General
-
Target
Chernobyl.exe
-
Size
423KB
-
Sample
240303-ybb29sff26
-
MD5
493a80432585b0ed66493d19bfd760fe
-
SHA1
55dc4b662bc0cbbb46bef2e2c0b42f29e708d861
-
SHA256
3df8578b571811a77eefdf07069bd4d1ba16af70dba81bcf91d8182171728f74
-
SHA512
c699d41189692149d8e15f18494b78db2caf890502906bc5576a9db9ab102970b89010f8cf85cef9e7ee1e5c6b60f88a3179d26d04cdfa88d26d598deb0636f9
-
SSDEEP
6144:O1b/8Io02222222222222222222222222222222222222222222222222222222y:OqtH0tOZzv4TatsNqaJR
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240221-en
Malware Config
Targets
-
-
Target
Chernobyl.exe
-
Size
423KB
-
MD5
493a80432585b0ed66493d19bfd760fe
-
SHA1
55dc4b662bc0cbbb46bef2e2c0b42f29e708d861
-
SHA256
3df8578b571811a77eefdf07069bd4d1ba16af70dba81bcf91d8182171728f74
-
SHA512
c699d41189692149d8e15f18494b78db2caf890502906bc5576a9db9ab102970b89010f8cf85cef9e7ee1e5c6b60f88a3179d26d04cdfa88d26d598deb0636f9
-
SSDEEP
6144:O1b/8Io02222222222222222222222222222222222222222222222222222222y:OqtH0tOZzv4TatsNqaJR
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt
-
Modifies file permissions
-
Modifies system executable filetype association
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1