio5S0kByvQEMNX

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:04:09 08:25:18+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	105472
InitializedDataSize:	61952
UninitializedDataSize:	-
EntryPoint:	0x9a34
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows command line


(PID) Process:	(6376) windows.exe	Key:	HKEY_CURRENT_USER\Control Panel\Desktop
Operation:	write	Name:	Wallpaper
Value: C:\Users\admin\AppData\Local\Temp\\background-image.jpg
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Security
Operation:	write	Name:	Descriptor
Value: 010004805C000000680000000000000014000000020048000300000000001800E7020E000102000000000005200000002002000000001400030002000101000000000001000000000000140027020200010100000000000504000000010100000000000514000000010100000000000514000000
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax
Operation:	write	Name:	RedirectionGuard
Value: 1
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	Password
Value: 00
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	delete value	Name:	Password
Value:
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	Server
Value:
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	From
Value:
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	User
Value:
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Outbound Routing\Groups\<All devices>
Operation:	write	Name:	Devices
Value:
(PID) Process:	(9668) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Outbound Routing\Rules\0:0
Operation:	write	Name:	CountryCode
Value: 0

PID	Process	Filename		Type
6376	windows.exe	C:\Users\admin\AppData\Local\VirtualStore\INC-README.html		—
		MD5:—	SHA256:—
6376	windows.exe	C:\Users\admin\AppData\Local\VirtualStore\INC-README.txt		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\INC-README.html		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\INC-README.txt		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\Adobe\INC-README.html		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\Adobe\INC-README.txt		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\Adobe\ARM\INC-README.html		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\INC-README.html		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\INC-README.txt		—
		MD5:—	SHA256:—
6376	windows.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcroRdrDCx64Upd2300820470_MUI.msp		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	svchost.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	svchost.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	52.109.89.18:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	unknown	xml	178 Kb	whitelisted
—	—	POST	200	40.79.167.8:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	whitelisted
—	—	GET	200	52.113.194.132:443	https://ecs.office.com/config/v2/Office/onenote/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=onenote&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=onenote.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=OneNoteFreeRetail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bDEE50CB8-CEAE-4720-946C-EE5F9FA6CA8D%7d&LabMachine=false	unknown	tss	368 Kb	whitelisted
—	—	POST	200	20.189.173.6:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	10 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.19.122.63:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5496	svchost.exe	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
—	—	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
4712	MoUsoCoreWorker.exe	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
www.bing.com	2.19.122.63 2.19.122.13 2.19.122.9 2.19.122.60 2.19.122.8 2.19.122.5 2.19.122.65 2.19.122.7 2.19.122.64	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	23.209.214.100	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
officeclient.microsoft.com	52.109.89.18	whitelisted
ecs.office.com	52.113.194.132	whitelisted
self.events.data.microsoft.com	20.189.173.6 13.89.179.8	whitelisted

Process	Message
ONENOTE.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

windows.exe

38ECA0067E68A296B6142CDC9F43F5A5

E58763611A199E785A7A492BE9F6EC7628DED535

CB320D0C18A399F8473B69C0E472180A0AA21B3936BDCC5FC290620412265C61

3072:BUViX88MYMorfeSEQvVYxVZ/cY+aci6V5SoksuJBrfuaOxlMEZsPeB2D4ecGzMWX:OiLCSEVcio5S0kByvQEMNX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

INC has been detected (YARA)

INC has been detected

Renames files like ransomware

INC note has been found

SUSPICIOUS

Executes as Windows Service

Changes the desktop background image

Reads security settings of Internet Explorer

INFO

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Reads the machine GUID from the registry

Creates files in the program directory

Reads security settings of Internet Explorer

Create files in a temporary directory

Reads Microsoft Office registry keys

Reads Environment values

Checks proxy server information

Reads the software policy settings

Sends debugging messages

Reads product name

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings