General
-
Target
Chernobyl.exe
-
Size
423KB
-
Sample
240303-zm6axsgh87
-
MD5
eab1b06ec4eb0e4fb8a4ddb111de3842
-
SHA1
1cad235f7d73eb9d42e34b155e1a7da6e119039c
-
SHA256
f71a2fae22ef13b3691ed0f9deaaa59f36c96c32e40ae44d9811c33fb9f166f0
-
SHA512
09b22abc0d104db5accfcb2dcc7dce707203ff6f547a4312c3fe39e8d4afe60249c237288d2e6bb80218a336de8c919b60ea848c38ea4ed3d6bc9e3b5241d051
-
SSDEEP
6144:g3qhb34o0222222222222222222222222222222222222222222222222222222V:gytH0FOZzv4TatsNqaJR
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240221-en
Malware Config
Targets
-
-
Target
Chernobyl.exe
-
Size
423KB
-
MD5
eab1b06ec4eb0e4fb8a4ddb111de3842
-
SHA1
1cad235f7d73eb9d42e34b155e1a7da6e119039c
-
SHA256
f71a2fae22ef13b3691ed0f9deaaa59f36c96c32e40ae44d9811c33fb9f166f0
-
SHA512
09b22abc0d104db5accfcb2dcc7dce707203ff6f547a4312c3fe39e8d4afe60249c237288d2e6bb80218a336de8c919b60ea848c38ea4ed3d6bc9e3b5241d051
-
SSDEEP
6144:g3qhb34o0222222222222222222222222222222222222222222222222222222V:gytH0FOZzv4TatsNqaJR
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt
-
Modifies file permissions
-
Modifies system executable filetype association
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1