General

  • Target: Chernobyl.exe
  • Size: 419KB
  • Sample: 240303-wrrrjsee85
  • MD5: 6af6c1ad5299c91303fa3eba88d215ae
  • SHA1: b0ee45c6b965d37a6dab8bdbdae22c2241e6c118
  • SHA256: d762bff854ccaea043b18ef8a1c290aee0632ce517625ffb44d743e41c02bf9b
  • SHA512: 635e36ba5869b33d763c3d89a4b64efdf2f9d9e93a514f4b88a9be39f0fdbe1572038e6519c26b88299379d57804a6f530960525406a22b03ff66da7989156e1
  • SSDEEP: 6144:TtbAR4o02222222222222222222222222222222222222222222222222222222o:stH0XOZzv4TatsNqaJx

Targets

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Modifies system executable filetype association

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
