File name:

Annabelle_ransom.exe

Full analysis: https://app.any.run/tasks/5ad2bbc0-1390-4262-9db9-ee5353a44a2e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: February 28, 2018, 08:10:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
ransomware
annabelle
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:

0F743287C9911B4B1C726C7C7EDCAF7D

SHA1:

9760579E73095455FCBADDFE1E7E98A2BB28BFE0

SHA256:

716335BA5CD1E7186C40295B199190E2B6655E48F1C1CBE12139BA67FAA5E1AC

SSDEEP:

393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses NETSH.EXE for network configuration

      • Annabelle_ransom.exe (PID: 912)

    • UAC/LUA settings modification

      • Annabelle_ransom.exe (PID: 912)

    • Changes the autorun value in the registry

      • Annabelle_ransom.exe (PID: 1956)
      • Annabelle_ransom.exe (PID: 912)

    • Starts VSSADMIN.EXE (used for deleting shadow copies)

      • Annabelle_ransom.exe (PID: 912)

  • SUSPICIOUS

    • Disables SEHOP

      • Annabelle_ransom.exe (PID: 912)
      • Annabelle_ransom.exe (PID: 1956)

    • Reads the machine GUID from the registry

      • Annabelle_ransom.exe (PID: 912)
      • vssvc.exe (PID: 1456)
      • NetSh.exe (PID: 2824)
      • Annabelle_ransom.exe (PID: 1956)

    • Creates files like Ransomware

      • Annabelle_ransom.exe (PID: 912)

  • INFO

    • Loads rich edit control libraries

      • Annabelle_ransom.exe (PID: 1956)

    • Loads the .NET runtime environment

      • Annabelle_ransom.exe (PID: 912)
      • Annabelle_ransom.exe (PID: 1956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2018:02:18 18:54:24+01:00
PEType: PE32+
LinkerVersion: 80
CodeSize: 16437248
InitializedDataSize: 274432
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.1.0.0
ProductVersionNumber: 2.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Annabelle
FileVersion: 2.1.0.0
InternalName: Annabelle.exe
LegalCopyright: Copyright © 2018
LegalTrademarks: -
OriginalFileName: Annabelle.exe
ProductName: UpdateBackup
ProductVersion: 2.1.0.0
AssemblyVersion: 1.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_AMD64
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Feb-2018 17:54:24
Comments: -
CompanyName: -
FileDescription: Annabelle
FileVersion: 2.1.0.0
InternalName: Annabelle.exe
LegalCopyright: Copyright © 2018
LegalTrademarks: -
OriginalFilename: Annabelle.exe
ProductName: UpdateBackup
ProductVersion: 2.1.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_AMD64
Number of sections: 2
Time date stamp: 18-Feb-2018 17:54:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00F0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00FACE8C
0x00FAD000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.99834
.rsrc
0x00FB0000
0x00042FA0
0x00043000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.9752

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.06715
2829
UNKNOWN
UNKNOWN
RT_MANIFEST
32512
1.7815
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
83
Monitored processes
8
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start annabelle_ransom.exe vssadmin.exe no specs vssadmin.exe no specs netsh.exe no specs vssadmin.exe no specs vssvc.exe no specs annabelle_ransom.exe annabelle_ransom.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
348"C:\Users\admin\Desktop\Annabelle_ransom.exe" C:\Users\admin\Desktop\Annabelle_ransom.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Annabelle
Exit code:
3221226540
Version:
2.1.0.0
Modules
Images
c:\users\admin\desktop\annabelle_ransom.exe
c:\systemroot\system32\ntdll.dll
912"C:\Users\admin\Desktop\Annabelle_ransom.exe" C:\Users\admin\Desktop\Annabelle_ransom.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Annabelle
Exit code:
0
Version:
2.1.0.0
Modules
Images
c:\users\admin\desktop\annabelle_ransom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
1456C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1956C:\Users\admin\Desktop\Annabelle_ransom.exeC:\Users\admin\Desktop\Annabelle_ransom.exe
userinit.exe
User:
admin
Integrity Level:
HIGH
Description:
Annabelle
Exit code:
0
Version:
2.1.0.0
Modules
Images
c:\users\admin\desktop\annabelle_ransom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
2768vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2824NetSh Advfirewall set allprofiles state offC:\Windows\system32\NetSh.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2948vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3020vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.exeAnnabelle_ransom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
453
Read events
293
Write events
160
Delete events
0

Modification events

(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:UpdateBackup
Value:
C:\Users\admin\Desktop\Annabelle_ransom.exe
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:UpdateBackup
Value:
C:\Users\admin\Desktop\Annabelle_ransom.exe
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:UpdateBackup
Value:
C:\Users\admin\Desktop\Annabelle_ransom.exe
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:writeName:DisableAntiSpyware
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:writeName:DisableRoutinelyTakingAction
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:WindowsDefenderMAJ
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:WindowsDefenderMAJ
Value:
1
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
0
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
0
(PID) Process:(912) Annabelle_ransom.exeKey:HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore
Operation:writeName:DisableSR
Value:
1
Executable files
0
Suspicious files
26
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
912Annabelle_ransom.exeC:\Users\admin\Desktop\Annabelle_ransom.exe.ANNABELLE
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Documents\greenthought.rtf.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Documents\interfacearts.rtf.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Documents\journalresource.rtf.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Pictures\finallylisting.png.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Downloads\clittle.jpg.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Desktop\planwere.rtf.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Documents\lordincludes.rtf.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Downloads\engineevaluation.png.ANNABELLEbinary
MD5:
SHA256:
912Annabelle_ransom.exeC:\Users\admin\Desktop\filocations.rtf.ANNABELLEbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
67.215.92.215:80
http://myip.dnsomatic.com/
US
text
12 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
67.215.92.215:80
myip.dnsomatic.com
OpenDNS, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
teredo.ipv6.microsoft.com
whitelisted
myip.dnsomatic.com
  • 67.215.92.215
suspicious

Threats

PID
Process
Class
Message
Attempted Information Leak
ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Annabelle_ransom.exe