Overview

overview

10

Static

static

10

2.png.lnk

windows7_x64

10

2.png.lnk

windows10_x64

10

3.png.lnk

windows7_x64

10

3.png.lnk

windows10_x64

10

4.png.lnk

windows7_x64

10

4.png.lnk

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 04:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2.png.lnk

  • Size

    69KB

  • MD5

    c32820d1eb296d44c56f8430584d9d69

  • SHA1

    a2dbd75dd079594d36509f5ef84a22f869df68cf

  • SHA256

    9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5

  • SHA512

    7a2fde5f81d4b96314340c412c19e1e4d075c6ef9b52969470d46a4bcafd1bf39deeca97d60921d1d27f665bd15e8ba635bf72a24799899566de4d5ad5226780

Score
10/10
evilnumtrojan

Malware Config

Signatures

  • EvilNum JS Component 3 IoCs
  • Evilnum

    A malware family with multiple components distributed through LNK files.

    trojanevilnum
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\2.png.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "2.png*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\system32\forfiles.exe
        forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "2.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
        3⤵
          PID:1840
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
          3⤵
            PID:3716
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" rd a"
            3⤵
              PID:3292
            • C:\Windows\system32\find.exe
              find "TRU4"
              3⤵
                PID:4060
              • C:\Windows\system32\cscript.exe
                cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
                3⤵
                • Deletes itself
                • Suspicious use of WriteProcessMemory
                PID:1296
                • C:\Windows\System32\cscript.exe
                  "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3284
                  • C:\Windows\System32\cscript.exe
                    "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:788
                    • C:\Windows\System32\reg.exe
                      "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.reg
                      6⤵
                        PID:2768
                      • C:\Windows\System32\reg.exe
                        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\mediaIE.reg
                        6⤵
                        • Modifies Internet Explorer Automatic Crash Recovery
                        • Modifies Internet Explorer Phishing Filter
                        • Modifies Internet Explorer Protected Mode
                        • Modifies Internet Explorer Protected Mode Banner
                        • Modifies Internet Explorer settings
                        PID:1372
                      • C:\Windows\System32\cscript.exe
                        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
                        6⤵
                          PID:1600
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
                1⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2116
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:82945 /prefetch:2
                  2⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3260
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:82947 /prefetch:2
                  2⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2648

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads