9a6ae29076f271ff9d607732b48762f12689dd7ab3887d4638a22ab7948b8e32

Analysis

max time kernel
146s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-04-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UB Downloads 6.4.24/UB Downloads/Loud Chair.exe
Size

13.2MB
MD5

98bacaf4133c9b00d4f84bfc4ae8eecd
SHA1

29d668c06dcf1b03be9c29039b41853fd164c8f6
SHA256

357b7b31ebafb438f27e9117b9385d5423f69c6704416adb9bfafd9b0822c42d
SHA512

6f221e477ceed21bfbbd6942ce1d3ddbca0991a4ab2266988f42dd7380041b7e68f154761ef10c943d669cd357f909889c578459aefe7a6814bd8f8a09e7fde8
SSDEEP

393216:dF8GsIpSpyQyAwgag97/TLBjnj15XqvG:dFRlpSpyFAwgLbTLB94vG

Score

8^/10

evasion

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Loud Chair.exeldr_ys99OTIzw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Loud Chair.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	ldr_ys99OTIzw.exe

Deletes itself 1 IoCs

Processes:

Loud Chair.exe

pid process

4716 Loud Chair.exe
Executes dropped EXE 1 IoCs

Processes:

ldr_ys99OTIzw.exe

pid process

2912 ldr_ys99OTIzw.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

Loud Chair.exeldr_ys99OTIzw.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN Loud Chair.exe
File opened (read-only) \??\VBoxMiniRdrDN ldr_ys99OTIzw.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Loud Chair.exeldr_ys99OTIzw.exe

pid process

4716 Loud Chair.exe
4716 Loud Chair.exe
2912 ldr_ys99OTIzw.exe
2912 ldr_ys99OTIzw.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Loud Chair.exe

pid process

4716 Loud Chair.exe

pid	process
4716	Loud Chair.exe

pid	process
2912	ldr_ys99OTIzw.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Loud Chair.exe
File opened (read-only)	\??\VBoxMiniRdrDN	ldr_ys99OTIzw.exe

pid	process
4716	Loud Chair.exe
4716	Loud Chair.exe
2912	ldr_ys99OTIzw.exe
2912	ldr_ys99OTIzw.exe

pid	process
4716	Loud Chair.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Loud Chair.exe

description	pid	process	target process
PID 4716 wrote to memory of 2912	4716	Loud Chair.exe	ldr_ys99OTIzw.exe
PID 4716 wrote to memory of 2912	4716	Loud Chair.exe	ldr_ys99OTIzw.exe

C:\Users\Admin\AppData\Local\Temp\UB Downloads 6.4.24\UB Downloads\Loud Chair.exe
"C:\Users\Admin\AppData\Local\Temp\UB Downloads 6.4.24\UB Downloads\Loud Chair.exe"
1⤵
- Looks for VMWare Tools registry key
- Deletes itself
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\UB Downloads 6.4.24\UB Downloads\ldr_ys99OTIzw.exe
"ldr_ys99OTIzw.exe" "C:\Users\Admin\AppData\Local\Temp\UB Downloads 6.4.24\UB Downloads\Loud Chair.exe"
2⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UB Downloads 6.4.24\UB Downloads\ldr_ys99OTIzw.exe

Filesize
15.5MB

MD5
553fecac1e9b5c62dd18bbed6b9f9385

SHA1
274eefffcacbe1344210a5a53ab433d3946ff9f4

SHA256
780147aaca8ed34c3f14914be968447a697a5dd4eefa2b15fc9d5baa8bc1bce7

SHA512
1810637949e9136baf5a4bb42158590f4b89ac7993b74b6de73db6c37017565e3f5048fa707fce5e33c0f448437971dd103aa4b3ad9959b489546bcfc2dc1606

Download Submit
memory/2912-11-0x00007FF91A970000-0x00007FF91A972000-memory.dmp

Filesize
8KB

Download
memory/2912-12-0x00007FF6DDF80000-0x00007FF6DFA06000-memory.dmp

Filesize
26.5MB

Download
memory/2912-13-0x00007FF6DDF80000-0x00007FF6DFA06000-memory.dmp

Filesize
26.5MB

Download
memory/2912-19-0x00007FF6DDF80000-0x00007FF6DFA06000-memory.dmp

Filesize
26.5MB

Download
memory/4716-0-0x00007FF91A970000-0x00007FF91A972000-memory.dmp

Filesize
8KB

Download
memory/4716-2-0x00007FF786420000-0x00007FF787A8A000-memory.dmp

Filesize
22.4MB

Download
memory/4716-1-0x00007FF786420000-0x00007FF787A8A000-memory.dmp

Filesize
22.4MB

Download
memory/4716-9-0x00007FF786420000-0x00007FF787A8A000-memory.dmp

Filesize
22.4MB

Download