LOLBin to INC Ransomware | Huntress

Huntress analyzes a LOLBin-driven pattern observed before deployment of INC ransomware, noting a consistent pre-attack playbook across endpoints and proactive hunting to surface affected machines. The activity includes Defender evasion, security-tool disruption, credential usage, remote access, data collection, and cloud-based exfiltration; surfacing the pattern early enabled timely mitigation. #ScreenConnect #MEGASync #rclone #INC_ransomware #Mnuchin #Huntress

Keypoints

  • Threat actors appear to have substantial prior knowledge of the target environment, surfacing a consistent playbook before ransomware deployment.
  • SystemSettingsAdminFlows.exe was used to disable Windows Defender, with Windows Defender Event ID 5007 recorded as evidence.
  • The attackers attempted to disable other security tools (e.g., CylancePROTECT) and terminated security services, indicating defense evasion efforts.
  • Kaz.exe appeared with an original file name field referencing Treasury Secretary Steven Mnuchin, suggesting a decoy technique; in the timeline it appeared after av.exe.
  • Endpoint activity included rogue ScreenConnect usage, RDP via a compromised account, and casual use of notepad.exe/wordpad.exe to inspect files.
  • Data collection and exfiltration activities were observed, including rclone with an include list, MEGASync usage, and extensive 7zG.exe archiving before MEGASync/7Zip uninstallation.
  • Huntress’s investigations enabled rapid identification of other customers at risk, facilitating proactive incident response to prevent encryption activity.

MITRE Techniques

  • [T1133] External Remote Services – The threat actor accessed environments via a compromised user account; ‘the activity illustrated in Figure 1, associated with the user account known to be compromised within the customer’s infrastructure’
  • [T1078.002] Valid Accounts – Use of a compromised domain account to gain access; ‘the user account known to be compromised’
  • [T1059.003] Windows Command Shell – Use of SystemSettingsAdminFlows.exe, a native Windows utility, to modify defenses; ‘SystemSettingsAdminFlows.exe, a native Windows utility’
  • [T1562.001] Disable or Modify Tools – Disabling Windows Defender and other security tools; ‘to essentially disable Windows Defender’
  • [T1543.003] Windows Service – Termination or manipulation of security services (e.g., CylancePROTECT); ‘CylancePROTECT service had been abnormally terminated’
  • [T1560.001] Archive via Utility – Data collection via archiving with a utility; ‘rclone copy E: <mount_point> --include-from include.txt’
  • [T1219] Remote Access Software – Presence of rogue ScreenConnect installation; ‘rogue ScreenConnect installation’
  • [T1105] Ingress Tool Transfer – Transferring tools/data to external destinations; ‘MEGAsync.exe’ usage for cloud transfer
  • [T1537] Exfiltration – Data transferred to cloud account using MEGAsync.exe; ‘Transfer Data to Cloud Account (use of MEGAsync.exe)’
  • [T1486] Data Encrypted For Impact – Endpoints show patterns leading up to encryption activity; ‘Data Encrypted For Impact’
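The stage pattern the technique list above describes can be hunted for by correlating per-host telemetry in first-seen order. The following Python is an added example, not code from Huntress or the post; the event field names, file paths and sample events are constructed assumptions for illustration.

```python
"""Correlate the playbook stages from the post over constructed sample events.
Field names (ts, host, provider, event_id, image, cmdline) and every sample
value below are assumptions for illustration, not data from the Huntress post."""
from collections import defaultdict

def _image(e):
    """Base name of the process image, lower-cased; empty for non-process events."""
    return (e.get("image") or "").rsplit("\\", 1)[-1].lower()

# (stage, predicate) pairs built from the behaviours the post describes.
STAGE_RULES = [
    ("defense_evasion", lambda e: e.get("provider") == "Microsoft-Windows-Windows Defender"
                                  and e.get("event_id") == 5007),           # Defender config changed
    ("defense_evasion", lambda e: _image(e) == "systemsettingsadminflows.exe"),
    ("remote_access",   lambda e: "screenconnect" in _image(e)
                                  or "ababcab28dcdb35c" in (e.get("cmdline") or "")),
    ("collection",      lambda e: _image(e) == "7zg.exe"),
    ("collection",      lambda e: _image(e) == "rclone.exe"
                                  and "--include-from" in (e.get("cmdline") or "")),
    ("exfiltration",    lambda e: _image(e) == "megasync.exe"),
]
SEQUENCE = ["defense_evasion", "collection", "exfiltration"]

def hunt(events):
    """Return (stages seen per host in first-seen order, hosts showing the full
    evasion -> collection -> exfiltration sequence in that order)."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for stage, match in STAGE_RULES:
            if match(e) and stage not in seen[e["host"]]:
                seen[e["host"]].append(stage)
    full = sorted(h for h, s in seen.items()
                  if [x for x in s if x in SEQUENCE] == SEQUENCE)
    return dict(seen), full

# Constructed sample telemetry: WS01 shows the whole chain, FS02 only archiving.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS01", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5007},
    {"ts": 2, "host": "WS01", "image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe"},
    {"ts": 3, "host": "WS01", "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": 4, "host": "WS01", "image": r"C:\Program Files\7-Zip\7zG.exe"},
    {"ts": 5, "host": "WS01", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone copy E: remote:share --include-from include.txt"},
    {"ts": 6, "host": "WS01", "image": r"C:\Users\u\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"ts": 7, "host": "FS02", "image": r"C:\Program Files\7-Zip\7zG.exe"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The remote-access stage is recorded but not required for the full-sequence match, since legitimate ScreenConnect deployments exist; a host is only escalated when evasion, collection and exfiltration appear in that order.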

Indicators of Compromise

  • [File Hash] Av.exe – 36eb4290aa11a950e60d12ab18a8e139d25464355ce761f98891e1ea94f39445
  • [File Hash] kaz.exe – fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851
  • [File Name] av.exe, kaz.exe – observed as executables involved in the activity
  • [ScreenConnect Instance ID] ababcab28dcdb35c – rogue ScreenConnect instance ID

Read more: https://huntress.com/blog/lolbin-to-inc-ransomware