evilnum | 04f1fce5628ec0cff7f616a37d11bb7498974522e5400bb5a2059dd00e0d0100

Analysis

max time kernel
154s
max time network
152s
platform
windows7_x64
resource
win7-en-20211208
submitted
04-02-2022 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Barclays CC Front.jpg.lnk
Size

83KB
MD5

42a0e13c97e0aa0867f769b71e378d24
SHA1

c7575dccc6d1a228393e9ac0840a4c10bb4c1fb2
SHA256

bb579920513264854cb4ff08d86eb4ee6c2ade66ca14abd9752320053a1a7028
SHA512

8106fb31144357c1e3ef61c74157ab60e5f81515d6c831347da09aae68c38fcb2cb58ae74758af1f4db32e590abf123c430821d86016191bedcdf579fbc59f0b

Score

10^/10

evilnum trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Blocklisted process makes network request 64 IoCs

flow	pid	Process
3	1188	cscript.exe
4	1188	cscript.exe
6	1188	cscript.exe
7	1188	cscript.exe
8	1188	cscript.exe
9	1188	cscript.exe
10	1188	cscript.exe
11	1188	cscript.exe
12	1188	cscript.exe
13	1188	cscript.exe
14	1188	cscript.exe
15	1188	cscript.exe
16	1188	cscript.exe
17	1188	cscript.exe
18	1188	cscript.exe
19	1188	cscript.exe
20	1188	cscript.exe
21	1188	cscript.exe
22	1188	cscript.exe
23	1188	cscript.exe
24	1188	cscript.exe
25	1188	cscript.exe
26	1188	cscript.exe
27	1188	cscript.exe
28	1188	cscript.exe
29	1188	cscript.exe
31	1188	cscript.exe
32	1188	cscript.exe
33	1188	cscript.exe
34	1188	cscript.exe
35	1188	cscript.exe
36	1188	cscript.exe
37	1188	cscript.exe
38	1188	cscript.exe
39	1188	cscript.exe
40	1188	cscript.exe
41	1188	cscript.exe
42	1188	cscript.exe
43	1188	cscript.exe
44	1188	cscript.exe
45	1188	cscript.exe
46	1188	cscript.exe
47	1188	cscript.exe
48	1188	cscript.exe
49	1188	cscript.exe
50	1188	cscript.exe
51	1188	cscript.exe
52	1188	cscript.exe
53	1188	cscript.exe
54	1188	cscript.exe
55	1188	cscript.exe
56	1188	cscript.exe
57	1188	cscript.exe
58	1188	cscript.exe
59	1188	cscript.exe
60	1188	cscript.exe
61	1188	cscript.exe
62	1188	cscript.exe
63	1188	cscript.exe
65	1188	cscript.exe
66	1188	cscript.exe
67	1188	cscript.exe
68	1188	cscript.exe
69	1188	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
800	cmd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 800	1408	cmd.exe	28
PID 1408 wrote to memory of 800	1408	cmd.exe	28
PID 1408 wrote to memory of 800	1408	cmd.exe	28
PID 800 wrote to memory of 920	800	cmd.exe	29
PID 800 wrote to memory of 920	800	cmd.exe	29
PID 800 wrote to memory of 920	800	cmd.exe	29
PID 920 wrote to memory of 1172	920	forfiles.exe	30
PID 920 wrote to memory of 1172	920	forfiles.exe	30
PID 920 wrote to memory of 1172	920	forfiles.exe	30
PID 920 wrote to memory of 1176	920	forfiles.exe	31
PID 920 wrote to memory of 1176	920	forfiles.exe	31
PID 920 wrote to memory of 1176	920	forfiles.exe	31
PID 800 wrote to memory of 1796	800	cmd.exe	32
PID 800 wrote to memory of 1796	800	cmd.exe	32
PID 800 wrote to memory of 1796	800	cmd.exe	32
PID 800 wrote to memory of 976	800	cmd.exe	33
PID 800 wrote to memory of 976	800	cmd.exe	33
PID 800 wrote to memory of 976	800	cmd.exe	33
PID 800 wrote to memory of 1724	800	cmd.exe	34
PID 800 wrote to memory of 1724	800	cmd.exe	34
PID 800 wrote to memory of 1724	800	cmd.exe	34
PID 800 wrote to memory of 308	800	cmd.exe	35
PID 800 wrote to memory of 308	800	cmd.exe	35
PID 800 wrote to memory of 308	800	cmd.exe	35
PID 308 wrote to memory of 1360	308	cscript.exe	37
PID 308 wrote to memory of 1360	308	cscript.exe	37
PID 308 wrote to memory of 1360	308	cscript.exe	37
PID 1360 wrote to memory of 1188	1360	cscript.exe	39
PID 1360 wrote to memory of 1188	1360	cscript.exe	39
PID 1360 wrote to memory of 1188	1360	cscript.exe	39

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Barclays CC Front.jpg.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Barclays CC Front.jpg*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "RDE3">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Barc*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\system32\cmd.exe
      /c move "C:\Users\Admin\AppData\Local\Temp\Barclays CC Back.jpg.lnk" C:\Users\Admin\AppData\Local\Temp\1.lnk
      4⤵
      PID:1172
  - - C:\Windows\system32\cmd.exe
      /c move "C:\Users\Admin\AppData\Local\Temp\Barclays Utility.jpg.lnk" C:\Users\Admin\AppData\Local\Temp\1.lnk
      4⤵
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1796
- - C:\Windows\system32\find.exe
    find "RDE3"
    3⤵
    PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1724
- - C:\Windows\system32\cscript.exe
    cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        5⤵
        Blocklisted process makes network request
        
        PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download