General

  • Target

    Chernobyl.exe

  • Size

    419KB

  • Sample

    240303-wkjglaed92

  • MD5

    07aab9ab01b16396006ccd984dda1ca8

  • SHA1

    1c8066c4957be1f0dac95806100beb6d24115d59

  • SHA256

    99bb4ada945c3d8071a150492a69d1ae4cf83820e2d77509d6eae7d0f02e05d0

  • SHA512

    fd9a004a740ddfa0cc7360141948bc58584f074566a2060df21a9b0add2c3168fb32b572147850f54ec5240b57440ad7561f2826bb087d654f6d545e54aab2e9

  • SSDEEP

    6144:EbbxC1o022222222222222222222222222222222222222222222222222222225:OtH04OZzv4TatsNqaJx

Malware Config

Targets

    • Target

      Chernobyl.exe

    • Size

      419KB

    • MD5

      07aab9ab01b16396006ccd984dda1ca8

    • SHA1

      1c8066c4957be1f0dac95806100beb6d24115d59

    • SHA256

      99bb4ada945c3d8071a150492a69d1ae4cf83820e2d77509d6eae7d0f02e05d0

    • SHA512

      fd9a004a740ddfa0cc7360141948bc58584f074566a2060df21a9b0add2c3168fb32b572147850f54ec5240b57440ad7561f2826bb087d654f6d545e54aab2e9

    • SSDEEP

      6144:EbbxC1o022222222222222222222222222222222222222222222222222222225:OtH04OZzv4TatsNqaJx

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Modifies system executable filetype association

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks