evilnum | 0d878b1b9f5c1ae8925e55df9e10b4271eb99970af133e251830044d24296ba8 | Triage

Sharing

General

Target

EvilNum_PyVil.zip
Size

5.4MB
Sample

201226-bt35fyn9jx
MD5

bc864f30fab6440bda24050e97abc667
SHA1

9463f9d397c68b81a4088ffdf56ed2032e7e71e3
SHA256

0d878b1b9f5c1ae8925e55df9e10b4271eb99970af133e251830044d24296ba8
SHA512

e4e8c91db03cbd18c5a777e40482651ca9564714c5221d2e27e12598673c2155b41c7506b2087442b75ca1fe218442cbaa472b1fb0455b4a0f4e7c9cf4c1985d

Score

10^/10

evilnum wannacry evasion ransomware trojan worm

Malware Config

Targets

- Target
  
  0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c
- Size
  
  11KB
- MD5
  
  2b33321ead1744461759d9c092b3c7d4
- SHA1
  
  00f9f9aa1c82a76619489d8930e6edaf1da0a9a4
- SHA256
  
  0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c
- SHA512
  
  e5fcf2d8124f168623389d2107cd806abcc8cb8b2c6d7ebce0167f01f086fda53e1c6d68a5dab9fb207e709a7ba9b7f975ca60a793bc8521c037c60aacaa60cd
Score

7^/10
- Deletes itself
- JavaScript code in executable
behavioral1 behavioral2
- Target
  
  3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
- Size
  
  685KB
- MD5
  
  6363ddf8a20345c0201868b209afbd63
- SHA1
  
  941727ee9620624f595175468c27f863e3c2bc4a
- SHA256
  
  3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
- SHA512
  
  f885eb46111da748b28b6a78d8e59e8e4f614e66e2e051e7a04d2d857c41513fdf68db77e2ee5319195389d6bd17e08fe5a2b159312e6deff5d157edfe8b2fe4
Score

10^/10

evilnum trojan
- Evilnum
  A malware family with multiple components distributed through LNK files.
  trojan evilnum
behavioral3 behavioral4
- Target
  
  79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
- Size
  
  347KB
- MD5
  
  7b478edc2b74d7ecdc6b1d9532c9e7f8
- SHA1
  
  8249c08bc5b032dfa1d2ccca7d3988c494e8697e
- SHA256
  
  79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
- SHA512
  
  5efe382eddda3a79c4cfdd90aef8beac1a987c02e6534582f651a07e33cab9baeb7b687cc8a04e67075d4525347ba81aefa65ea8018de2faea9c382bb5ae9ec4
Score

1^/10
behavioral5 behavioral6
- Target
  
  83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
- Size
  
  938KB
- MD5
  
  fc00819c4cdc8609313041cf345a7dca
- SHA1
  
  3cb2d94e7a3b6d6141106e3973189e06306ce2f0
- SHA256
  
  83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
- SHA512
  
  53b2761be2a805aa6cdc7857b70da8b25ccf0990dc1f9a6501ed73af9909db6a58667b9bcd786c9acc19309b18bc228ac02d3ebe97063b1cf6bf2362c935131c
Score

10^/10

evilnum trojan evasion ransomware
- Evilnum
  A malware family with multiple components distributed through LNK files.
  trojan evilnum
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Executes dropped EXE
behavioral7 behavioral8
- Target
  
  a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d
- Size
  
  256KB
- MD5
  
  6706b28accb971bd98738649725456a9
- SHA1
  
  0305a4dda3ffa5fe7b1f89a14818f4954ae03118
- SHA256
  
  a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d
- SHA512
  
  9db0f8e0d0fecee6089d7dbcfd75c98272295c78aae3fbd104192ea106fba4deed6fd89ce9b7abf38b996eca92e42ca9d15eb7122a01fb6fb42bc54a8b595317
Score

10^/10

wannacry ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Executes dropped EXE
- Drops file in System32 directory
behavioral9 behavioral10
- Target
  
  c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
- Size
  
  1.5MB
- MD5
  
  ffee111b993de52e2034e31953dee86b
- SHA1
  
  e88f7946cc7b987b0c49b28d770e722bd0fa3a04
- SHA256
  
  c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
- SHA512
  
  390d7a6d438ef634c7456a9f51948b22e250c61f2fac69493bb0cf1a06dfb189da191aca4e8ff4078b53f7092a1595309fb2b3eaa300e8989a2484b914151c47
Score

10^/10

evilnum trojan
- Evilnum
  A malware family with multiple components distributed through LNK files.
  trojan evilnum
behavioral11 behavioral12
- Target
  
  db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
- Size
  
  685KB
- MD5
  
  aad36ffbe3fc85f853751f4329a346e9
- SHA1
  
  fd443a1f4dfaa6ad38f0581f58ab38a0b0478770
- SHA256
  
  db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
- SHA512
  
  430d00f4bc9f6fa18bd257d90deca104752c5a45fdcb4e54eb5a8d08de2daab43a205c0fea57da93fea6d444106534311f44c734f7b396c2c7ad53c74d3a11b1
Score

10^/10

evilnum trojan
- Evilnum
  A malware family with multiple components distributed through LNK files.
  trojan evilnum
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral13 behavioral14
- Target
  
  e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f
- Size
  
  256KB
- MD5
  
  8b346ef17943e7923e44e80c5b129a47
- SHA1
  
  f801ae848527b21d444c8177c78e78d2448dd0e4
- SHA256
  
  e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f
- SHA512
  
  d80898838b90ea10ebdc653687039dde7b10f4afadbe1aae2bef6d107a50bbe443c04a838b610a6c0f37baba3ee4d144b9f608ecc97232a282a6c2de68c75c05
Score

1^/10
behavioral15 behavioral16
- Target
  
  f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
- Size
  
  938KB
- MD5
  
  cb908352d719b9e0a7142c4110ae502e
- SHA1
  
  e50a8c33b315517a4bad5eb35fb09e572c3ee9fa
- SHA256
  
  f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
- SHA512
  
  9502d7c069532571277e3c8c849e9ce81130a11bf5ad892dad688aa9e53973abc76fb5b53aee72ca37fe29e50aa2543f2681a6d849ada59b9e07ff6e3b574909
Score

10^/10

evilnum trojan evasion ransomware
- Evilnum
  A malware family with multiple components distributed through LNK files.
  trojan evilnum
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Executes dropped EXE
behavioral17 behavioral18

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Indicator Removal on Host

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

evilnumevasionransomwaretrojan

behavioral9

wannacryransomwareworm

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

evilnumevasionransomwaretrojan