evilnum | 3c68fd735f165dfed20be28518aa425e8537a84b93a84d85d501e6d9b8f3417d

Analysis

Target

3c68fd735f165dfed20be28518aa425e8537a84b93a84d85d501e6d9b8f3417d.lnk
Size

2KB
MD5

5cfc2d030aaf562aa03237f52ba7115a
SHA1

f37eaea4dba612c383e582a73010ac4028499f11
SHA256

3c68fd735f165dfed20be28518aa425e8537a84b93a84d85d501e6d9b8f3417d
SHA512

22b6c93e31f89efb7384e8c8fad23b037286b3b72b92ba7aeeb19b29a8d27743f46d465d433663c18d0aac861eaced58dbfc8268f0d02a279f99c998483278ab

Score

10^/10

evilnum trojan

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1832	536	cmd.exe	29
PID 536 wrote to memory of 1832	536	cmd.exe	29
PID 536 wrote to memory of 1832	536	cmd.exe	29
PID 1832 wrote to memory of 1776	1832	cmd.exe	30
PID 1832 wrote to memory of 1776	1832	cmd.exe	30
PID 1832 wrote to memory of 1776	1832	cmd.exe	30
PID 1832 wrote to memory of 1924	1832	cmd.exe	31
PID 1832 wrote to memory of 1924	1832	cmd.exe	31
PID 1832 wrote to memory of 1924	1832	cmd.exe	31
PID 1832 wrote to memory of 1164	1832	cmd.exe	32
PID 1832 wrote to memory of 1164	1832	cmd.exe	32
PID 1832 wrote to memory of 1164	1832	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3c68fd735f165dfed20be28518aa425e8537a84b93a84d85d501e6d9b8f3417d.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "KYC Documenten.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1776
- - C:\Windows\system32\find.exe
    find "END2"
    3⤵
    PID:1924
- - C:\Windows\system32\wscript.exe
    wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:1164

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/536-54-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download