Ransom.MSIL.ANNABELLE.A


 ALIASES:

MSIL/Filecoder.DP!tr.ransom (FORTINET), Ransom:MSIL/FileCoder!MTB (MICROSOFT)

 PLATFORM:

Windows


  • Threat Type: Ransomware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This Ransomware may be unknowingly downloaded by a user while visiting malicious websites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It encrypts files found in specific folders.

  TECHNICAL DETAILS

File Size:

16,712,287 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

27 Mar 2023

Payload:

Drops files, Modifies system registry, Terminates processes, Restarts system, Encrypts files

Arrival Details

This Ransomware may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Ransomware drops and executes the following files:

  • MBRiCoreX.exe

It adds the following processes:

  • %System%\vssadmin.exe vssadmin delete shadows /all /quiet
  • %System%\NetSh.exe NetSh Advfirewall set allprofiles state off
  • %System%\Shutdown.exe -r -t 00 -f

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
UpdateBackUp = {Malware Path}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
UpdateBackUp = {Malware Path}

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
UpdateBackUp = {Malware Path}

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
DisableRoutinelyTakingAction = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
WindowsDefenderMAJ = 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
WindowsDefenderMAJ = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
Enabled = 0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
Enabled = 0

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableSR = 1

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableSR = 1

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = 1

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = 1

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services
USBSTOR = 4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
USBSTOR = 4

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 1

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
DisableCMD = 2

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
DisableCMD = 2

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\Microsoft
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services
SecurityHealthService = 4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
SecurityHealthService = 4

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services
WdNisSvc = 3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
WdNisSvc = 3

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services
WinDefend = 3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
WinDefend = 3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = 0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel = 1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal
MinimalX = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = {Malware Path}\{Malware Filename}.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 1

Propagation

This Ransomware drops the following copy(ies) of itself in all removable drives:

  • {Removable Drive}:\Copter.flv.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=Copter.flv.exe
shellexecute=Copter.flv.exe

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

  • ProcessHacker
  • procexp64
  • msconfig
  • taskmgr
  • chrome
  • firefox
  • regedit
  • opera
  • UserAccountControlSettings
  • yandex
  • microsoftedge
  • microsoftedgecp
  • iexplore

Other Details

This Ransomware does the following:

  • It disables the following:
    • Windows Defender
    • System Restore
    • Task Manager
    • CMD
    • Run Command
    • Control Panel
    • Safe Boot
    • Registry Tools
    • Windows Script Host
    • USB driver

    It disables executing the following applications by adding the following registry entries:
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application}
      • Debugger = RIP

    where {application} is any of the following:
    • msconfig.exe
    • taskmgr.exe
    • cmd.exe
    • chrome.exe
    • firefox.exe
    • opera.exe
    • microsoftedge.exe
    • microsoftedgecp.exe
    • notepad++.exe
    • iexplore.exe
    • notepad.exe
    • MSASCuiL.exe
    • mmc.exe
    • gpedit.msc
    • UserAccountControlSettings.exe
    • Autoruns64.exe
    • Autoruns.exe
    • systemexplorer.exe
    • taskkill.exe
    • powershell.exe
    • yandex.exe
    • attrib.exe
    • bcdedit.exe
    • sethc.exe
    • mspaint.exe
    • dllhost.exe
    • rundll.exe
    • rundll32.exe
    • cabinet.dll
    • chkdsk.exe
    • DBGHELP.exe
    • DCIMAN32.exe
    • wmplayer.exe
    • ksuser.dll
    • mpg4dmod.dll
    • mydocs.dll
    • rasman.dll
    • shellstyle.dll
    • secpol.msc
    • url.dll
    • usbui.dll
    • webcheck.dll
    • recoverydrive.exe
    • logoff.exe
    • control.exe
    • explorer.exe
    • regedit.exe
    • csrss.exe

    It also connects to http://{BLOCKED}somatic.com/
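The registry artifacts listed under Autostart Technique, Other System Modifications and the Image File Execution Options entries above can be checked on a suspect host with a read-only script. The following is an added example written for this entry, not code from Trend Micro; it assumes an elevated PowerShell session and only reports what it finds.

```powershell
# Added example: read-only sweep for the registry artifacts this entry
# attributes to Ransom.MSIL.ANNABELLE.A. Assumes an elevated session.
$findings = @()

# Autostart: Run value named UpdateBackUp, and a replaced Winlogon Shell
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
  $v = Get-ItemProperty -Path $k -Name 'UpdateBackUp' -ErrorAction SilentlyContinue
  if ($v) { $findings += "Run value UpdateBackUp in $k -> $($v.UpdateBackUp)" }
}
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell replaced: $shell" }

# Policy values from the entry (key|value name => data the malware writes)
$policies = @{
  'HKLM:\Software\Policies\Microsoft\Windows Defender|DisableAntiSpyware' = 1
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection|DisableRealtimeMonitoring' = 1
  'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore|DisableSR' = 1
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr' = 1
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools' = 1
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|EnableLUA' = 0
  'HKLM:\Software\Policies\Microsoft\Windows\System|DisableCMD' = 2
}
foreach ($entry in $policies.GetEnumerator()) {
  $path, $name = $entry.Key -split '\|'
  $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
  if ($null -ne $cur -and $cur -eq $entry.Value) { $findings += "$path\$name = $cur" }
}

# IFEO hijack: any per-application Debugger value set to the string 'RIP'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
  $dbg = (Get-ItemProperty $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
  if ($dbg -eq 'RIP') { $findings += "IFEO Debugger=RIP for $($_.PSChildName)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No ANNABELLE registry artifacts found.' }
```

A hit on the Winlogon Shell or IFEO checks is the most reliable indicator, since those values are rarely set legitimately; the policy values can also be set by administrators, so treat them as corroborating evidence.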

Ransomware Routine

This Ransomware encrypts files found in the following folders:

  • %User Profile%\Downloads
  • %User Profile%\Desktop
  • D:\

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit).)

It appends the following extension to the file name of the encrypted files:

  • .ANNABELLE

NOTES:
This ransomware displays the following message box:

It then reboots the system and displays this lock screen:

Once the user clicks the button “Credit”, it displays the following:

Once the user clicks the button “Information”, it displays the following:

Once the user clicks the button “Encrypted Files”, it displays the following:

Once the user clicks the button “Check Payment / Get Code”, it displays the following:

The unlock key is: wHYecVx64uX2zjVedeTeyRLN

It displays the following window that shows the decryption process of the malware:

It reboots the system and displays the malware's MBR, making the system unbootable:

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

18.323.00

FIRST VSAPI PATTERN DATE:

17 Mar 2023

VSAPI OPR PATTERN File:

18.323.00

VSAPI OPR PATTERN Date:

17 Mar 2023

NOTES:
Restore the system from backup or reinstall the operating system (OS). The system may be made bootable by doing a system repair using a Windows installer disk.
