General

  • Target

    Chernobyl.exe

  • Size

    419KB

  • Sample

    240303-wg7d9adf71

  • MD5

    abdd86e2b314276bbf101dfd6bdc60bf

  • SHA1

    a1bac78a000aa6bda717220bd43fd91f6b445bd2

  • SHA256

    85341ee72034e658366122533c3c81926f68e86e8226744a239068f056a3001a

  • SHA512

    d08238f7f6fc1f4861483e305a3cacdd0d438bf5af3e858fe972a997a83f944e371dff1a0c5c5ced787489d899be7120e1b92bb1306575728a5b200893b1b921

  • SSDEEP

    6144:SJbxU1o02222222222222222222222222222222222222222222222222222222i:ktH0ROZzv4TatsNqaJx

Malware Config

Targets

    • Target

      Chernobyl.exe

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Modifies system executable filetype association

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks