General

  • Target

    Chernobyl.exe

  • Size

    424KB

  • Sample

    240303-z5rv9agg4w

  • MD5

    6e89ee0b1441568348ccfd8ba90ad469

  • SHA1

    f0c5ae9da26471c08ffd959a86ee62e275423031

  • SHA256

    4f5f39615e8606648cf5c3d39984da911e1cab5326241185503dc980b51ed1cc

  • SHA512

    43a8cbc19ebbc289ef40113fd075485332643a8b15d4826cdeb7ec1f128e6c1f9d366b552bfece854a74805101362267615e2fbd13b929e423e3ab431e52d74a

  • SSDEEP

    6144:cfJzhBb/Lo02222222222222222222222222222222222222222222222222222F:cfJzhqtH05OZzv4TatsNqaJR

Malware Config

Targets

    • Target

      Chernobyl.exe

    • Size

      424KB

    • MD5

      6e89ee0b1441568348ccfd8ba90ad469

    • SHA1

      f0c5ae9da26471c08ffd959a86ee62e275423031

    • SHA256

      4f5f39615e8606648cf5c3d39984da911e1cab5326241185503dc980b51ed1cc

    • SHA512

      43a8cbc19ebbc289ef40113fd075485332643a8b15d4826cdeb7ec1f128e6c1f9d366b552bfece854a74805101362267615e2fbd13b929e423e3ab431e52d74a

    • SSDEEP

      6144:cfJzhBb/Lo02222222222222222222222222222222222222222222222222222F:cfJzhqtH05OZzv4TatsNqaJR

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Modifies system executable filetype association

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks