Annabelle will then configure Image File Execution registry entries to not be able to open the above mentioned software and other software such as Notepad ++, Notepad, Internet Explorer, Chrome, Opera . Then the malicious code will spread itself. with the file autoru.inf. This is also quite useless because new versions of Windows do not support the autoplay feature.
When all is finished, it will encrypt the machine with a static key and add the .ANNABELLE extension to the end of the file name.
Encrypted files will be attached with the .ANNABELLE extension to the name
The computer will then restart and when the user logs in, the lock screen will appear with the developer name iCoreX0812 and how to contact them on Discord. Eventually it will run a software that replaces the Master Boot Record to display a screen with information about the developer every time the machine turns on.
Screen showing the developer information
MBR lock screen
In general, this code only allows its owner to display his 'skills', not really to blackmail. It is also based on Stupid Ransomware and can be decoded. Because of the static key, Michael Gillespie can update StupidDecryptor to fake this variant code.
By replacing the MBR, run Rkill in Safe Mode to clean up the IFEO registry entries, use Michael's decryption tool to decrypt the file and security scans to clean up the remnants, you can put your computer in a state of normal if this is infected.
IOC information
Hashes
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
Related files
Copter.flv.exe
MBRiCoreX.exe
See more: