Overview

overview

10

Static

static

3

Annabelle_ransom.exe

windows7-x64

Sharing

Copy URL Twitter E-mail

General

  • Target

    Annabelle_ransom.bin.zip

  • Size

    15.6MB

  • Sample

    240416-abnjasbh56

  • MD5

    32b59c2b1cb0fd2b058edcb5c6e7aebd

  • SHA1

    c51b79a052d9c97434f9deccb973c39000965b96

  • SHA256

    8755ff4ea42e3910261105f3887c4aca181b3c0f868e9f7431714aa573f6d314

  • SHA512

    f1275e0c1068e0e78dde0bf28472f839dbd4d10e3ca10771976ea8a4fa48d63dd1a17ba59b80d5a003273ca5b369eb9d0a4bce406f144a749cd6067bcb049ed8

  • SSDEEP

    393216:/zbQHnK/SsYx8qToIuwBo+615Yfl87/JZjDSa9QhbdFtT:/zbQq/spoPwcY8LJlZ6hZF9

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      Annabelle_ransom.bin

    • Size

      15.9MB

    • MD5

      0f743287c9911b4b1c726c7c7edcaf7d

    • SHA1

      9760579e73095455fcbaddfe1e7e98a2bb28bfe0

    • SHA256

      716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

    • SHA512

      2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

    • SSDEEP

      393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

    Score
    10/10
    evasionpersistenceransomwaretrojan

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3
T1490

Tasks