Overview

overview

10

Static

static

6

0d7dc074be...41c.js

windows7_x64

7

0d7dc074be...41c.js

windows10_x64

7

3b7cd07e87...ce.lnk

windows7_x64

10

3b7cd07e87...ce.lnk

windows10_x64

10

79e21ff914...3c.exe

windows7_x64

1

79e21ff914...3c.exe

windows10_x64

1

83c375dcda...90.lnk

windows7_x64

10

83c375dcda...90.lnk

windows10_x64

10

a81f152a31...5d.exe

windows7_x64

10

a81f152a31...5d.exe

windows10_x64

1

c7cf5c62ec...20.lnk

windows7_x64

10

c7cf5c62ec...20.lnk

windows10_x64

10

db5d09edc2...f1.lnk

windows7_x64

10

db5d09edc2...f1.lnk

windows10_x64

10

e678ec3dbc...2f.exe

windows7_x64

1

e678ec3dbc...2f.exe

windows10_x64

1

f5f79e2169...9e.lnk

windows7_x64

10

f5f79e2169...9e.lnk

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EvilNum_PyVil.zip

  • Size

    5.4MB

  • Sample

    201226-bt35fyn9jx

  • MD5

    bc864f30fab6440bda24050e97abc667

  • SHA1

    9463f9d397c68b81a4088ffdf56ed2032e7e71e3

  • SHA256

    0d878b1b9f5c1ae8925e55df9e10b4271eb99970af133e251830044d24296ba8

  • SHA512

    e4e8c91db03cbd18c5a777e40482651ca9564714c5221d2e27e12598673c2155b41c7506b2087442b75ca1fe218442cbaa472b1fb0455b4a0f4e7c9cf4c1985d

Score
10/10
evilnumwannacryevasionransomwaretrojanworm

Malware Config

Targets

    • Target

      0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c

    • Size

      11KB

    • MD5

      2b33321ead1744461759d9c092b3c7d4

    • SHA1

      00f9f9aa1c82a76619489d8930e6edaf1da0a9a4

    • SHA256

      0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c

    • SHA512

      e5fcf2d8124f168623389d2107cd806abcc8cb8b2c6d7ebce0167f01f086fda53e1c6d68a5dab9fb207e709a7ba9b7f975ca60a793bc8521c037c60aacaa60cd

    Score
    7/10

    • Deletes itself

    • JavaScript code in executable

    behavioral1behavioral2

    • Target

      3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce

    • Size

      685KB

    • MD5

      6363ddf8a20345c0201868b209afbd63

    • SHA1

      941727ee9620624f595175468c27f863e3c2bc4a

    • SHA256

      3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce

    • SHA512

      f885eb46111da748b28b6a78d8e59e8e4f614e66e2e051e7a04d2d857c41513fdf68db77e2ee5319195389d6bd17e08fe5a2b159312e6deff5d157edfe8b2fe4

    Score
    10/10
    evilnumtrojan

    • Evilnum

      A malware family with multiple components distributed through LNK files.

      trojanevilnum
    behavioral3behavioral4

    • Target

      79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c

    • Size

      347KB

    • MD5

      7b478edc2b74d7ecdc6b1d9532c9e7f8

    • SHA1

      8249c08bc5b032dfa1d2ccca7d3988c494e8697e

    • SHA256

      79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c

    • SHA512

      5efe382eddda3a79c4cfdd90aef8beac1a987c02e6534582f651a07e33cab9baeb7b687cc8a04e67075d4525347ba81aefa65ea8018de2faea9c382bb5ae9ec4

    Score
    1/10
    behavioral5behavioral6

    • Target

      83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90

    • Size

      938KB

    • MD5

      fc00819c4cdc8609313041cf345a7dca

    • SHA1

      3cb2d94e7a3b6d6141106e3973189e06306ce2f0

    • SHA256

      83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90

    • SHA512

      53b2761be2a805aa6cdc7857b70da8b25ccf0990dc1f9a6501ed73af9909db6a58667b9bcd786c9acc19309b18bc228ac02d3ebe97063b1cf6bf2362c935131c

    Score
    10/10
    evilnumtrojanevasionransomware

    • Evilnum

      A malware family with multiple components distributed through LNK files.

      trojanevilnum

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    behavioral7behavioral8

    • Target

      a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d

    • Size

      256KB

    • MD5

      6706b28accb971bd98738649725456a9

    • SHA1

      0305a4dda3ffa5fe7b1f89a14818f4954ae03118

    • SHA256

      a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d

    • SHA512

      9db0f8e0d0fecee6089d7dbcfd75c98272295c78aae3fbd104192ea106fba4deed6fd89ce9b7abf38b996eca92e42ca9d15eb7122a01fb6fb42bc54a8b595317

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral9behavioral10

    • Target

      c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720

    • Size

      1.5MB

    • MD5

      ffee111b993de52e2034e31953dee86b

    • SHA1

      e88f7946cc7b987b0c49b28d770e722bd0fa3a04

    • SHA256

      c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720

    • SHA512

      390d7a6d438ef634c7456a9f51948b22e250c61f2fac69493bb0cf1a06dfb189da191aca4e8ff4078b53f7092a1595309fb2b3eaa300e8989a2484b914151c47

    Score
    10/10
    evilnumtrojan

    • Evilnum

      A malware family with multiple components distributed through LNK files.

      trojanevilnum
    behavioral11behavioral12

    • Target

      db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1

    • Size

      685KB

    • MD5

      aad36ffbe3fc85f853751f4329a346e9

    • SHA1

      fd443a1f4dfaa6ad38f0581f58ab38a0b0478770

    • SHA256

      db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1

    • SHA512

      430d00f4bc9f6fa18bd257d90deca104752c5a45fdcb4e54eb5a8d08de2daab43a205c0fea57da93fea6d444106534311f44c734f7b396c2c7ad53c74d3a11b1

    Score
    10/10
    evilnumtrojan

    • Evilnum

      A malware family with multiple components distributed through LNK files.

      trojanevilnum

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral13behavioral14

    • Target

      e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f

    • Size

      256KB

    • MD5

      8b346ef17943e7923e44e80c5b129a47

    • SHA1

      f801ae848527b21d444c8177c78e78d2448dd0e4

    • SHA256

      e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f

    • SHA512

      d80898838b90ea10ebdc653687039dde7b10f4afadbe1aae2bef6d107a50bbe443c04a838b610a6c0f37baba3ee4d144b9f608ecc97232a282a6c2de68c75c05

    Score
    1/10
    behavioral15behavioral16

    • Target

      f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e

    • Size

      938KB

    • MD5

      cb908352d719b9e0a7142c4110ae502e

    • SHA1

      e50a8c33b315517a4bad5eb35fb09e572c3ee9fa

    • SHA256

      f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e

    • SHA512

      9502d7c069532571277e3c8c849e9ce81130a11bf5ad892dad688aa9e53973abc76fb5b53aee72ca37fe29e50aa2543f2681a6d849ada59b9e07ff6e3b574909

    Score
    10/10
    evilnumtrojanevasionransomware

    • Evilnum

      A malware family with multiple components distributed through LNK files.

      trojanevilnum

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    behavioral17behavioral18

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

2
T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

2
T1070

File Deletion

6
T1107

Credential Access

Discovery

Remote System Discovery

1
T1018

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

8
T1490

Tasks