General
-
Target
Chernobyl.exe
-
Size
423KB
-
Sample
240303-xrmy2aee91
-
MD5
42b985c803f65d080d32c4739a670ff1
-
SHA1
9ffaa06fe681b886b13d75f87cdb506afad0076e
-
SHA256
99297c9266dbd506808ecd06ba6e67c8b01806e8fb7f1dd61783b35c3bb6aa58
-
SHA512
1eccbf3188bd270546bd730759b4e63f814540fd80e6e9e0f47391886527c092a9e42f629e265aadfe6a79c52ba6443cca615fede5cb68098fb2c543e4bedff8
-
SSDEEP
6144:RebuEko022222222222222222222222222222222222222222222222222222220:ytH0bOZzv4TatsNqaJR
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240221-en
Malware Config
Targets
-
-
Target
Chernobyl.exe
-
Size
423KB
-
MD5
42b985c803f65d080d32c4739a670ff1
-
SHA1
9ffaa06fe681b886b13d75f87cdb506afad0076e
-
SHA256
99297c9266dbd506808ecd06ba6e67c8b01806e8fb7f1dd61783b35c3bb6aa58
-
SHA512
1eccbf3188bd270546bd730759b4e63f814540fd80e6e9e0f47391886527c092a9e42f629e265aadfe6a79c52ba6443cca615fede5cb68098fb2c543e4bedff8
-
SSDEEP
6144:RebuEko022222222222222222222222222222222222222222222222222222220:ytH0bOZzv4TatsNqaJR
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt
-
Modifies file permissions
-
Modifies system executable filetype association
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1