General

  • Target

    Chernobyl.exe

  • Size

    423KB

  • Sample

    240303-x4wfyafe23

  • MD5

    ae230ad6f0cca298bf6ea4ab531fafc0

  • SHA1

    986f2fdb3e9748fc05274be6e96138fc09bf6bc2

  • SHA256

    db196292a9c5804f914c856ff7f1b82f1280ddc51685c2fd210d1afa3ac9c9ba

  • SHA512

    a26b6b9780f79e17ffa9662207b68493b4d6a67c486073e036bdc03810e66d4f0da3b60ec3e492b623c200301f27d393b67aed6e1c573e943d36ce08dbb35e7c

  • SSDEEP

    6144:7PJabGeEo022222222222222222222222222222222222222222222222222222B:utH0sOZzv4TatsNqaJR

Malware Config

Targets

    • Target

      Chernobyl.exe

    • Contains code to disable Windows Defender

      A .NET executable carrying code that disables Windows Defender capabilities such as real-time monitoring and block at first sight. This signature is a static match on the executable's code: it shows the capability is present, not that Defender was observed being turned off during the run.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Modifies system executable filetype association

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system. A raw write to the first sector can also be purely destructive (boot code overwritten, partition table lost, machine no longer boots), so compare the sector against a known-good copy before concluding that the sample installs a bootkit rather than wiping the disk.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
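The Winlogon, RegEdit, Task Manager, Defender, executable-association and wallpaper signatures above all come down to specific registry values. The script below is an added example written for this page, not code from the sandbox or from the sample: it parses a `reg export` of the affected keys and reports which of the listed signatures the values support. The `.reg` text is constructed to look like a post-infection export; the key and value names are the documented Windows ones, but the paths and file names in it are invented, and the report does not give the exact data the sample wrote, so each check compares against the key's normal default.

```python
"""Offline check of a registry export for the tampering listed in the report.

Added example, not from the sandbox report or the sample. Parses a Windows
.reg export and maps changed values to the report's signature names.
"""
import re

# Constructed sample: what `reg export` of the affected keys might look like
# after infection. Paths and file names are invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\Chernobyl.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\Chernobyl.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\Public\\wall.bmp"
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKCU_POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
DEFENDER_RTP = r"hkey_local_machine\software\policies\microsoft\windows defender\real-time protection"
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
DESKTOP = r"hkey_current_user\control panel\desktop"

# (key, value name, predicate on the parsed data, signature name from the report).
# "" as the value name is the key's default value (written as @= in .reg files).
INDICATORS = [
    (WINLOGON, "shell", lambda v: isinstance(v, str) and v.lower() != "explorer.exe",
     "Modifies WinLogon for persistence (Shell)"),
    (WINLOGON, "userinit",
     lambda v: isinstance(v, str) and v.lower().rstrip(",") != r"c:\windows\system32\userinit.exe",
     "Modifies WinLogon for persistence (Userinit)"),
    (HKCU_POLICY, "disableregistrytools", lambda v: v == 1, "Disables RegEdit via registry modification"),
    (HKCU_POLICY, "disabletaskmgr", lambda v: v == 1, "Disables Task Manager via registry modification"),
    (DEFENDER_RTP, "disablerealtimemonitoring", lambda v: v == 1, "Disables Windows Defender real-time monitoring"),
    (EXEFILE_CMD, "", lambda v: isinstance(v, str) and v.strip() != '"%1" %*',
     "Modifies system executable filetype association"),
    (DESKTOP, "wallpaper", lambda v: isinstance(v, str) and bool(v), "Sets desktop wallpaper using registry"),
]

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text: str) -> dict:
    """Return {(key, value name): data} for REG_SZ and REG_DWORD values.

    Keys and value names are lower-cased; other types are kept as raw text.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])   # undo \\ and \" escaping
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        values[(key, name.lower())] = data
    return values


def find_indicators(values: dict) -> list:
    """Map parsed values to the report signatures they support."""
    return [label for key, name, hit, label in INDICATORS
            if (key, name) in values and hit(values[(key, name)])]


def scan_reg_text(text: str) -> list:
    return find_indicators(parse_reg(text))


def scan_reg_file(path: str) -> list:
    # reg.exe writes exports as UTF-16 with a BOM; "utf-16" handles both.
    with open(path, encoding="utf-16") as fh:
        return scan_reg_text(fh.read())


if __name__ == "__main__":
    for hit in scan_reg_text(SAMPLE_REG):
        print(hit)
```

Userinit is left at its default in the constructed export, so that check stays quiet; the other six fire. Extending the table to the HKLM copy of the Policies\System key is a one-line addition.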
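For the MBR-write signature, the useful check is not whether the 0x55AA boot signature is still present but whether the boot-code region and the partition table match a known-good copy of the sector. The following is an added example written for this page, not code from the sandbox or from the sample: it parses a 512-byte MBR, hashes the boot code, and compares a sector against a baseline. Both sectors it works on are constructed test data (the "clean" boot code is a stand-in, not real Windows bytes); `read_physical_mbr` shows where a live sector would come from and is not called in the example.

```python
"""Parse and baseline-compare a 512-byte MBR sector.

Added example, not from the report or the sample. A bootkit typically
replaces the boot code while keeping the partition table so the machine
still boots; a wiper leaves neither intact. Hashing the regions separately
tells the two apart.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0x000..0x1B7
DISK_SIG_OFF = 0x1B8     # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
SIG_OFF = 0x1FE          # 0x55 0xAA
PART_ENTRY = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Findings when `sector` differs from a baseline produced by parse_mbr()."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sector(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a sector from its parts; used here only to construct test data."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed data. CLEAN_CODE is a placeholder for real boot code, not
# Windows bytes; PARTITIONS is one bootable NTFS (0x07) partition.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
PARTITIONS = [(True, 0x07, 2048, 1048576)]
DISK_SIG = 0x5A6B7C8D
CLEAN_MBR = build_sector(CLEAN_CODE, DISK_SIG, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)

# Constructed "infected" sector: partition table and disk signature kept,
# boot code replaced, which is the pattern the MBR-write signature implies.
EVIL_CODE = b"\xeb\xfe" + b"\x00" * (BOOT_CODE_LEN - 2)
EVIL_MBR = build_sector(EVIL_CODE, DISK_SIG, PARTITIONS)


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live first sector (Windows, needs admin; /dev/sda on Linux)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(EVIL_MBR, BASELINE))
```

Take the baseline from the clean sandbox image before detonation (or `parse_mbr(read_physical_mbr())` on a known-good host) and run `check_mbr` over the sector dumped after the run; "boot code differs" with an unchanged partition table is the bootkit pattern, while a missing signature plus an empty partition list points at a wipe.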

MITRE ATT&CK Enterprise v15

Tasks