Analysis

  • max time kernel
    46s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 19:25

General

  • Target

    Chernobyl.exe

  • Size

    126KB

  • MD5

    d59ea869efea7a22baf00e179e05cca8

  • SHA1

    96a55a0d6d305dd7c9e11c6fba5eb31dac8d4eab

  • SHA256

    5afc406a9a72118bd28a15c671a02a1972fc4dfe4cab66db784f4a22a0ae3968

  • SHA512

    a69efdcef30ed5450e9f9d195494d6303b48efdbe253fb740bdc299e7325aebba2e7c27668239b5aa7eddc6717e26c2318700d326ed7e0a8463731f27eb4d892

  • SSDEEP

    3072:vEbAxMSwSRSE8fdSIbvh8wqYOeuDAQa3tC6cVpL4JOu2/JseB:vEbAO7WEzv4TatcVNqOR/Jd

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt (14 IoCs)
  • Modifies file permissions (1 TTP, 14 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (14 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\smss.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\csrss.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\wininit.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\lsass.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\services.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winlogon.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:676
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
      2⤵
      PID:1176
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winload.efi
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:328
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
      2⤵
      PID:1588
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winload.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
      2⤵
      PID:2832
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\ntoskrnl.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2408
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
      2⤵
      PID:1136
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\svchost.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:112
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:668
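Every chain in the tree above has the same shape: the sample spawns cmd.exe /k takeown /f <System32 binary> && icacls <same binary> /grant "%username%:F" && exit, once per boot- or logon-critical file (smss, csrss, wininit, winlogon, LogonUI, lsass, services, svchost, ntoskrnl, winload). Two details matter when reading it. First, the && guard means icacls only runs if takeown returned 0, which is why an icacls child (with %username% already expanded to "Admin") appears under only the wininit.exe, ntoskrnl.exe and svchost.exe chains. Second, although the command lines name C:\Windows\System32\cmd.exe, the images that actually ran are the 32-bit copies under C:\Windows\SysWOW64, so WoW64 file system redirection applies: a 32-bit process that opens C:\Windows\System32\<file> is redirected to C:\Windows\SysWOW64\<file> unless it disables redirection or uses the Sysnative alias, and the ownership/ACL change may therefore not land on the 64-bit binary named in the command. The sandbox's file-event log, not the process tree, is where to confirm which copy was touched.

The detection logic below is an added example, not part of the sandbox report or its signature set. It runs the three per-event rules an analyst would derive from this tree (takeown on a critical binary, icacls grant on a critical binary, cmd.exe chaining the two) over Sysmon-style process-creation records, reports the redirected path for SysWOW64 images, and then walks ParentProcessId links to raise one lineage-level alert when a single ancestor touches three or more distinct critical binaries. The input records, the field names, the rule names and the threshold are this example's assumptions; the log lines are constructed to mirror the chains above.

```python
"""Detect takeown/icacls tampering with boot- and logon-critical binaries.

Assumed input: Sysmon Event ID 1 (process creation) records, one JSON object
per line, with Image, CommandLine, ProcessId and ParentProcessId. Rule names
and the threshold are this example's own choices, not sandbox signatures.
"""
import json
import re
from collections import defaultdict

# Targets taken from the process tree above; no benign program takes ownership of these.
CRITICAL_BINARIES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "logonui.exe",
    "lsass.exe", "services.exe", "svchost.exe", "ntoskrnl.exe",
    "winload.exe", "winload.efi",
}

# Paths are assumed unquoted or quoted without spaces (extend the capture groups otherwise).
TAKEOWN_RE = re.compile(r'takeown(?:\.exe)?\b.*?/f\s+"?([^\s"]+)', re.I)
ICACLS_RE = re.compile(r'icacls(?:\.exe)?\s+"?([^\s"]+)"?.*?/grant(?::r)?\s+"?([^:"\s]+):([^\s"]+)', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def effective_target(image, target):
    """A 32-bit image (under SysWOW64, as in the tree above) has System32 redirected
    to SysWOW64 by WoW64 file system redirection unless it opts out, so report where
    the change lands rather than the path the command line names."""
    if "\\syswow64\\" in image.lower() and "\\system32\\" in target.lower():
        return re.sub(r"\\system32\\", r"\\SysWOW64\\", target, flags=re.I)
    return target


def classify(event):
    """Return an alert dict for one process-creation event, or None."""
    image = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    if image == "takeown.exe":
        m = TAKEOWN_RE.search(cmd)
        if m and basename(m.group(1)) in CRITICAL_BINARIES:
            return {"rule": "takeown_critical_binary", "pid": event["ProcessId"],
                    "target": m.group(1),
                    "effective_target": effective_target(event["Image"], m.group(1))}
    elif image == "icacls.exe":
        m = ICACLS_RE.search(cmd)
        if m and basename(m.group(1)) in CRITICAL_BINARIES:
            return {"rule": "icacls_grant_critical_binary", "pid": event["ProcessId"],
                    "target": m.group(1), "grantee": m.group(2), "rights": m.group(3),
                    "effective_target": effective_target(event["Image"], m.group(1))}
    elif image == "cmd.exe" and re.search(r"takeown\b.*&&.*icacls\b", cmd, re.I):
        # The && guard means icacls only runs if takeown returned 0.
        return {"rule": "cmd_takeown_icacls_chain", "pid": event["ProcessId"]}
    return None


def root_pid(pid, parent_of):
    """Walk ParentProcessId links up to the top-most process we have an event for."""
    while parent_of.get(pid) in parent_of:
        pid = parent_of[pid]
    return pid


def analyze(log_lines, threshold=3):
    """Per-event rules first, then one lineage-level alert when a single ancestor
    touches >= threshold distinct critical binaries."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    alerts = [a for a in (classify(e) for e in events) if a]
    targets_by_root = defaultdict(set)
    for a in alerts:
        if "target" in a:
            targets_by_root[root_pid(a["pid"], parent_of)].add(basename(a["target"]))
    for root, targets in targets_by_root.items():
        if len(targets) >= threshold:
            alerts.append({"rule": "mass_critical_binary_tamper", "pid": root,
                           "targets": sorted(targets)})
    return alerts


# Constructed sample log mirroring the report's chains (PIDs as in the tree; the
# parent of 2208 and the benign takeown on a user document are invented for contrast).
SAMPLE_LOG = r'''
{"ProcessId": 2208, "ParentProcessId": 1400, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chernobyl.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chernobyl.exe\""}
{"ProcessId": 2660, "ParentProcessId": 2208, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /k takeown /f C:\\Windows\\System32\\smss.exe && icacls C:\\Windows\\System32\\smss.exe /grant \"%username%:F\" && exit"}
{"ProcessId": 2572, "ParentProcessId": 2660, "Image": "C:\\Windows\\SysWOW64\\takeown.exe", "CommandLine": "takeown /f C:\\Windows\\System32\\smss.exe"}
{"ProcessId": 2764, "ParentProcessId": 2208, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /k takeown /f C:\\Windows\\System32\\wininit.exe && icacls C:\\Windows\\System32\\wininit.exe /grant \"%username%:F\" && exit"}
{"ProcessId": 2444, "ParentProcessId": 2764, "Image": "C:\\Windows\\SysWOW64\\takeown.exe", "CommandLine": "takeown /f C:\\Windows\\System32\\wininit.exe"}
{"ProcessId": 2560, "ParentProcessId": 2764, "Image": "C:\\Windows\\SysWOW64\\icacls.exe", "CommandLine": "icacls C:\\Windows\\System32\\wininit.exe /grant \"Admin:F\""}
{"ProcessId": 1692, "ParentProcessId": 2832, "Image": "C:\\Windows\\SysWOW64\\takeown.exe", "CommandLine": "takeown /f C:\\Windows\\System32\\ntoskrnl.exe"}
{"ProcessId": 2832, "ParentProcessId": 2208, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /k takeown /f C:\\Windows\\System32\\ntoskrnl.exe && icacls C:\\Windows\\System32\\ntoskrnl.exe /grant \"%username%:F\" && exit"}
{"ProcessId": 3001, "ParentProcessId": 1400, "Image": "C:\\Windows\\System32\\takeown.exe", "CommandLine": "takeown /f C:\\Users\\Admin\\Documents\\report.docx"}
'''.strip().splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample above this yields three takeown alerts, one icacls alert (grantee Admin, rights F, effective target C:\Windows\SysWOW64\wininit.exe because the 32-bit icacls.exe ran), three cmd.exe chain alerts, and one lineage alert rooted at PID 2208 listing ntoskrnl.exe, smss.exe and wininit.exe; the takeown on a user document under the 64-bit takeown.exe is left alone. In production, feed it the 4688/Sysmon stream and tune the threshold; a single takeown on lsass.exe or winload.exe is already worth a ticket on its own.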

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2208-0-0x0000000000DB0000-0x0000000000DD6000-memory.dmp

    Filesize

    152KB

  • memory/2208-1-0x00000000746A0000-0x0000000074D8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2208-2-0x0000000004CE0000-0x0000000004D20000-memory.dmp

    Filesize

    256KB

  • memory/2208-3-0x0000000004CE0000-0x0000000004D20000-memory.dmp

    Filesize

    256KB

  • memory/2208-4-0x00000000746A0000-0x0000000074D8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2208-5-0x0000000004CE0000-0x0000000004D20000-memory.dmp

    Filesize

    256KB

  • memory/2208-6-0x0000000004CE0000-0x0000000004D20000-memory.dmp

    Filesize

    256KB