General
Target: Chernobyl.exe
Size: 423KB
Sample: 240303-x4wfyafe23
MD5: ae230ad6f0cca298bf6ea4ab531fafc0
SHA1: 986f2fdb3e9748fc05274be6e96138fc09bf6bc2
SHA256: db196292a9c5804f914c856ff7f1b82f1280ddc51685c2fd210d1afa3ac9c9ba
SHA512: a26b6b9780f79e17ffa9662207b68493b4d6a67c486073e036bdc03810e66d4f0da3b60ec3e492b623c200301f27d393b67aed6e1c573e943d36ce08dbb35e7c
SSDEEP: 6144:7PJabGeEo022222222222222222222222222222222222222222222222222222B:utH0sOZzv4TatsNqaJR
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win11-20240221-en
Malware Config
Targets
Target: Chernobyl.exe
Size: 423KB
Signatures
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Possible privilege escalation attempt
- Modifies file permissions
- Modifies system executable filetype association
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)