Analysis

  • max time kernel
    20s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 20:27

General

  • Target

    Chernobyl.exe

  • Size

    343KB

  • MD5

    c9ce5df22d3f9ea06215cd30ed5e07b8

  • SHA1

    0631376b2fd56c4bd9795291e03067ce95884cea

  • SHA256

    72ee1e0f426ed0786fa2de693982292fc5bae8135068b4a73fc758832048bde0

  • SHA512

    38702bbb0de87b669f58feeaadd828bec1b80c47807ea2e0251731a613426999a4804e650c189ed23dfa75d7f3794bad7472b668fca83904bf0269208f3d1cff

  • SSDEEP

    6144:FbbKo02222222222222222222222222222222222222222222222222222222226:F9kMOZzv4TatsNqaJg

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 14 IoCs
  • Modifies file permissions 1 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          3⤵
            PID:784
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
              PID:1668
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2360
            • C:\Windows\SysWOW64\rundll32.exe
              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
              3⤵
                PID:1312
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
              2⤵
                PID:1000
                • C:\Windows\SysWOW64\rundll32.exe
                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                  3⤵
                    PID:1588
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2104
                  • C:\Windows\SysWOW64\rundll32.exe
                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                    3⤵
                      PID:1596
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                    2⤵
                      PID:1752
                      • C:\Windows\SysWOW64\rundll32.exe
                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                        3⤵
                          PID:1692
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                        2⤵
                          PID:2860
                          • C:\Windows\SysWOW64\rundll32.exe
                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                            3⤵
                              PID:1680
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                            2⤵
                              PID:1584
                              • C:\Windows\SysWOW64\rundll32.exe
                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                3⤵
                                  PID:2628
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                                2⤵
                                  PID:1788
                                  • C:\Windows\SysWOW64\rundll32.exe
                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                    3⤵
                                      PID:2528
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                                    2⤵
                                      PID:796
                                      • C:\Windows\SysWOW64\rundll32.exe
                                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                        3⤵
                                          PID:2632
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
                                        2⤵
                                          PID:2036
                                          • C:\Windows\SysWOW64\rundll32.exe
                                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                            3⤵
                                              PID:2648
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
                                            2⤵
                                              PID:2588
                                              • C:\Windows\SysWOW64\takeown.exe
                                                takeown /f C:\Windows\System32\smss.exe
                                                3⤵
                                                • Possible privilege escalation attempt
                                                • Modifies file permissions
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2500
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
                                              2⤵
                                                PID:2488
                                                • C:\Windows\SysWOW64\takeown.exe
                                                  takeown /f C:\Windows\System32\csrss.exe
                                                  3⤵
                                                  • Possible privilege escalation attempt
                                                  • Modifies file permissions
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2184
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
                                                2⤵
                                                  PID:2444
                                                  • C:\Windows\SysWOW64\takeown.exe
                                                    takeown /f C:\Windows\System32\wininit.exe
                                                    3⤵
                                                    • Possible privilege escalation attempt
                                                    • Modifies file permissions
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2972
                                                  • C:\Windows\SysWOW64\icacls.exe
                                                    icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
                                                    3⤵
                                                    • Possible privilege escalation attempt
                                                    • Modifies file permissions
                                                    PID:2716
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
                                                  2⤵
                                                    PID:2468
                                                    • C:\Windows\SysWOW64\takeown.exe
                                                      takeown /f C:\Windows\System32\LogonUI.exe
                                                      3⤵
                                                      • Possible privilege escalation attempt
                                                      • Modifies file permissions
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1440
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
                                                    2⤵
                                                      PID:2044
                                                      • C:\Windows\SysWOW64\takeown.exe
                                                        takeown /f C:\Windows\System32\lsass.exe
                                                        3⤵
                                                        • Possible privilege escalation attempt
                                                        • Modifies file permissions
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2892
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
                                                      2⤵
                                                        PID:2764
                                                        • C:\Windows\SysWOW64\takeown.exe
                                                          takeown /f C:\Windows\System32\services.exe
                                                          3⤵
                                                          • Possible privilege escalation attempt
                                                          • Modifies file permissions
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:884
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
                                                        2⤵
                                                          PID:1944
                                                          • C:\Windows\SysWOW64\takeown.exe
                                                            takeown /f C:\Windows\System32\winlogon.exe
                                                            3⤵
                                                            • Possible privilege escalation attempt
                                                            • Modifies file permissions
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2252
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
                                                          2⤵
                                                            PID:2032
                                                            • C:\Windows\SysWOW64\takeown.exe
                                                              takeown /f C:\Windows\System32\winload.efi
                                                              3⤵
                                                              • Possible privilege escalation attempt
                                                              • Modifies file permissions
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2024
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
                                                            2⤵
                                                              PID:2320
                                                              • C:\Windows\SysWOW64\takeown.exe
                                                                takeown /f C:\Windows\System32\winload.exe
                                                                3⤵
                                                                • Possible privilege escalation attempt
                                                                • Modifies file permissions
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2164
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
                                                              2⤵
                                                                PID:1600
                                                                • C:\Windows\SysWOW64\takeown.exe
                                                                  takeown /f C:\Windows\System32\ntoskrnl.exe
                                                                  3⤵
                                                                  • Possible privilege escalation attempt
                                                                  • Modifies file permissions
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2348
                                                                • C:\Windows\SysWOW64\icacls.exe
                                                                  icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
                                                                  3⤵
                                                                  • Possible privilege escalation attempt
                                                                  • Modifies file permissions
                                                                  PID:1320
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
                                                                2⤵
                                                                  PID:1036
                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                    takeown /f C:\Windows\System32\svchost.exe
                                                                    3⤵
                                                                    • Possible privilege escalation attempt
                                                                    • Modifies file permissions
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1744
                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                    icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
                                                                    3⤵
                                                                    • Possible privilege escalation attempt
                                                                    • Modifies file permissions
                                                                    PID:1296

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Users\Admin\Desktop\╤■╤♠å≈öš®∩38☼╧±ě▲☻Â☺ÿ╩7♦¶5åï◄Æ♣æäöÇÿÿπ■▀◘▌ä¶Çæÿ◄×▼▐2π∞Ç♪▀é►▲○♂č♀√«řÆ®♠►í¢ø∞╬◄↑±äžÂ5µñ¢µ╠£¤╩◙█ř«♠¤éÿ™

                                                                Filesize

                                                                666B

                                                                MD5

                                                                9e1e5883c74742a497cf5c272ccd2321

                                                                SHA1

                                                                2cf33e34d08b8e17743a60352baffef4b6f02dee

                                                                SHA256

                                                                ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a

                                                                SHA512

                                                                f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

                                                              • memory/1196-0-0x0000000000FE0000-0x000000000103C000-memory.dmp

                                                                Filesize

                                                                368KB

                                                              • memory/1196-1-0x0000000074640000-0x0000000074D2E000-memory.dmp

                                                                Filesize

                                                                6.9MB

                                                              • memory/1196-2-0x0000000004A30000-0x0000000004A70000-memory.dmp

                                                                Filesize

                                                                256KB