ff95ef4991b31a1e2d3a0acbccb205234842bf2e1157510846d01136a6b26a31

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Loud Chair.exe
Size

18.9MB
MD5

e85d8cd73a221953c10c6ae719c4daae
SHA1

a78ad50dd874b8a159c1300035927ffae558930f
SHA256

320d56906b73e07663ae65f53e6ee1008042e3ecdd640f34d60e48c035fa7eb5
SHA512

10c36ff7963159f6b76e80105aefefef3d6a075ad6d9d9a79397ce4f24f9f2f8deed59033543b0722614340ac9a9524c466509c609458b0160d826bc8e77fcd2
SSDEEP

393216:Infyt2vkj2gwfhbjlZDnJAKqnPg69iG4C7NH:tt2Q2XtRtnmVFJp

Score

8^/10

evasion

Malware Config

Signatures

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Loud Chair.exeldr_aAuVbFk9A.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Loud Chair.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	ldr_aAuVbFk9A.exe

Deletes itself 1 IoCs

Processes:

Loud Chair.exe

pid process

3444 Loud Chair.exe
Executes dropped EXE 1 IoCs

Processes:

ldr_aAuVbFk9A.exe

pid process

1852 ldr_aAuVbFk9A.exe
Loads dropped DLL 1 IoCs

Processes:

ldr_aAuVbFk9A.exe

pid process

1852 ldr_aAuVbFk9A.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

Loud Chair.exeldr_aAuVbFk9A.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN Loud Chair.exe
File opened (read-only) \??\VBoxMiniRdrDN ldr_aAuVbFk9A.exe

pid	process
1852	ldr_aAuVbFk9A.exe

pid	process
1852	ldr_aAuVbFk9A.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Loud Chair.exe
File opened (read-only)	\??\VBoxMiniRdrDN	ldr_aAuVbFk9A.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Loud Chair.exeldr_aAuVbFk9A.exe

pid	process
3444	Loud Chair.exe
3444	Loud Chair.exe
3444	Loud Chair.exe
3444	Loud Chair.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe
1852	ldr_aAuVbFk9A.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

Loud Chair.exe

pid process

3444 Loud Chair.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Loud Chair.exe

description	pid	process	target process
PID 3444 wrote to memory of 1852	3444	Loud Chair.exe	ldr_aAuVbFk9A.exe
PID 3444 wrote to memory of 1852	3444	Loud Chair.exe	ldr_aAuVbFk9A.exe

cURL User-Agent 3 IoCs
Uses User-Agent string associated with cURL utility.

Processes:

description flow ioc

HTTP User-Agent header 13 curl/8.4.0-DEV
HTTP User-Agent header 14 curl/8.4.0-DEV
HTTP User-Agent header 17 curl/8.4.0-DEV

description	flow	ioc
HTTP User-Agent header	13	curl/8.4.0-DEV
HTTP User-Agent header	14	curl/8.4.0-DEV
HTTP User-Agent header	17	curl/8.4.0-DEV

C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\Loud Chair.exe
"C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\Loud Chair.exe"
1⤵
- Looks for VMWare Tools registry key
- Deletes itself
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\ldr_aAuVbFk9A.exe
"ldr_aAuVbFk9A.exe" "C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\Loud Chair.exe"
2⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\ldr_aAuVbFk9A.exe

Filesize
19.0MB

MD5
30b4515fa20df6cf7de8fe24e696fcda

SHA1
794af0ec4e940b295585b53bdf64376cdf43e1ee

SHA256
b1a1599bcb318a415df8a9599ef8826cd231ab8f69fec6cb2a7dd736883fdfe0

SHA512
5d9d6abc9f85ccb5e6cf7c4d367aced6a3ab2d160ba2db3ab4a1990377209c637f9a27a23ffb1d8b59a4012bf2c3f608e8571390c291356b134f304835c6ce2d

Download Submit
memory/1852-14-0x00007FF83AE50000-0x00007FF83AE52000-memory.dmp

Filesize
8KB

Download
memory/1852-17-0x00007FF70D940000-0x00007FF70F9EF000-memory.dmp

Filesize
32.7MB

Download
memory/1852-20-0x00007FF70D940000-0x00007FF70F9EF000-memory.dmp

Filesize
32.7MB

Download
memory/3444-0-0x00007FF83AE50000-0x00007FF83AE52000-memory.dmp

Filesize
8KB

Download
memory/3444-3-0x00007FF733EF7000-0x00007FF734ADF000-memory.dmp

Filesize
11.9MB

Download
memory/3444-1-0x00007FF733D50000-0x00007FF735DD0000-memory.dmp

Filesize
32.5MB

Download
memory/3444-6-0x00007FF733D50000-0x00007FF735DD0000-memory.dmp

Filesize
32.5MB

Download
memory/3444-11-0x00007FF733D50000-0x00007FF735DD0000-memory.dmp

Filesize
32.5MB

Download
memory/3444-13-0x00007FF733EF7000-0x00007FF734ADF000-memory.dmp

Filesize
11.9MB

Download