Analysis

  • max time kernel
    34s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 20:13

General

  • Target

    Chernobyl.exe

  • Size

    341KB

  • MD5

    284b916cf9a64dfab9e1979890145e61

  • SHA1

    74133e2fc0238a6244cea8953d5213fd507e506a

  • SHA256

    8e25f551c62c72c1f47877affafb617992282b2e115c8c8977918fc6493aece3

  • SHA512

    50d83a75ce4092249c958c8005fca3f45688adb4e462b242afddfa3834030b8a442a8577cafc7dd522c96b4cf3f0c87144ea64a2590495fe16dbefc3cbdf2f2c

  • SSDEEP

    6144:iHb1o0222222222222222222222222222222222222222222222222222222222U:PkWOZzv4TatsNqaJg

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 14 IoCs
  • Modifies file permissions 1 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\smss.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\csrss.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\wininit.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\LogonUI.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\lsass.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\services.exe
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
        2⤵
          PID:2680
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\winlogon.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
          2⤵
            PID:2640
            • C:\Windows\SysWOW64\takeown.exe
              takeown /f C:\Windows\System32\winload.efi
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:2584
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
            2⤵
              PID:2688
              • C:\Windows\SysWOW64\takeown.exe
                takeown /f C:\Windows\System32\winload.exe
                3⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:2832
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
              2⤵
                PID:2980
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /f C:\Windows\System32\ntoskrnl.exe
                  3⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2572
                • C:\Windows\SysWOW64\icacls.exe
                  icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
                  3⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:2672
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
                2⤵
                  PID:2416
                  • C:\Windows\SysWOW64\takeown.exe
                    takeown /f C:\Windows\System32\svchost.exe
                    3⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2468
                  • C:\Windows\SysWOW64\icacls.exe
                    icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
                    3⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:1944

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\Desktop\Æń63≈ø√¶4¥σœÆ■¬ñ█½ÿ√♦♣╚ó«☼¾♦6♦♥▬ž♪¾╠™ε™φφÆσ¼7õφΣö■♫╧í▼φ6č○ñπ♦Ÿ╚5ßš£σóñ♫¾šσ1ö×ñ≈♪õΣ◄¶åΣ☼↕↕♥ñ♂♫æÿ▬3◄æ

                Filesize

                666B

                MD5

                9e1e5883c74742a497cf5c272ccd2321

                SHA1

                2cf33e34d08b8e17743a60352baffef4b6f02dee

                SHA256

                ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a

                SHA512

                f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

              • memory/2192-0-0x0000000000050000-0x00000000000AC000-memory.dmp

                Filesize

                368KB

              • memory/2192-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

                Filesize

                6.9MB

              • memory/2192-306-0x0000000005370000-0x00000000053B0000-memory.dmp

                Filesize

                256KB

              • memory/2192-307-0x0000000005370000-0x00000000053B0000-memory.dmp

                Filesize

                256KB

              • memory/2192-308-0x0000000074C10000-0x00000000752FE000-memory.dmp

                Filesize

                6.9MB

              • memory/2192-309-0x0000000005370000-0x00000000053B0000-memory.dmp

                Filesize

                256KB