General
-
Target
Chernobyl.exe
-
Size
419KB
-
Sample
240303-wg7d9adf71
-
MD5
abdd86e2b314276bbf101dfd6bdc60bf
-
SHA1
a1bac78a000aa6bda717220bd43fd91f6b445bd2
-
SHA256
85341ee72034e658366122533c3c81926f68e86e8226744a239068f056a3001a
-
SHA512
d08238f7f6fc1f4861483e305a3cacdd0d438bf5af3e858fe972a997a83f944e371dff1a0c5c5ced787489d899be7120e1b92bb1306575728a5b200893b1b921
-
SSDEEP
6144:SJbxU1o02222222222222222222222222222222222222222222222222222222i:ktH0ROZzv4TatsNqaJx
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240220-en
Malware Config
Targets
-
-
Target
Chernobyl.exe
-
Size
419KB
-
MD5
abdd86e2b314276bbf101dfd6bdc60bf
-
SHA1
a1bac78a000aa6bda717220bd43fd91f6b445bd2
-
SHA256
85341ee72034e658366122533c3c81926f68e86e8226744a239068f056a3001a
-
SHA512
d08238f7f6fc1f4861483e305a3cacdd0d438bf5af3e858fe972a997a83f944e371dff1a0c5c5ced787489d899be7120e1b92bb1306575728a5b200893b1b921
-
SSDEEP
6144:SJbxU1o02222222222222222222222222222222222222222222222222222222i:ktH0ROZzv4TatsNqaJx
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt
-
Modifies file permissions
-
Modifies system executable filetype association
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1