Analysis
-
max time kernel
130s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 13:59
General
-
Target
3c68fd735f165dfed20be28518aa425e8537a84b93a84d85d501e6d9b8f3417d.lnk
-
Size
2KB
-
MD5
5cfc2d030aaf562aa03237f52ba7115a
-
SHA1
f37eaea4dba612c383e582a73010ac4028499f11
-
SHA256
3c68fd735f165dfed20be28518aa425e8537a84b93a84d85d501e6d9b8f3417d
-
SHA512
22b6c93e31f89efb7384e8c8fad23b037286b3b72b92ba7aeeb19b29a8d27743f46d465d433663c18d0aac861eaced58dbfc8268f0d02a279f99c998483278ab
Score
10/10
Malware Config
Signatures
-
Evilnum
A malware family with multiple components distributed through LNK files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\3c68fd735f165dfed20be28518aa425e8537a84b93a84d85d501e6d9b8f3417d.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "KYC Documenten.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""3⤵
-
-
C:\Windows\system32\find.exefind "END2"3⤵
-
-
C:\Windows\system32\wscript.exewscript "C:\Users\Admin\AppData\Local\Temp\0.js"3⤵
-
-