hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

12-01-2025 20:22

250112-y52j1szpfq 10

12-01-2025 20:20

250112-y4hqhsxpct 8

12-01-2025 20:14

250112-y1akqszmhr 1

12-01-2025 20:12

250112-yyweeszmep 9

Analysis

max time kernel
61s
max time network
94s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-01-2025 20:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4384	NetSh.exe
2044	NetSh.exe

Executes dropped EXE 2 IoCs

pid	Process
236	Annabelle.exe
3364	Annabelle.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
59	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\40ddbe8d-ca05-4324-bbc1-72d681f05be1.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250112201239.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1684	vssadmin.exe
1864	vssadmin.exe
3000	vssadmin.exe
3104	vssadmin.exe
3092	vssadmin.exe
3212	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
2328	msedge.exe
2328	msedge.exe
1820	identity_helper.exe
1820	identity_helper.exe
3832	msedge.exe
3832	msedge.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	taskmgr.exe
Token: SeSystemProfilePrivilege	2124	taskmgr.exe
Token: SeCreateGlobalPrivilege	2124	taskmgr.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3828	2328	msedge.exe	82
PID 2328 wrote to memory of 3828	2328	msedge.exe	82
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 3232	2328	msedge.exe	83
PID 2328 wrote to memory of 4848	2328	msedge.exe	84
PID 2328 wrote to memory of 4848	2328	msedge.exe	84
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85
PID 2328 wrote to memory of 3512	2328	msedge.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb50bd46f8,0x7ffb50bd4708,0x7ffb50bd4718
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff78f5f5460,0x7ff78f5f5470,0x7ff78f5f5480
    3⤵
    PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,5213030345970344111,13537245991814570898,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  PID:2212
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System policy modification
  PID:236
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3000
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1864
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1684
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2044
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:5300
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3364
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3212
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3104
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3092
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4384
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:5228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e9055 /state1:0x41c64e6d
1⤵
PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Save1.txt

Filesize
11B

MD5
c574673963f5deaa865000217e2b05ec

SHA1
bc00804848ce6b87fdb52aa5c0dca96138fb3512

SHA256
3b3ccb221b8715d0cd71a858d7024a3ebbcaa3507d7e1866f05dce4a75ad6362

SHA512
08fcf72301e768eef7d2724a5bf3037a1984ee937ba6fa6545f9389eec8cddb2b04a92240f1c570c6a743628f221207f9f106b7737265082ffdf01f66eb8843c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
69cd4fbd25488dc00a347c8a390c8652

SHA1
22cf04f96e4af55a94c87105201f08cf7ff47aa5

SHA256
23ef6c8a50cc68d03460913947c655fb7c62854cca6108e5c85cc472edcdd5cf

SHA512
02ef1bcd904dcba1f0f035a61593dab52eff317762cebd59261b0d211b0b7f7447814ac5ec6c47481088761a338b6ea00a2865e759565980043b47bc4f60f5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
90d9cc370060ef5ae526755155220c89

SHA1
3d536fcef3ebde92ca496819539288686ba8528e

SHA256
db4df83a39030515b39da7becb9f640e86fe6daec54296ce4fccaf9423c29e27

SHA512
5179e5b0093b160b3f67fed92fb4edf97ff7439d970dce46c281cdcbf4589f157f7bcd1d8608cef03cc81258f3c0744f31b95db8c70f162bed255efad48e37b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
862639d73b9053b2507bbc5c5383f08d

SHA1
13d316a0284adddbdf1934198665b142110476a4

SHA256
b01e319024051b54fbd6f08a13852b56bcc71c64116fbdb6937f6abafd51c6ba

SHA512
1e5bfb6a267aea2aacea33b5386a87a632a7021ebccad14eb2e53582d790b47b9e81cbb6b616f3efa62940bb8ae7b0c15d87c18553afae1a8fdbd25947b1d878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3135a2111de35c25d91e4d6ef0fef522

SHA1
0bb34b99e9e7c12051dd5de2ead901213fdba963

SHA256
490d461b934276e896a1848191546fd188ce93da223c4f0496d40dfa7f5c0b1e

SHA512
044efc95489d64c86efd9063cb74f01a51fcd35eb5e0d13e072d7d5cd556f1533784ef4bd58e00bdd47317b293e9c0015c81294ac3c90dbfe9fbd5dd0d1559d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
75237b876e4ebf0cf587313ae92b7952

SHA1
ef712d6b1e678d091b39cd593b8d4a2a5520f139

SHA256
d7abd571a35eaba20a7c57d7ac93cbb59b8d4b417f4b67590ee1c29ff561442b

SHA512
0c96b1f590a69141018c2112e36de65fb30ab57320b4b76da3a672b23c716197fc06e0f381491975319a8ad4ae138660469d3149cfbb69be96a2cfdfcaf802b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58cf51.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
afe2e1d0368418ccca6c14d012a14aca

SHA1
42dc9fe46f5c14453c62a5357c9351cc832939d5

SHA256
1673dd1e58aafadc64031c422902bd0f27d74f5245b6fcdb3bc44cd22480dc11

SHA512
5943aed74c79bd979f3cb15d286bff9bd0c0c1a47e072b89e1ee8bf65964ae40c989a3c44ceb12d9f2197b78302b2a98213ff3e407fdfb8c9ee8d3114c4e4894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6093541f132d682effc5954ecf76545c

SHA1
89e1e5e5aab0b8b407c882be1ab86745efca9873

SHA256
9d2317940074e500a6c5de7c141a3b9508e3dc1309c01523c9cfff1a3e86ad96

SHA512
d64aa6364adb8f42afe42d725d4912ec8476eaa7a769bfe4d3daed11b312396c13a1720e10e90a687fc2d434c1e1c83433f96cffe7df9fdd6cbfe6cd866ffc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea907249c6a5240e89dc3da5c668f8a6

SHA1
b3e34b57dc28b494fef413da492fc7fa9318cdad

SHA256
b60f4fc86c7e404ff0530221c04724517653927b52a4cd7fe85b76a0fe18c3cd

SHA512
b801746d9276cb9c3d2e961e14e9e0edcf3483e8ada3bfd23995c9ddc51f85277780b5b9f46a84a99a85da99da158cb4fed02210f2905992defb0c6084d1600b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f9ccc5a1537be3071b81faab6b9b4552

SHA1
4272a42264a6a30587a95e5f87dc18ece5c34d13

SHA256
e816164f1c374eff25ddc41ee594fc3d6f1d3072fa46979f48d38b26f6122c75

SHA512
65456f98fc83d1b2c6477f1bec939f6e6c24ef0facb04f59c2747f4052179f0475cdee1b3fe3c5f6325dd8978108a40ef7b873561c0e4e28bb256f8bcab1b79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2cad20898338fbc7fb993756151e2fe1

SHA1
740566d988a46b18920bbb42ff71eb145a931aee

SHA256
4c2f60eb2a2e891ea30a7eed7813758fb7d3200f5938e7012a22233b26b9dfa6

SHA512
e1a82109629e89a57d803f1bf0433c07d01a1fcc9db30ca81eff4a415bb4f36dd772bc05272538fc0db97a20f7475f172164fbe3142d507088770a53ec1a0796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d8c86e7d523ce692226bc2731ee03459

SHA1
a63bb7eba70e607d9557d5f59caf383b5a66161e

SHA256
9c2edac30eb6825a955114fcb679842a742cbba2a06413d3976047c8f1250261

SHA512
e2342039ba773cb0121540b8eb2e2b421db155384c7e48d4e40267f95759120782a905cfcdfc96931f1908f24d0d7eb5179e15e121592c3efd3e812998019f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3d04a7d76c084a5828981d256940cdd3

SHA1
49c0815e2e3a3cd197ce682a0cc2c8c7fd1ec4a7

SHA256
35190e981c24a16900bea84b626fd665f496ee83ca645c61b9cd4972849154af

SHA512
e3813992fad3e143ee7da929806bc869aefb6030210cd74f2b2035d2070216cba1a8b92ce3fef8010479c14cc163efc1f3a135ab63e87985cb8be23051f648aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580d2a.TMP

Filesize
874B

MD5
6c05d1549c1370fec1d0cc26beb42cb5

SHA1
6add428887883c18c1f53b5b8494b31fc7aab57e

SHA256
679137b51ed712e32eb32129907e4d84ecc34a63cec07c7d161dfbfe79106d57

SHA512
296a42aaeb52b9ebf7af4745c603193daa1845b41c3402167150f218c1691a2bd99c3139b9a562b2dc1114b09c1637f3a3d719540990e23c59546dbf35f4c68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
545e0745bc3f5612bb7aa612028ba46b

SHA1
61da3c5ecb94a59d758efd4891ffb00bf893e5e3

SHA256
edb6c14a969882f0c4b8c2f4424ddabcd75427fec8a00ae345bc300e0a2f6635

SHA512
bc28f2132078be7d40d1920512058a321b0b12661f675f6ed4cfd583a9f30b301f785f15928bf58b0a1433fb9a1aa5c7ed630afb7ba17f06fba6a03870ef0b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef7d44a703a76d672b881dec486558a2

SHA1
a053defa257ed51370868896dd2e55dc1ee81f65

SHA256
154106fb370c7f7b3cdd656038605ef74a1fa01c75765fd96f6bc6b6141ca989

SHA512
2a7686c7918d4ccd18c7ef9dce9c674d3e2ef64a75a3c2d15958f847edf172583007fc4e521223f8f7496ba66903ae3446bf14f24d7ce46cc1bc9da518653913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
99bdc72e10ffe1582d191cba772d2ffb

SHA1
9d4063a594f80096af7a9f9788c4e8ad1dc9b20d

SHA256
742076e3d4a3656bfe793f0624d6e7c546d243895f73984bf176f4a167b9ae04

SHA512
6820510d33f377d2f92762733099d17c36062cb4c2c49f832d41e1d67fb1846a8bcf346374f5861cd86b5b6eb25cd1da15e08227e06b9f72c5219304bb59b591

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1225de6a8f537acd352d3d2614b2c6c4

SHA1
515ab923d629b30d0209926739f9fe615a9f6a68

SHA256
adb03c232a3bd5965bf54557850877d740fc4cb3de5648e75f3b7de3f321f7a6

SHA512
e3efaaf18a959761e6becfb825f86e0d2ffae039cd5c4957884ebabf1c63a33629de1b1f499c3b62e689b8303efc78d3d1af74770e0f63e86fd1790a0d6bba41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
170de8c9797d0227131c30b5da0958ea

SHA1
2b7e5e617e23a246cce31cadcc4056bf306641fb

SHA256
8cd0f21b97246c853f60f7d10f290c74b2eadb80f28d686fbb8a5ea1427d074b

SHA512
584dbdc5ce7ded64e691b3256e3ed87441840b6021e580d544be711eda8c95e2ca7efc14f9fbdc42b3aed4a125300303842a67593d355302963456f3bbb6baa5

Download Submit
C:\Users\Admin\Documents\SplitConvertTo.xlt.ANNABELLE

Filesize
267KB

MD5
4da469539ed45e6b257eb8bcc3616a07

SHA1
0e89c0fc8b0b4368f7e04f20791c180f5f431fd0

SHA256
93612b0b33a1e00fe320a91d81476d5cc12ed2478ba8ebeb6e9a1f53cfcc7b77

SHA512
b0dddd3f558c816f3cb4476bf7f63ddc3d644ea47318e5a84250786e0c7097a470176dca4d37e2adcad0b0021f4c314994ed3d936176c35a7ef9348274c8b010

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 705581.crdownload

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
memory/236-412-0x0000029231700000-0x00000292326F4000-memory.dmp

Filesize
16.0MB

Download
memory/236-425-0x000002924CC70000-0x000002924E1FE000-memory.dmp

Filesize
21.6MB

Download
memory/2124-437-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-430-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-436-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-435-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-434-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-438-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-439-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-440-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-428-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download
memory/2124-429-0x000002C3FDC00000-0x000002C3FDC01000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads