General
Target: Chernobyl.exe
Size: 418KB
Sample: 240303-c5ymgacb93
MD5: 42d232a366705a95af9babb269a251b1
SHA1: 015b04d84cf13b8c93d11cc8c80a0f4571fb6847
SHA256: 97609ae0b6b53252439d92caf6261c32cad76a69c93047c336cc5c42b458af3d
SHA512: cc7a88709390ec82c94c587f2569c22c72a210298e14d77a0ad0ab633013d49af703d1fe77af904c272914885597442474a2c487d5a9bd2553de794a3ee1ce56
SSDEEP: 6144:MEgbPPJo0222222222222222222222222222222222222222222222222222222Z:LtH0ZOZzv4TatsNqaJx
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win7-20240221-en
Malware Config
Score: 10/10
Signatures
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Winlogon Helper DLL (2)
- Event Triggered Execution (1)
- Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
- Winlogon Helper DLL (2)
- Event Triggered Execution (1)
- Change Default File Association (1)