Analysis
-
max time kernel
52s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-08-2024 10:08
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win10v2004-20240802-en
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe Annabelle.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2316 NetSh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation Annabelle.exe -
Executes dropped EXE 2 IoCs
pid Process 1312 Annabelle.exe 3820 Annabelle.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" Annabelle.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 52 raw.githubusercontent.com 53 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2412 vssadmin.exe 4632 vssadmin.exe 888 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 561788.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3156 msedge.exe 3156 msedge.exe 3520 msedge.exe 3520 msedge.exe 3748 identity_helper.exe 3748 identity_helper.exe 3404 msedge.exe 3404 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeBackupPrivilege 1980 vssvc.exe Token: SeRestorePrivilege 1980 vssvc.exe Token: SeAuditPrivilege 1980 vssvc.exe Token: SeShutdownPrivilege 3456 shutdown.exe Token: SeRemoteShutdownPrivilege 3456 shutdown.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1932 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3520 wrote to memory of 2036 3520 msedge.exe 84 PID 3520 wrote to memory of 2036 3520 msedge.exe 84 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 2648 3520 msedge.exe 85 PID 3520 wrote to memory of 3156 3520 msedge.exe 86 PID 3520 wrote to memory of 3156 3520 msedge.exe 86 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 PID 3520 wrote to memory of 724 3520 msedge.exe 87 -
System policy modification 1 TTPs 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff889ca46f8,0x7ff889ca4708,0x7ff889ca47182⤵PID:2036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵PID:2648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:82⤵PID:724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:5004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:2672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:82⤵PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:12⤵PID:3952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:3628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵PID:1644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:82⤵PID:1900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵PID:2216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:82⤵PID:2328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3404
-
-
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"2⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:1312 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2412
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:888
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4632
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2316
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
-
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"2⤵
- Executes dropped EXE
PID:3820
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4980
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3928
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3961055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1932
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5387d519892ef276e837921c3e3e40406
SHA1e81e322e503e711e3a2cc51bc10c1abbede0d064
SHA2565145b36b1c906eea77826844c400ada9429032f969927e04b5f2039bb6e99bff
SHA51255ba51b39200f8c201314eb4dc2ba1501fc31a0dcb96e66830cdcfffc8d0b0ea88a4a67d4b98d65c8035d10339c94fe3dad6fdb9c62f53fc19b54dacd25b18ae
-
Filesize
6KB
MD5b616811da390cd3b1962f57cd6ecbeca
SHA1f017fefd9a6f5136e2ace300de438185925d81af
SHA2561b0a5f42a3e1ad368e3492b7870a9f3de8be89855d61a882caa39c192df2c4c6
SHA5127d170d8d99ae6109631b46baef0494add7c1c9bf30ff51cf11d9d9786aece2f2b6556f3c6f2248fcf6fac6aab63aaf636de88f9f384a639944ad1441232c8d46
-
Filesize
6KB
MD57aa296ae70ce5a4219a822e2c141bacb
SHA1479ebed688f67d452e570412e9ba00c1d25189e5
SHA2562ca37da46f1ee782e9b46470167eb593efa32ed719fdc4bfcc6a711323c2c420
SHA512a51f09177de7d159cbf1615822c725ed8e9df891579ff1b5746389a74ac617365822e208ce336fd417488b42142c9a5970f4ca782f98d655f1acf3598b1bc049
-
Filesize
6KB
MD5c61ef99a44559d7958c881bf8b87ab83
SHA1cf912b09af85ba67c35637bdebe5e48a2657af99
SHA2566f545d742ed6894dc6df1c873a1ecc8a72af1544c76f1a433350a1405aa6f8e4
SHA5121ae9cd4d459b46faa13469ba16609357e6cc81d837fde231d977876d7d69ea253b6baf73e4bf989c73a0c6f0a3c4150e6b3e18206aee13654e22f53ee8472c8a
-
Filesize
1KB
MD5076b2b26784880572fab0b8580f2d0d5
SHA1eef909959795387ef3313409551bc15da64b181a
SHA256628c7a30d8763c6f725e87ead7a0be9f61c442bfc7c5c416f757ad209e0a85b5
SHA5128653fa9eff774bda5c89f8983c7346bd850a61c9746540da50c8a324e9ce4fb14e4cac6f9eeeebf6949c0576f2cea778eb62b153d5566349eaf9c50b3c9731df
-
Filesize
874B
MD5b3ee09281b99b23807dd09cd86e48973
SHA185311c9c422159037920e809156a12d3ed94c165
SHA256a15b59f04e0f889654494ee3858aa4055ccb00130c79b6da9b91bda0c17fb4a5
SHA51230a83e809e13d79eeb809cb1074b83522dd17439dbab504988cd64357811a8dcca10b419fab9ee382e0cc7340ac0beb4cfc7a762cad4ccd11f97916260065d3f
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5254255801dc458b4e746f653e9642ddd
SHA1a54c29060643ec62f0ae572a0512563beaee061b
SHA256b38cc44616fbb5100a7de6f1427373bcdfc275aea15be229a635f1ab054ccbc7
SHA512adb74b673722b3741f65d26f2e57fdcc7e0a2b798af47aaac67bf22a3f21815c96b00bbbe37d51b68a1ddb448e4c56a66d21ad1f5c16e7df8a1dcf5444e113ee
-
Filesize
11KB
MD5967d85e7727fe9f71dbda7418fd8e967
SHA146dac7b22bffad9e530ae3392f2df961f4cf00fe
SHA256f9ce7b6b80276d34cb65519115d58f99b857a5f73f7b82ad5fb8dadb4069a724
SHA5129210a1297f64a2e1ecb9cfccbfd8b099c165b61f90499ef9392e3d8abd0103626d1b677fc520961a18b8deae1ffa05834a4f4a1cebb6fdc81290b7b1b3d619ff
-
Filesize
15.9MB
MD50f743287c9911b4b1c726c7c7edcaf7d
SHA19760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA5122a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677