{
	"id": "811065e9-cc37-430e-8720-4925082e81d5",
	"created_at": "2026-04-06T00:06:44.578866Z",
	"updated_at": "2026-04-10T03:21:55.887343Z",
	"deleted_at": null,
	"sha1_hash": "e5d9432027d5a37065e43eddafb23ea657780025",
	"title": "LOLBin to INC Ransomware | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 703206,
	"plain_text": "LOLBin to INC Ransomware | Huntress\r\nArchived: 2026-04-05 17:04:55 UTC\r\nThis blog post was originally published on May 1, 2024.\r\nBackground\r\nHuntress analysts have previously observed INC ransomware being deployed, and recently observed this specific\r\nransomware variant being deployed in a customer environment. The ransomware variant was identified, in part,\r\nthrough the threat actor’s efforts to verify that their deployment was effective, as illustrated through the following\r\ncommand line:\r\n\"C:\\windows\\system32\\NOTEPAD.EXE\" C:\\Users\\user\\Documents\\+\u003cREDACTED\u003e\\INC-README.txt\r\nDigging deeper into the incident, Huntress analysts were able to identify a specific pattern of activity associated\r\nwith the threat actor, particularly during what appears to be the intermediate stages of their attack, and prior to\r\nransomware deployment. Upon identifying this pattern, Huntress analysts began hunting across the entire\r\ninfrastructure to identify other endpoints where this same pattern of activity was observed, and in doing so,\r\nnotifying customers in an effort to head off the ransomware deployment. Even though the initial means of access\r\nand the follow-on activities varied slightly between the identified endpoints, this one pattern remained consistent\r\nand served to quickly surface impacted endpoints.\r\nAttack Pattern\r\nLooking across multiple endpoints, Huntress analysts observed a common, overarching pattern; that is, at the\r\npoint where their activities could be explicitly identified, the threat actor appeared to have significant prior\r\nknowledge of the infrastructure in which they were operating. 
\r\nThe initial endpoint that was investigated in detail revealed the activity illustrated in Figure 1, associated with the\r\nuser account known to be compromised within the customer’s infrastructure.\r\nhttps://www.huntress.com/blog/lolbin-to-inc-ransomware\r\nPage 1 of 7\n\nFigure 1: Pattern of LOLBin Activity\r\nThe commands illustrated in Figure 1 were pulled directly from the Huntress platform, and are listed with the\r\nmost recent command at the top of the image. The threat actor used SystemSettingsAdminFlows.exe, a native\r\nWindows utility, to turn off several Windows Defender settings (the specific arguments are the ones listed in the\r\nSigma rule under Detection Opportunities below). As illustrated in Figure 2, these modifications are\r\nrecorded in the Microsoft-Windows-Windows Defender/Operational Event Log as event ID 5007 records,\r\nindicating that the change took place.\r\nFigure 2: Windows Defender Event ID 5007 Record\r\nIt's important to note that the threat actor ran these commands on endpoints where Windows Defender was\r\nactively in use, indicating prior knowledge of the environment. In several instances, the threat actor brought along\r\nthe necessary tools to attempt to disable other installed security applications, and in each instance, those\r\napplications were in fact installed and running on the endpoint. For example, on one endpoint where\r\nCylancePROTECT was installed, the following command line was observed:\r\nC:\\Windows\\temp\\av.exe -p CylanceSvc.exe\r\nTwenty-three seconds later, a Service Control Manager record was created in the System Event Log with event ID\r\n7031, indicating that the CylancePROTECT service had been abnormally terminated. Windows Defender did\r\ndetect the file av.exe as Trojan:Script/Wacatac.H!ml, and quarantined the file, but not before it was able to\r\nterminate the CylancePROTECT service. The file was deleted from quarantine before Huntress had a chance to\r\nretrieve a copy of the file. 
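The two checks described above, as an added example that is not part of the original post and is neither Huntress nor threat actor code: a Python replay of the SystemSettingsAdminFlows.exe rule given later under Detection Opportunities, including its OriginalFilename clause and its SystemSettings.exe parent filter, plus the pairing of a 7031 service-termination record with every process started in the preceding minute. The events, paths and timestamps are constructed to mirror the post (a 23-second gap before the CylanceSvc termination); WinDefend and Sense in the watched-service set are assumed additions.

```python
# Added example (editor's code, not Huntress's): replays the two checks from this
# post over a constructed timeline for one endpoint. Process events are modelled
# on Sysmon Event ID 1 fields; the 7031 record on the System event log.
from datetime import datetime, timedelta

BACKSLASH = chr(92)  # keeps this source free of backslash escape sequences


def winpath(*parts):
    # Builds a Windows path for the constructed sample events.
    return BACKSLASH.join(parts)


def basename(path):
    # Windows paths are case-insensitive; compare the final component only
    # (equivalent to Sigma's Image|endswith with a leading backslash).
    return path.replace('/', BACKSLASH).rsplit(BACKSLASH, 1)[-1].lower()


# CommandLine fragments from the Sigma rule in this post (matched as 'contains').
TAMPER_FRAGMENTS = (
    'Defender DisableEnhancedNotifications 1',
    'Defender SubmitSamplesConsent 0',
    'Defender SpynetReporting 0',
    'Defender RTP 1',
)

# Services whose abnormal termination (System log, event ID 7031) is worth
# pairing with a preceding process start. The post names CylanceSvc; the other
# two are assumed additions.
SECURITY_SERVICES = {'cylancesvc', 'windefend', 'sense'}


def defender_tamper(event):
    # Mirrors 'condition: all of selection_* and not filter' from the Sigma rule.
    if event['kind'] != 'process':
        return False
    is_adminflows = (
        basename(event['image']) == 'systemsettingsadminflows.exe'
        or event.get('original_filename', '').lower() == 'systemsettingsadminflows.exe'
    )
    cli_hit = any(frag in event['command_line'] for frag in TAMPER_FRAGMENTS)
    legit_parent = basename(event['parent_image']) == 'systemsettings.exe'
    return is_adminflows and cli_hit and not legit_parent


def service_kills(events, window=timedelta(seconds=60)):
    # For each 7031 on a watched service, list every process started in the
    # preceding window as (service, image basename, seconds before the crash).
    procs = [e for e in events if e['kind'] == 'process']
    hits = []
    for e in events:
        if e['kind'] != 'system' or e['event_id'] != 7031:
            continue
        if e['service'].lower() not in SECURITY_SERVICES:
            continue
        for p in procs:
            gap = e['time'] - p['time']
            if timedelta(0) <= gap <= window:
                hits.append((e['service'], basename(p['image']), int(gap.total_seconds())))
    return hits


def hunt(events):
    tamper = sorted({e['command_line'] for e in events if defender_tamper(e)})
    return {'defender_tamper': tamper, 'service_kills': service_kills(events)}


# Constructed sample timeline (not from the incident; times are invented).
T0 = datetime(2024, 4, 27, 2, 10, 0)
SYS32 = winpath('C:', 'Windows', 'System32')
ADMINFLOWS = winpath(SYS32, 'SystemSettingsAdminFlows.exe')
CMD = winpath(SYS32, 'cmd.exe')
SETTINGS_UI = winpath('C:', 'Windows', 'ImmersiveControlPanel', 'SystemSettings.exe')
TEMP = winpath('C:', 'Windows', 'Temp')


def proc(offset_s, image, parent, command_line, original_filename=None):
    return {'kind': 'process', 'time': T0 + timedelta(seconds=offset_s), 'image': image,
            'parent_image': parent, 'command_line': command_line,
            'original_filename': original_filename or basename(image)}


SAMPLE_EVENTS = [
    # Settings app toggling the same value: dropped by the benign-parent filter.
    proc(0, ADMINFLOWS, SETTINGS_UI, 'SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0'),
    # The pattern from Figure 1: the same binary driven from a command shell.
    proc(30, ADMINFLOWS, CMD, 'SystemSettingsAdminFlows.exe Defender SpynetReporting 0'),
    proc(35, ADMINFLOWS, CMD, 'SystemSettingsAdminFlows.exe Defender RTP 1'),
    # Renamed copy: Image does not match, OriginalFilename from the PE header does.
    proc(40, winpath(TEMP, 'ssaf.exe'), CMD, 'ssaf.exe Defender DisableEnhancedNotifications 1',
         original_filename='SystemSettingsAdminFlows.exe'),
    # av.exe run against CylanceSvc, then the 7031 record 23 seconds later.
    proc(240, winpath(TEMP, 'av.exe'), CMD, winpath(TEMP, 'av.exe') + ' -p CylanceSvc.exe'),
    {'kind': 'system', 'time': T0 + timedelta(seconds=263), 'event_id': 7031, 'service': 'CylanceSvc'},
    # Unrelated later activity, outside the correlation window.
    proc(900, winpath(SYS32, 'notepad.exe'), winpath('C:', 'Windows', 'explorer.exe'),
         'notepad.exe INC-README.txt'),
]

if __name__ == '__main__':
    for key, value in hunt(SAMPLE_EVENTS).items():
        print(key, value)
```

Run it as a script to print both findings. The parent filter is the same one the Sigma rule relies on, so a tamper command whose parent is spoofed, or launched from a shell that is itself a child of SystemSettings.exe, still passes; it is a noise filter rather than a trust boundary, and the OriginalFilename clause is what keeps a renamed copy of the binary in scope. The 7031 pairing returns every process in the window, so an analyst still triages the list; on a busy server the window should be tightened or the process list scoped to user-writable paths.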
However, this activity has only been noted on endpoints where CylancePROTECT is\r\nrunning. Huntress has previously observed the use of a file by the same name to disable Sophos Anti-Virus\r\napplications.\r\nAlso seen within the same timeframe was the usage of an executable named kaz.exe that executed from the\r\nsame folder. Unfortunately, we were unable to recover this executable, and its role in this attack is not yet known.\r\nOne interesting thing about this executable, however, was that the original file name\r\nwas Treasury Secretary Steven Mnuchin, as taken from the PE header at run time. This field is illustrated in\r\nFigure 3. This executable was run within 4 minutes of av.exe, and after Windows Defender had been disabled.\r\nFigure 3: kaz.exe Original File Name field\r\nThe common activity illustrated in Figure 1 is consistent across all impacted endpoints so far, and has allowed\r\nHuntress to notify customers for whom ransomware has yet to be deployed. Hunting for activity on the specific\r\nendpoints associated with the accounts used by the threat actor, it's clear that as the threat actor approaches the\r\npoint of heightened activity, likely in preparation for deploying the file encryption software, their actions become\r\nmore directed and efficient, as illustrated in Figures 4 and 5. 
Figure 4 illustrates the threat actor’s\r\nwindow of activity on an endpoint on April 27, 2024.\r\nFigure 4: Threat actor activity, April 27, 2024 (UTC)\r\nFigure 5 illustrates the timeframe of the threat actor’s activities identified on a different, unrelated\r\nendpoint on April 30, 2024.\r\nFigure 5: Threat actor activity, April 30, 2024 (UTC)\r\nIn both Figures 4 and 5, each showing threat actor activity on different endpoints and different days, it's\r\nabundantly clear that the threat actor has a prior understanding of the target infrastructure, and arrives with an\r\nefficient playbook. \r\nLooking across the breadth of data available thus far, there are a number of other activities that appear to be\r\nisolated to particular endpoints. For example, one endpoint had already generated an alert for a rogue\r\nScreenConnect installation, and a detailed investigation indicated that the infrastructure employed an entirely\r\ndifferent RMM tool. After accessing the endpoint via the newly installed ScreenConnect instance, the threat actor\r\nchanged the password on an existing account via net.exe. On another endpoint, the threat actor used a valid,\r\npreviously compromised account to access the endpoint via the Remote Desktop Protocol (RDP). In other\r\ninstances, the threat actor was observed viewing various files using notepad.exe and wordpad.exe.\r\nOn another endpoint, the following command line was observed:\r\nrclone copy E:\\ \u003cmount_point\u003e --include-from include.txt\r\nHuntress wasn't able to retrieve a copy of the include.txt file; however, the use of such a file indicates that the\r\nthreat actor knew which files they wanted to collect, further indicating likely prior\r\nknowledge of the environment. \r\nHuntress also observed the use of MEGAsync.exe within one infrastructure. 
On the compromised endpoint, the\r\nthreat actor installed 7Zip and MEGASync, then ran a total of 28 7zG.exe processes to archive data. Not long\r\nafter the last 7zG.exe process was run, both MEGASync and 7Zip were uninstalled from the endpoint. Huntress\r\nhas previously observed the use of MEGAsync.exe during incidents where INC ransomware was later deployed.\r\nConclusion\r\nThe timing of the activity that came to the attention of Huntress analysts indicates that the threat actor had likely\r\nbeen active in, or simply had detailed prior knowledge of, the infrastructure before getting to the point where they\r\nwere ready to deploy the INC ransomware. However, by leveraging the available details extracted from intensive\r\ninvestigations into the threat actor activity, Huntress was able to identify other customers who were likely being\r\nsubject to the same attack, from the same threat actor. Immediate notification of this activity, with the relevant\r\ndetails, allows customers to respond in an appropriate and timely manner, implementing their incident response\r\nplan and preventing file encryption activity.\r\nThanks to Faith Stratton, Dray Agha, Jai Minton, Greg Linares, and Jamie Levy for their assistance in developing\r\nthis content and blog post.\r\nIndicators\r\nav.exe SHA-256 hash:\r\n36eb4290aa11a950e60d12ab18a8e139d25464355ce761f98891e1ea94f39445\r\nkaz.exe SHA-256 hash:\r\nfc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851\r\nababcab28dcdb35c - rogue ScreenConnect instance ID\r\nMITRE ATT\u0026CK Mapping\r\nInitial Access - T1133, External Remote Services \u0026 T1078.002, Domain Accounts\r\nExecution - T1059.003, Windows Command Shell (also observed use of GUI tools, browsers, etc.)\r\nPersistence - T1078.003: Local Accounts, T1078.002: Domain Accounts, T1543.003: Windows Service\r\nPrivilege Escalation - Not Observed\r\nDefense Evasion - T1562.001: Disable or 
Modify Tools\r\nCredential Access - Not Observed\r\nDiscovery - Not Observed\r\nLateral Movement - Not Observed\r\nCollection - T1560.001: Archive via Utility (7zG.exe; rclone was used to copy the selected files)\r\nCommand And Control - T1219: Remote Access Software, T1105: Ingress Tool Transfer\r\nExfiltration - T1537: Transfer Data to Cloud Account (use of MEGAsync.exe)\r\nImpact - T1486: Data Encrypted For Impact\r\nDetection Opportunities\r\nWe’ve provided a Sigma rule to detect the direct usage of SystemSettingsAdminFlows.exe to tamper with\r\nWindows Defender. While the binary is often used legitimately, this rule filters out instances with common parents\r\nlike SystemSettings.exe. Because any instance parented by SystemSettings.exe is excluded, a tamper command run\r\nunder a spoofed parent would evade the rule; the filter exists to cut noise, not to establish trust.\r\ntitle: Using SystemSettingsAdminFlows.exe To Tamper With Windows Defender\r\nid: ad44351e-89c4-4b1c-8cb0-676c55bf11ce\r\nstatus: experimental\r\ndescription: Detects the usage of SystemSettingsAdminFlows.exe to disable or tamper with Windows Defender\r\nreferences:\r\n  - https://attack.mitre.org/techniques/T1562/001/\r\nauthor: Alden Schmidt, Matt Anderson\r\ndate: 2024/04/30\r\nmodified: 2024/04/30\r\ntags:\r\n  - attack.defense_evasion\r\n  - attack.t1562\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection_adminflows:\r\n    - Image|endswith: '\\SystemSettingsAdminFlows.exe'\r\n    - OriginalFilename: 'SystemSettingsAdminFlows.exe'\r\n  selection_cli:\r\n    CommandLine|contains:\r\n      - 'Defender DisableEnhancedNotifications 1'\r\n      - 'Defender SubmitSamplesConsent 0'\r\n      - 'Defender SpynetReporting 0'\r\n      - 'Defender RTP 1'\r\n  filter:\r\n    - ParentImage|endswith: '\\SystemSettings.exe'\r\n  condition: all of selection_* and not filter\r\nfalsepositives:\r\n  - Legitimate use of SystemSettingsAdminFlows.exe as a child of SystemSettings.exe\r\nlevel: high\r\nWe recommend monitoring the following:\r\nUse of various RMM and Remote Control/Desktop tools, such as 
ScreenConnect, and limiting the use of\r\nunapproved applications.\r\nUse of any file sync or backup utilities, such as MEGAsync, that are not approved for use in your\r\nenvironment.\r\nSource: https://www.huntress.com/blog/lolbin-to-inc-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.huntress.com/blog/lolbin-to-inc-ransomware"
	],
	"report_names": [
		"lolbin-to-inc-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5d9432027d5a37065e43eddafb23ea657780025.pdf",
		"text": "https://archive.orkl.eu/e5d9432027d5a37065e43eddafb23ea657780025.txt",
		"img": "https://archive.orkl.eu/e5d9432027d5a37065e43eddafb23ea657780025.jpg"
	}
}