Analysis

max time kernel: 1484s
max time network: 1498s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/03/2024, 22:22

Static task: static1
Behavioral task: behavioral1
  Sample: Chernobyl.exe
  Resource: win11-20240221-en
General

Target: Chernobyl.exe
Size: 343KB
MD5: d576e0520faa40435d5bdc66304205f9
SHA1: b99fce6ebd094e2cbc29e1ed4e47360781e86c47
SHA256: 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
SHA512: 6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98
SSDEEP: 6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg
Malware Config
Signatures

Each IoC row is: action, registry key or file, process that performed it.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe"  Chernobyl.exe
  Note: Winlogon launches every program in the Shell list when a user logs on, so appending cluttscape.exe (dropped to C:\Windows, see below) makes it start alongside explorer.exe at each logon.

UAC bypass (1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Chernobyl.exe
  Note: writing this HKLM value already requires an elevated process; the effect is to switch UAC off for all users, and it only takes effect after a reboot.

Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  Chernobyl.exe
  Note: per-user policy under the sandbox account's SID; regedit.exe refuses to start for that account while it is set.

Disables Task Manager via registry modification
  (no IoC rows are recorded for this signature in the report)

Checks whether UAC is enabled (1 IoC)
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Chernobyl.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Chernobyl.exe
  Note: the sample reads EnableLUA before overwriting it.

Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"  Chernobyl.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"  Chernobyl.exe
  Note: AutoRestartShell = 0 stops Winlogon from relaunching the shell if it exits; DisableCAD = 1 removes the Ctrl+Alt+Del secure attention sequence at logon. The WOW6432Node paths show the sample is a 32-bit process whose HKLM\SOFTWARE writes are redirected by WOW64.
Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\SysWOW64\kill.ico  Chernobyl.exe
  Note: the file lands in SysWOW64, not System32, because WOW64 file system redirection applies to a 32-bit process.

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\cluttscape.exe  Chernobyl.exe
  File created  C:\Windows\cluttscape.exe  Chernobyl.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico"  Chernobyl.exe
  Note: the default value of Classes\Unknown\DefaultIcon is the icon Explorer shows for files with no registered extension; it now points at the dropped kill.ico.
Suspicious use of WriteProcessMemory (64 IoCs)
  Every parent-to-child write appears three times in the report's list, which is cut off at 64 entries, so the last pair (1256 -> 1872) appears once. Child process names are taken from the process tree below.

  writer PID  writer process  target PID  target process  procid_target  entries
  3904        Chernobyl.exe   960         cmd.exe         82             3
  3904        Chernobyl.exe   420         cmd.exe         84             3
  960         cmd.exe         4460        rundll32.exe    86             3
  3904        Chernobyl.exe   252         cmd.exe         87             3
  3904        Chernobyl.exe   4052        cmd.exe         89             3
  3904        Chernobyl.exe   648         cmd.exe         91             3
  3904        Chernobyl.exe   4644        cmd.exe         93             3
  420         cmd.exe         3984        rundll32.exe    95             3
  3904        Chernobyl.exe   4336        cmd.exe         96             3
  3904        Chernobyl.exe   3588        cmd.exe         98             3
  4052        cmd.exe         4488        rundll32.exe    99             3
  252         cmd.exe         248         rundll32.exe    100            3
  3904        Chernobyl.exe   1244        cmd.exe         102            3
  3904        Chernobyl.exe   4936        cmd.exe         104            3
  648         cmd.exe         2600        rundll32.exe    106            3
  3904        Chernobyl.exe   3744        cmd.exe         107            3
  3904        Chernobyl.exe   1256        cmd.exe         109            3
  4644        cmd.exe         2664        rundll32.exe    111            3
  4336        cmd.exe         4840        rundll32.exe    112            3
  3588        cmd.exe         3672        rundll32.exe    113            3
  1244        cmd.exe         4356        rundll32.exe    114            3
  1256        cmd.exe         1872        rundll32.exe    115            1
System policy modification (1 TTPs, 3 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"  Chernobyl.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"  Chernobyl.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Chernobyl.exe
  Note: shutdownwithoutlogon = 0 removes the Shutdown option from the logon screen; UseDefaultTile = 1 forces the default account picture; the EnableLUA write is the same one listed under UAC bypass.
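The registry IoCs above are printed in the kernel's native form (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...), while an EDR or Sysmon Event ID 13 (RegistryEvent, value set) logs them as HKLM\... and HKU\<SID>\... with DWORDs rendered as "DWORD (0x00000001)". The following is an added example, not part of the sandbox report, that maps the report's IoCs into that form and matches them against constructed Sysmon records; it also generalises the persistence signature to any Winlogon\Shell value other than plain explorer.exe, since the dropped file name is sample-specific. The Sysmon records and the SID S-1-5-21-99-98-97-1001 are constructed for the example.

```python
"""Added example (not part of the sandbox report): map the registry IoCs listed
under Signatures onto Sysmon Event ID 13 (RegistryEvent: value set) records and
flag matches. The Sysmon records below are constructed, not captured from this run."""
import re

# (native path exactly as the sandbox prints it, value written), copied from the report.
# A trailing backslash on the path means the key's default value.
REPORT_IOCS = [
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "explorer.exe, cluttscape.exe"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "0"),
    ("\\REGISTRY\\USER\\S-1-5-21-160263616-143223877-1356318919-1000\\Software\\Microsoft\\Windows"
     "\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "1"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoRestartShell", "0"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DisableCAD", "1"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Unknown\\DefaultIcon\\", "C:\\Windows\\SysWow64\\kill.ico"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon", "0"),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\UseDefaultTile", "1"),
]

SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def to_sysmon_target(native: str) -> str:
    """Rewrite a sandbox-native path into the TargetObject form Sysmon logs:
    \\REGISTRY\\MACHINE\\... -> HKLM\\..., \\REGISTRY\\USER\\<SID>\\... -> HKU\\<SID>\\...,
    and a trailing backslash (the key's default value) -> \\(Default)."""
    path = native + "(Default)" if native.endswith("\\") else native
    lower = path.lower()
    if lower.startswith("\\registry\\machine\\"):
        return "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    if lower.startswith("\\registry\\user\\"):
        return "HKU\\" + path[len("\\REGISTRY\\USER\\"):]
    raise ValueError(f"unrecognised hive in {native!r}")


def generalise_sid(target: str) -> str:
    """Replace the sandbox account's SID so the rule matches any user account."""
    return SID_RE.sub("<SID>", target)


def normalise_details(details: str) -> str:
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; the report prints '1'."""
    m = DWORD_RE.match(details)
    return str(int(m.group(1), 16)) if m else details


# Rule table keyed by SID-generalised, lower-cased TargetObject.
RULES = {generalise_sid(to_sysmon_target(p)).lower(): v for p, v in REPORT_IOCS}


def match_events(events):
    """Return (Image, TargetObject, reason) for every EID 13 record that reproduces
    an IoC from the report, plus any Winlogon\\Shell write that is not exactly
    explorer.exe (the persistence pattern, independent of the cluttscape.exe name)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = generalise_sid(ev["TargetObject"]).lower()
        details = normalise_details(ev["Details"])
        if target in RULES and RULES[target].lower() == details.lower():
            hits.append((ev["Image"], ev["TargetObject"], f"report IoC value {details!r}"))
        elif target.endswith("\\winlogon\\shell") and details.lower() != "explorer.exe":
            hits.append((ev["Image"], ev["TargetObject"], "Winlogon Shell is not explorer.exe"))
    return hits


# Constructed Sysmon EID 13 records: three replaying the report, one benign Explorer
# setting, and a hypothetical second sample using a different Shell entry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chernobyl.exe",
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe, cluttscape.exe"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chernobyl.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chernobyl.exe",
     "TargetObject": "HKU\\S-1-5-21-99-98-97-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-99-98-97-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\Downloads\\setup.exe",   # hypothetical sample
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe, other.exe"},
]

if __name__ == "__main__":
    for image, target, reason in match_events(SAMPLE_EVENTS):
        print(f"{reason:45} {target}  <- {image}")
```

Running the block prints four hits: the three replayed IoCs and the generic Shell finding; the Explorer\Advanced write is ignored. Note that a 64-bit sample would write the native Winlogon key rather than the WOW6432Node copy, which is why the generic rule matches on the key's suffix rather than its full path.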
Processes

Level 1
  C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe  "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"  PID 3904
  Signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Checks whether UAC is enabled; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory; System policy modification

Level 2 (twelve identical children of PID 3904)
  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

Level 3 (one child of each cmd.exe)
  C:\Windows\SysWOW64\rundll32.exe  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

  cmd.exe PID  rundll32.exe PID  cmd.exe signatures
  960          4460              Suspicious use of WriteProcessMemory
  420          3984              Suspicious use of WriteProcessMemory
  252          248               Suspicious use of WriteProcessMemory
  4052         4488              Suspicious use of WriteProcessMemory
  648          2600              Suspicious use of WriteProcessMemory
  4644         2664              Suspicious use of WriteProcessMemory
  4336         4840              Suspicious use of WriteProcessMemory
  3588         3672              Suspicious use of WriteProcessMemory
  1244         4356              Suspicious use of WriteProcessMemory
  4936         2924              (none)
  3744         792               (none)
  1256         1872              Suspicious use of WriteProcessMemory

Notes
  The image path is C:\Windows\SysWOW64\cmd.exe while the command line names C:\Windows\System32\cmd.exe: Chernobyl.exe is a 32-bit process, so its System32 references are redirected to SysWOW64 by WOW64 file system redirection, consistent with the WOW6432Node registry paths and the SysWOW64\kill.ico drop above.
  rundll32 user32.dll,UpdatePerUserSystemParameters makes the session re-read per-user desktop settings from the registry; the sample calls it twelve times so that the icon and shell changes it made apply without a logoff.
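The tree above is a three-level chain (sample in a user-writable directory -> cmd.exe -> rundll32.exe user32.dll,UpdatePerUserSystemParameters) repeated twelve times. The following is an added example, not part of the sandbox report, that rebuilds that lineage from Sysmon Event ID 1 (process create) records and flags the chain only when the grandparent runs from a user-writable path, so a legitimate desktop-refresh launched from explorer.exe is not reported. The records reuse the PIDs and command lines from the report but are constructed for the example; the parent PID 1234 of the sample and the benign explorer.exe chain (PIDs 5000 to 5002) are invented.

```python
"""Added example (not part of the sandbox report): rebuild the process tree from
Sysmon Event ID 1 (process create) records and flag the pattern in the report,
a rundll32.exe user32.dll,UpdatePerUserSystemParameters launched via cmd.exe whose
grandparent runs from a user-writable path. The records are constructed from the
PIDs and command lines in the report, not captured from it."""
from collections import defaultdict

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\", "\\users\\public\\")


def build_tree(events):
    """Map ProcessId -> record and ParentProcessId -> [child PIDs] from EID 1 records."""
    by_pid, children = {}, defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        by_pid[ev["ProcessId"]] = ev
        children[ev["ParentProcessId"]].append(ev["ProcessId"])
    return by_pid, children


def find_update_chains(events):
    """Return one finding per rundll32 UpdatePerUserSystemParameters launch whose
    parent is cmd.exe and whose grandparent lives in a user-writable directory."""
    by_pid, _ = build_tree(events)
    findings = []
    for ev in by_pid.values():
        cmd = ev["CommandLine"].lower()
        if not ev["Image"].lower().endswith("\\rundll32.exe") or "updateperusersystemparameters" not in cmd:
            continue
        parent = by_pid.get(ev["ParentProcessId"])
        if not parent or not parent["Image"].lower().endswith("\\cmd.exe"):
            continue
        root = by_pid.get(parent["ParentProcessId"])
        if not root or not any(s in root["Image"].lower() for s in USER_WRITABLE):
            continue
        findings.append({"root_pid": root["ProcessId"], "root": root["Image"],
                         "cmd_pid": parent["ProcessId"], "rundll32_pid": ev["ProcessId"],
                         # True when the launch went through the WOW64 copy of cmd.exe
                         "wow64": parent["Image"].lower().startswith("c:\\windows\\syswow64\\")})
    return findings


def count_per_root(findings):
    """Group findings by root process; repeated launches from one root are the tell."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["root_pid"]] += 1
    return dict(counts)


def _rec(pid, ppid, image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


ROOT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chernobyl.exe"
CMD_IMG = "C:\\Windows\\SysWOW64\\cmd.exe"   # WOW64-redirected image; the command line says System32
CMD_LINE = '"C:\\Windows\\System32\\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit'
RUNDLL = "C:\\Windows\\SysWOW64\\rundll32.exe"
RUNDLL_LINE = "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"

# (cmd.exe PID, rundll32.exe PID) pairs from the report's process tree.
PAIRS = [(960, 4460), (420, 3984), (252, 248), (4052, 4488), (648, 2600), (4644, 2664),
         (4336, 4840), (3588, 3672), (1244, 4356), (4936, 2924), (3744, 792), (1256, 1872)]

# Constructed records: the sample (parent PID 1234 is a placeholder), its twelve
# cmd.exe/rundll32.exe pairs, and a benign chain rooted in explorer.exe.
SAMPLE_EVENTS = [_rec(3904, 1234, ROOT, f'"{ROOT}"')]
for cmd_pid, rundll_pid in PAIRS:
    SAMPLE_EVENTS.append(_rec(cmd_pid, 3904, CMD_IMG, CMD_LINE))
    SAMPLE_EVENTS.append(_rec(rundll_pid, cmd_pid, RUNDLL, RUNDLL_LINE))
SAMPLE_EVENTS += [
    _rec(5000, 1234, "C:\\Windows\\explorer.exe", "C:\\Windows\\explorer.exe"),
    _rec(5001, 5000, "C:\\Windows\\System32\\cmd.exe",
         "cmd.exe /c start rundll32.exe user32.dll,UpdatePerUserSystemParameters"),
    _rec(5002, 5001, "C:\\Windows\\System32\\rundll32.exe", RUNDLL_LINE),
]

if __name__ == "__main__":
    found = find_update_chains(SAMPLE_EVENTS)
    print(f"{len(found)} suspicious chains; per root PID: {count_per_root(found)}")
    for f in found:
        print(f"  {f['root_pid']} -> cmd {f['cmd_pid']} -> rundll32 {f['rundll32_pid']} (wow64={f['wow64']})")
```

Run as a script it reports twelve chains, all under root PID 3904 and all through the SysWOW64 cmd.exe, and nothing for the explorer.exe-rooted chain. The repetition count per root is worth keeping as its own signal: one UpdatePerUserSystemParameters call after a settings change is ordinary, twelve in a row from a binary in Temp is not.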
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Winlogon Helper DLL (2)
Downloads

C:\Users\Admin\Desktop\äœ∞ÿ♪¶3∩é™▲±╤▼╩╠◙π¾∞œ♦▐×╩čεšπ¤4█µŸ▬±¼æÇæ±ß♀é¶Â▬∞—ÿ╩◘↑♥¼♦¢♥▀æÿ♦♪ń3š¾Σ☺∞√▲ž√■₧☺£Æ¬♥▐ě¤éä╥¬—φæ↑▌▐5öÇ╤õø
  (file name reproduced exactly as the sandbox recorded it)
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b