Overview
overview
9Static
static
7UB Downloa...ir.exe
windows7-x64
1UB Downloa...ir.exe
windows10-2004-x64
8UB Downloa...or.exe
windows7-x64
9UB Downloa...or.exe
windows10-2004-x64
9UB Downloa...ix.bat
windows7-x64
1UB Downloa...ix.bat
windows10-2004-x64
1UB Downloa...h2.exe
windows7-x64
5UB Downloa...h2.exe
windows10-2004-x64
5UB Downloa...ix.bat
windows7-x64
9UB Downloa...ix.bat
windows10-2004-x64
9UB Downloa...ix.bat
windows7-x64
1UB Downloa...ix.bat
windows10-2004-x64
1UB Downloa...b1.exe
windows7-x64
5UB Downloa...b1.exe
windows10-2004-x64
5UB Downloa...ix.bat
windows7-x64
9UB Downloa...ix.bat
windows10-2004-x64
9Analysis
-
max time kernel
145s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15-07-2024 10:20
Behavioral task
behavioral1
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Loud Chair.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Loud Chair.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Privacy Protector.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Privacy Protector.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/UB Silent/bsod fix.bat
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/UB Silent/bsod fix.bat
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/UB Silent/u237cgatAh2.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/UB Silent/u237cgatAh2.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/UB Silent/w11 fix.bat
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/UB Silent/w11 fix.bat
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Unlock All/bsod fix.bat
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Unlock All/bsod fix.bat
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Unlock All/nRi28Wtqb1.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Unlock All/nRi28Wtqb1.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Unlock All/w11 fix.bat
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Unlock All/w11 fix.bat
Resource
win10v2004-20240709-en
General
-
Target
UB Downloads 12.6.24/UB Downloads 12.6.24/UB Downloads/Loud Chair.exe
-
Size
18.9MB
-
MD5
e85d8cd73a221953c10c6ae719c4daae
-
SHA1
a78ad50dd874b8a159c1300035927ffae558930f
-
SHA256
320d56906b73e07663ae65f53e6ee1008042e3ecdd640f34d60e48c035fa7eb5
-
SHA512
10c36ff7963159f6b76e80105aefefef3d6a075ad6d9d9a79397ce4f24f9f2f8deed59033543b0722614340ac9a9524c466509c609458b0160d826bc8e77fcd2
-
SSDEEP
393216:Infyt2vkj2gwfhbjlZDnJAKqnPg69iG4C7NH:tt2Q2XtRtnmVFJp
Malware Config
Signatures
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
Loud Chair.exeldr_aAuVbFk9A.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Loud Chair.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools ldr_aAuVbFk9A.exe -
Deletes itself 1 IoCs
Processes:
Loud Chair.exepid process 3444 Loud Chair.exe -
Executes dropped EXE 1 IoCs
Processes:
ldr_aAuVbFk9A.exepid process 1852 ldr_aAuVbFk9A.exe -
Loads dropped DLL 1 IoCs
Processes:
ldr_aAuVbFk9A.exepid process 1852 ldr_aAuVbFk9A.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
Loud Chair.exeldr_aAuVbFk9A.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN Loud Chair.exe File opened (read-only) \??\VBoxMiniRdrDN ldr_aAuVbFk9A.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
Loud Chair.exeldr_aAuVbFk9A.exepid process 3444 Loud Chair.exe 3444 Loud Chair.exe 3444 Loud Chair.exe 3444 Loud Chair.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe 1852 ldr_aAuVbFk9A.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Loud Chair.exepid process 3444 Loud Chair.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Loud Chair.exedescription pid process target process PID 3444 wrote to memory of 1852 3444 Loud Chair.exe ldr_aAuVbFk9A.exe PID 3444 wrote to memory of 1852 3444 Loud Chair.exe ldr_aAuVbFk9A.exe -
cURL User-Agent 3 IoCs
Uses User-Agent string associated with cURL utility.
Processes:
description flow ioc HTTP User-Agent header 13 curl/8.4.0-DEV HTTP User-Agent header 14 curl/8.4.0-DEV HTTP User-Agent header 17 curl/8.4.0-DEV
Processes
-
C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\Loud Chair.exe"C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\Loud Chair.exe"1⤵
- Looks for VMWare Tools registry key
- Deletes itself
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\ldr_aAuVbFk9A.exe"ldr_aAuVbFk9A.exe" "C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\Loud Chair.exe"2⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
PID:1852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\UB Downloads 12.6.24\UB Downloads 12.6.24\UB Downloads\ldr_aAuVbFk9A.exe
Filesize19.0MB
MD530b4515fa20df6cf7de8fe24e696fcda
SHA1794af0ec4e940b295585b53bdf64376cdf43e1ee
SHA256b1a1599bcb318a415df8a9599ef8826cd231ab8f69fec6cb2a7dd736883fdfe0
SHA5125d9d6abc9f85ccb5e6cf7c4d367aced6a3ab2d160ba2db3ab4a1990377209c637f9a27a23ffb1d8b59a4012bf2c3f608e8571390c291356b134f304835c6ce2d