Resubmissions

02-03-2024 19:41

240302-yefvmagf21 10

02-03-2024 19:39

240302-ydf41age9v 10

Analysis

  • max time kernel
    39s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 19:39

General

  • Target

    Chernobyl.exe

  • Size

    338KB

  • MD5

    0f6ef368d9dfdf12dcf44f727fbd4d5c

  • SHA1

    5bbf583c7d0f74255c13b7bbdb5d5609d80393e9

  • SHA256

    30acb23863a1043c7210c8fb75236fce5111bef305c6574e518e9d0e50d740cf

  • SHA512

    16e211d19604b49c4b6837f580ec2c83cb27868f481d3ee33394716110e32ac363165bed5e9445c3807753cac793e5a044c3986d10ab04cfbd832c68438f546c

  • SSDEEP

    6144:Ubeo02222222222222222222222222222222222222222222222222222222222w:QkHOZzv4TatsNqaJA

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 14 IoCs
  • Modifies file permissions 1 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2104
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:1456
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\smss.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\csrss.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\wininit.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:872
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2920
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\LogonUI.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:3064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\lsass.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\services.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
        2⤵
          PID:2684
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\winlogon.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:3040
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
          2⤵
            PID:2688
            • C:\Windows\SysWOW64\takeown.exe
              takeown /f C:\Windows\System32\winload.efi
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:2460
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
            2⤵
              PID:2660
              • C:\Windows\SysWOW64\takeown.exe
                takeown /f C:\Windows\System32\winload.exe
                3⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:2552
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
              2⤵
                PID:2436
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /f C:\Windows\System32\ntoskrnl.exe
                  3⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2468
                • C:\Windows\SysWOW64\icacls.exe
                  icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
                  3⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:2512
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
                2⤵
                  PID:2952
                  • C:\Windows\SysWOW64\takeown.exe
                    takeown /f C:\Windows\System32\svchost.exe
                    3⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2960
                  • C:\Windows\SysWOW64\icacls.exe
                    icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
                    3⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:1772

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\Desktop\—↕óÂ∩ïé☺¤Σ≈Ç—Σ▼■¼ñ¢▼■²█ó╠╔▌ž5£♣☼↕řσ▲¶▼Σ²9®Âπ◘šŸßä≈♫íí╬♫◙▼☼í¾╧♂¾◙¢≈¾å™◙╚╔≈¬¢®ïπ☻♪æ♥πœŸ▌åÇ◘₧—↕≈ž86☺¥éč

                Filesize

                666B

                MD5

                9e1e5883c74742a497cf5c272ccd2321

                SHA1

                2cf33e34d08b8e17743a60352baffef4b6f02dee

                SHA256

                ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a

                SHA512

                f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

              • memory/2104-0-0x00000000012C0000-0x000000000131A000-memory.dmp

                Filesize

                360KB

              • memory/2104-1-0x0000000073E10000-0x00000000744FE000-memory.dmp

                Filesize

                6.9MB

              • memory/2104-306-0x0000000000A70000-0x0000000000AB0000-memory.dmp

                Filesize

                256KB

              • memory/2104-307-0x0000000073E10000-0x00000000744FE000-memory.dmp

                Filesize

                6.9MB

              • memory/2104-308-0x0000000000A70000-0x0000000000AB0000-memory.dmp

                Filesize

                256KB