General
Target: Chernobyl.exe
Size: 338KB
Sample: 240302-yefvmagf21
MD5: 0f6ef368d9dfdf12dcf44f727fbd4d5c
SHA1: 5bbf583c7d0f74255c13b7bbdb5d5609d80393e9
SHA256: 30acb23863a1043c7210c8fb75236fce5111bef305c6574e518e9d0e50d740cf
SHA512: 16e211d19604b49c4b6837f580ec2c83cb27868f481d3ee33394716110e32ac363165bed5e9445c3807753cac793e5a044c3986d10ab04cfbd832c68438f546c
SSDEEP: 6144:Ubeo02222222222222222222222222222222222222222222222222222222222w:QkHOZzv4TatsNqaJA
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win10v2004-20240226-en
Malware Config
Targets
Target: Chernobyl.exe
Size: 338KB
Score: 10/10
- Modifies WinLogon for persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Modifies file permissions
- Modifies WinLogon
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Winlogon Helper DLL: 2
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- File and Directory Permissions Modification: 1
- Impair Defenses: 1
  - Disable or Modify Tools: 1
- Modify Registry: 4