analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Annabelle_ransom.exe

Full analysis: https://app.any.run/tasks/5ad2bbc0-1390-4262-9db9-ee5353a44a2e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: February 28, 2018, 08:10:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
ransomware
annabelle
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:

0F743287C9911B4B1C726C7C7EDCAF7D

SHA1:

9760579E73095455FCBADDFE1E7E98A2BB28BFE0

SHA256:

716335BA5CD1E7186C40295B199190E2B6655E48F1C1CBE12139BA67FAA5E1AC

SSDEEP:

393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses NETSH.EXE for network configuration

      • Annabelle_ransom.exe (PID: 912)

    • UAC/LUA settings modification

      • Annabelle_ransom.exe (PID: 912)

    • Starts VSSADMIN.EXE (used for deleting shadow copies)

      • Annabelle_ransom.exe (PID: 912)

    • Changes the autorun value in the registry

      • Annabelle_ransom.exe (PID: 912)
      • Annabelle_ransom.exe (PID: 1956)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • Annabelle_ransom.exe (PID: 912)
      • vssvc.exe (PID: 1456)
      • NetSh.exe (PID: 2824)
      • Annabelle_ransom.exe (PID: 1956)

    • Creates files like Ransomware

      • Annabelle_ransom.exe (PID: 912)

    • Disables SEHOP

      • Annabelle_ransom.exe (PID: 912)
      • Annabelle_ransom.exe (PID: 1956)

  • INFO

    • Loads the .NET runtime environment

      • Annabelle_ransom.exe (PID: 912)
      • Annabelle_ransom.exe (PID: 1956)

    • Loads rich edit control libraries

      • Annabelle_ransom.exe (PID: 1956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 2.1.0.0
ProductName: UpdateBackup
OriginalFileName: Annabelle.exe
LegalTrademarks: -
LegalCopyright: Copyright © 2018
InternalName: Annabelle.exe
FileVersion: 2.1.0.0
FileDescription: Annabelle
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.1.0.0
FileVersionNumber: 2.1.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x0000
UninitializedDataSize: -
InitializedDataSize: 274432
CodeSize: 16437248
LinkerVersion: 80
PEType: PE32+
TimeStamp: 2018:02:18 18:54:24+01:00
MachineType: AMD AMD64

Summary

Architecture: IMAGE_FILE_MACHINE_AMD64
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Feb-2018 17:54:24
Comments: -
CompanyName: -
FileDescription: Annabelle
FileVersion: 2.1.0.0
InternalName: Annabelle.exe
LegalCopyright: Copyright © 2018
LegalTrademarks: -
OriginalFilename: Annabelle.exe
ProductName: UpdateBackup
ProductVersion: 2.1.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_AMD64
Number of sections: 2
Time date stamp: 18-Feb-2018 17:54:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00F0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00FACE8C
0x00FAD000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.99834
.rsrc
0x00FB0000
0x00042FA0
0x00043000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.9752

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.06715
2829
UNKNOWN
UNKNOWN
RT_MANIFEST
32512
1.7815
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
83
Monitored processes
8
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start annabelle_ransom.exe no specs annabelle_ransom.exe vssadmin.exe no specs vssadmin.exe no specs vssadmin.exe no specs netsh.exe no specs vssvc.exe no specs annabelle_ransom.exe

Process information

PID
CMD
Path
Indicators
Parent process
348"C:\Users\admin\Desktop\Annabelle_ransom.exe" C:\Users\admin\Desktop\Annabelle_ransom.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Annabelle
Exit code:
3221226540
Version:
2.1.0.0
Modules
Images
c:\users\admin\desktop\annabelle_ransom.exe
c:\systemroot\system32\ntdll.dll
912"C:\Users\admin\Desktop\Annabelle_ransom.exe" C:\Users\admin\Desktop\Annabelle_ransom.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Annabelle
Exit code:
0
Version:
2.1.0.0
Modules
Images
c:\users\admin\desktop\annabelle_ransom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
2768vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3020vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2948vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2824NetSh Advfirewall set allprofiles state offC:\Windows\system32\NetSh.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
1456C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1956C:\Users\admin\Desktop\Annabelle_ransom.exeC:\Users\admin\Desktop\Annabelle_ransom.exe
userinit.exe
User:
admin
Integrity Level:
HIGH
Description:
Annabelle
Version:
2.1.0.0
Modules
Images
c:\users\admin\desktop\annabelle_ransom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
Total events
453
Read events
293
Write events
160
Delete events
0

Modification events

(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:UpdateBackup
Value:
C:\Users\admin\Desktop\Annabelle_ransom.exe
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:UpdateBackup
Value:
C:\Users\admin\Desktop\Annabelle_ransom.exe
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:UpdateBackup
Value:
C:\Users\admin\Desktop\Annabelle_ransom.exe
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:writeName:DisableAntiSpyware
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:writeName:DisableRoutinelyTakingAction
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:WindowsDefenderMAJ
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:WindowsDefenderMAJ
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
0
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
0
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore
Operation:writeName:DisableSR
Value:
1
Executable files
0
Suspicious files
26
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
912Annabelle_ransom.exeC:\Users\admin\Desktop\Annabelle_ransom.exe.ANNABELLE
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Documents\servermb.rtf.ANNABELLEbinary
MD5:8ED2FB2193A9CC3B08C6BAC07DA1AB7C
SHA256:C0475AC79187B58DECDAB90FB2CE2D78039E285D05C872149564E82B37D850B9
912Annabelle_ransom.exeC:\Users\admin\Downloads\engineevaluation.png.ANNABELLEbinary
MD5:78373AAB02261F71D6B1C55CD5D361F5
SHA256:A91E8FC01404EB589F9944B9119AB9F73DFAFA57AEA72B20388096E6AA75E801
912Annabelle_ransom.exeC:\Users\admin\Documents\journalresource.rtf.ANNABELLEbinary
MD5:690D06CE62B93BE5D602EE6997F3674C
SHA256:03F140DC4A2C9CE9AD2365BC1D40CC8E6B044DBE38909DB23A1640329767D78D
912Annabelle_ransom.exeC:\Users\admin\Pictures\instrumentsfeatures.png.ANNABELLEbinary
MD5:0AF4E75CD97B8776FF0D85DC4B44A96A
SHA256:AB79A9485C03029F9CAB5BB1A9356DC4A8AC421145C74A989CFF00CB63466C3E
912Annabelle_ransom.exeC:\Users\admin\Pictures\portreturns.png.ANNABELLEbinary
MD5:35F1344AB1B9C4274C69475117D02B47
SHA256:CD89A98A1902E3AAEE6ABF9C4C2BDEF48EB17C78785C4C0B00A8CD281423D82F
912Annabelle_ransom.exeC:\Users\admin\Downloads\issueloans.png.ANNABELLEbinary
MD5:8A2793D47F7925B5472ABEF08692D2E5
SHA256:ACCF2B349DC69EBD6B6C31A48DACD1B6CAC274F8F407628981C8149B96B123F8
912Annabelle_ransom.exeC:\Users\admin\Desktop\linesarea.jpg.ANNABELLEbinary
MD5:6A96945499F6E24A4FA4FFB363EABCF7
SHA256:DF842B8CC2DACAB958D27BC7B7D021376E5E9B5B3EF86C53A5A56F6652738147
912Annabelle_ransom.exeC:\Users\admin\Desktop\planwere.rtf.ANNABELLEbinary
MD5:120CA2756A6AFDD71BD53C33D15F1D34
SHA256:709BF0DAE45A1A5252F73A2820168B9FCBC6F3E3C7140A5DD92708681BBD775E
912Annabelle_ransom.exeC:\Users\admin\Desktop\filocations.rtf.ANNABELLEbinary
MD5:5ADD42E9E6F9C2CFE172548A5AB1442F
SHA256:1992EDE297997195A9392E7678134DE33E2A0B4E669422D84923AD692BC633D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
67.215.92.215:80
http://myip.dnsomatic.com/
US
text
12 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
67.215.92.215:80
myip.dnsomatic.com
OpenDNS, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
teredo.ipv6.microsoft.com
whitelisted
myip.dnsomatic.com
  • 67.215.92.215
suspicious

Threats

PID
Process
Class
Message
Attempted Information Leak
ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Annabelle_ransom.exe