Analysis
- max time kernel: 34s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 20:13
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win7-20240221-en
General
- Target: Chernobyl.exe
- Size: 341KB
- MD5: 284b916cf9a64dfab9e1979890145e61
- SHA1: 74133e2fc0238a6244cea8953d5213fd507e506a
- SHA256: 8e25f551c62c72c1f47877affafb617992282b2e115c8c8977918fc6493aece3
- SHA512: 50d83a75ce4092249c958c8005fca3f45688adb4e462b242afddfa3834030b8a442a8577cafc7dd522c96b4cf3f0c87144ea64a2590495fe16dbefc3cbdf2f2c
- SSDEEP: 6144:iHb1o0222222222222222222222222222222222222222222222222222222222U:PkWOZzv4TatsNqaJg
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: Chernobyl.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" (Chernobyl.exe)
UAC bypass
Processes: Chernobyl.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Disables RegEdit via registry modification 1 IoCs
Processes: Chernobyl.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Chernobyl.exe)
Disables Task Manager via registry modification
Possible privilege escalation attempt 14 IoCs
Processes (pid, process):
- 2512 takeown.exe
- 2572 takeown.exe
- 1580 takeown.exe
- 1708 icacls.exe
- 2584 takeown.exe
- 2832 takeown.exe
- 2672 icacls.exe
- 2468 takeown.exe
- 1516 takeown.exe
- 2528 takeown.exe
- 2628 takeown.exe
- 1944 icacls.exe
- 1532 takeown.exe
- 2692 takeown.exe
Modifies file permissions 1 TTPs 14 IoCs
Processes (pid, process):
- 2512 takeown.exe
- 2628 takeown.exe
- 2528 takeown.exe
- 2584 takeown.exe
- 2468 takeown.exe
- 1532 takeown.exe
- 2832 takeown.exe
- 1516 takeown.exe
- 1708 icacls.exe
- 2692 takeown.exe
- 2672 icacls.exe
- 1580 takeown.exe
- 2572 takeown.exe
- 1944 icacls.exe
Checks whether UAC is enabled
Processes: Chernobyl.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Chernobyl.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Modifies WinLogon 2 TTPs 2 IoCs
Processes: Chernobyl.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" (Chernobyl.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" (Chernobyl.exe)
Drops file in System32 directory 1 IoCs
Processes: Chernobyl.exe
- File opened for modification: C:\Windows\SysWOW64\kill.ico (Chernobyl.exe)
Drops file in Windows directory 2 IoCs
Processes: Chernobyl.exe
- File created: C:\Windows\cluttscape.exe (Chernobyl.exe)
- File opened for modification: C:\Windows\cluttscape.exe (Chernobyl.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: Chernobyl.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" (Chernobyl.exe)
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes (token, pid, process):
- Token: SeDebugPrivilege, 2192 Chernobyl.exe
- Token: SeDebugPrivilege, 2192 Chernobyl.exe
- Token: SeTakeOwnershipPrivilege, 1532 takeown.exe
- Token: SeTakeOwnershipPrivilege, 1516 takeown.exe
- Token: SeTakeOwnershipPrivilege, 1580 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2692 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2512 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2628 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2528 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2584 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2832 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2572 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2468 takeown.exe
- Token: SeShutdownPrivilege, 2192 Chernobyl.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: Chernobyl.exe, cmd.exe (7 instances)
Rows (source pid/process -> target pid/process, number of identical rows; 64 rows in total):
- 2192 Chernobyl.exe -> 844 cmd.exe (4)
- 844 cmd.exe -> 2996 rundll32.exe (7)
- 2192 Chernobyl.exe -> 1492 cmd.exe (4)
- 1492 cmd.exe -> 1532 takeown.exe (4)
- 2192 Chernobyl.exe -> 1512 cmd.exe (4)
- 1512 cmd.exe -> 1516 takeown.exe (4)
- 2192 Chernobyl.exe -> 2860 cmd.exe (4)
- 2860 cmd.exe -> 1580 takeown.exe (4)
- 2860 cmd.exe -> 1708 icacls.exe (4)
- 2192 Chernobyl.exe -> 1340 cmd.exe (4)
- 1340 cmd.exe -> 2692 takeown.exe (4)
- 2192 Chernobyl.exe -> 2496 cmd.exe (4)
- 2496 cmd.exe -> 2512 takeown.exe (4)
- 2192 Chernobyl.exe -> 2508 cmd.exe (4)
- 2508 cmd.exe -> 2628 takeown.exe (4)
- 2192 Chernobyl.exe -> 2680 cmd.exe (1)
System policy modification 1 TTPs 3 IoCs
Processes: Chernobyl.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" (Chernobyl.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" (Chernobyl.exe)
Processes
(process image path with tree depth and PID, its command line, and the signatures it triggered; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe (depth 1, PID 2192)
Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 844)
  Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (depth 3, PID 2996)
    Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1492)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1532)
    Command line: takeown /f C:\Windows\System32\smss.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1512)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1516)
    Command line: takeown /f C:\Windows\System32\csrss.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2860)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1580)
    Command line: takeown /f C:\Windows\System32\wininit.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (depth 3, PID 1708)
    Command line: icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1340)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2692)
    Command line: takeown /f C:\Windows\System32\LogonUI.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2496)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2512)
    Command line: takeown /f C:\Windows\System32\lsass.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2508)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2628)
    Command line: takeown /f C:\Windows\System32\services.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2680)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2528)
    Command line: takeown /f C:\Windows\System32\winlogon.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2640)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2584)
    Command line: takeown /f C:\Windows\System32\winload.efi
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2688)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2832)
    Command line: takeown /f C:\Windows\System32\winload.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2980)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2572)
    Command line: takeown /f C:\Windows\System32\ntoskrnl.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (depth 3, PID 2672)
    Command line: icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2416)
  Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

    C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2468)
    Command line: takeown /f C:\Windows\System32\svchost.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (depth 3, PID 1944)
    Command line: icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Winlogon Helper DLL (2)
Downloads
- C:\Users\Admin\Desktop\Æń63≈ø√¶4¥σœÆ■¬ñ█½ÿ√♦♣╚ó«☼¾♦6♦♥▬ž♪¾╠™ε™φφÆσ¼7õφΣö■♫╧í▼φ6č○ñπ♦Ÿ╚5ßš£σóñ♫¾šσ1ö×ñ≈♪õΣ◄¶åΣ☼↕↕♥ñ♂♫æÿ▬3◄æ
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b