General
-
Target
Chernobyl.exe
-
Size
534KB
-
Sample
240303-z9gk3sgg8w
-
MD5
a70b779e49a90f38aa8c4be7f4eaa4d2
-
SHA1
a4b09eef6d70b7ee9c4cd6a530560b914acfacbe
-
SHA256
de9900ede22fbb6c47216cafce4f2bb328ce2e5a3b4889583dda25926d3d1dd1
-
SHA512
980b489ea3ccd6103d6d23278c8c387f01108ef8abe684817750ab4f8d85b498d8c6a4c7f227c99aa46ed1e2838ce77ae9ea281490b695da6c892bdbb387027f
-
SSDEEP
12288:9HwMxOZzv4TatsNqaJiGH2OZzv4TatsNqaJn:9Jx6zvIXqawGH26zvIXqap
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240221-en
Malware Config
Targets
-
-
Target
Chernobyl.exe
-
Size
534KB
-
MD5
a70b779e49a90f38aa8c4be7f4eaa4d2
-
SHA1
a4b09eef6d70b7ee9c4cd6a530560b914acfacbe
-
SHA256
de9900ede22fbb6c47216cafce4f2bb328ce2e5a3b4889583dda25926d3d1dd1
-
SHA512
980b489ea3ccd6103d6d23278c8c387f01108ef8abe684817750ab4f8d85b498d8c6a4c7f227c99aa46ed1e2838ce77ae9ea281490b695da6c892bdbb387027f
-
SSDEEP
12288:9HwMxOZzv4TatsNqaJiGH2OZzv4TatsNqaJn:9Jx6zvIXqawGH26zvIXqap
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt
-
Modifies file permissions
-
Modifies system executable filetype association
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1