General

  • Target

    Chernobyl.exe

  • Size

    418KB

  • Sample

    240303-c5ymgacb93

  • MD5

    42d232a366705a95af9babb269a251b1

  • SHA1

    015b04d84cf13b8c93d11cc8c80a0f4571fb6847

  • SHA256

    97609ae0b6b53252439d92caf6261c32cad76a69c93047c336cc5c42b458af3d

  • SHA512

    cc7a88709390ec82c94c587f2569c22c72a210298e14d77a0ad0ab633013d49af703d1fe77af904c272914885597442474a2c487d5a9bd2553de794a3ee1ce56

  • SSDEEP

    6144:MEgbPPJo0222222222222222222222222222222222222222222222222222222Z:LtH0ZOZzv4TatsNqaJx

Malware Config

Targets

    • Target

      Chernobyl.exe

    • Size

      418KB

    • MD5

      42d232a366705a95af9babb269a251b1

    • SHA1

      015b04d84cf13b8c93d11cc8c80a0f4571fb6847

    • SHA256

      97609ae0b6b53252439d92caf6261c32cad76a69c93047c336cc5c42b458af3d

    • SHA512

      cc7a88709390ec82c94c587f2569c22c72a210298e14d77a0ad0ab633013d49af703d1fe77af904c272914885597442474a2c487d5a9bd2553de794a3ee1ce56

    • SSDEEP

      6144:MEgbPPJo0222222222222222222222222222222222222222222222222222222Z:LtH0ZOZzv4TatsNqaJx

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies system executable filetype association

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks