evilnum | 69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4

Analysis

Target

69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4.lnk
Size

165KB
MD5

e07c8e2f268018c7a751998dec8502c7
SHA1

a5c91e06881e19079b7e8496c6f229a790e8c1ee
SHA256

69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4
SHA512

4b2537fe55d06acfb82ad24bca1ac00bb561a430a8668345141fdd72aac7f920d6a1daaad9b42fda5a1b6ddc5f823295cb0bcc01dbe639c467fc3c68dfa1b3d8

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2636	2668	cmd.exe	69
PID 2668 wrote to memory of 2636	2668	cmd.exe	69
PID 2636 wrote to memory of 2712	2636	cmd.exe	70
PID 2636 wrote to memory of 2712	2636	cmd.exe	70
PID 2636 wrote to memory of 1764	2636	cmd.exe	71
PID 2636 wrote to memory of 1764	2636	cmd.exe	71
PID 2636 wrote to memory of 3716	2636	cmd.exe	72
PID 2636 wrote to memory of 3716	2636	cmd.exe	72
PID 2636 wrote to memory of 2844	2636	cmd.exe	73
PID 2636 wrote to memory of 2844	2636	cmd.exe	73
PID 2636 wrote to memory of 432	2636	cmd.exe	74
PID 2636 wrote to memory of 432	2636	cmd.exe	74

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "GDPR-EXANTE2020.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "GDPR*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "GDPR*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1764
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:2844
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:432

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact