Overview
overview
9Static
static
7Downloads ...v2.exe
windows7-x64
9Downloads ...v2.exe
windows10-2004-x64
9Downloads ...S2.exe
windows7-x64
1Downloads ...S2.exe
windows10-2004-x64
1Downloads ...ir.exe
windows7-x64
1Downloads ...ir.exe
windows10-2004-x64
8Downloads ...er.exe
windows7-x64
9Downloads ...er.exe
windows10-2004-x64
9Downloads ...or.exe
windows7-x64
9Downloads ...or.exe
windows10-2004-x64
9Downloads ...q1.exe
windows7-x64
5Downloads ...q1.exe
windows10-2004-x64
5Downloads ...ix.bat
windows7-x64
1Downloads ...ix.bat
windows10-2004-x64
1Downloads ...ix.bat
windows7-x64
9Downloads ...ix.bat
windows10-2004-x64
9Downloads ...ix.bat
windows7-x64
1Downloads ...ix.bat
windows10-2004-x64
1Downloads ...b1.exe
windows7-x64
5Downloads ...b1.exe
windows10-2004-x64
5Downloads ...ix.bat
windows7-x64
9Downloads ...ix.bat
windows10-2004-x64
9Analysis
-
max time kernel
143s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11-08-2024 23:20
Behavioral task
behavioral1
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Blocker v2.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Blocker v2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/CS2.exe
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/CS2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Loud Chair.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Loud Chair.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Perm Woofer.exe
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Perm Woofer.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Privacy Protector.exe
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Privacy Protector.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/Byr723V3Cq1.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/Byr723V3Cq1.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/bsod fix.bat
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/bsod fix.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/w11 fix.bat
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Silent Chair/w11 fix.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/bsod fix.bat
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/bsod fix.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/nRi28Wtqb1.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/nRi28Wtqb1.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/w11 fix.bat
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
Downloads 12.6.24/Downloads 12.6.24/Downloads/Unlock All/w11 fix.bat
Resource
win10v2004-20240802-en
General
-
Target
Downloads 12.6.24/Downloads 12.6.24/Downloads/Loud Chair.exe
-
Size
18.9MB
-
MD5
e85d8cd73a221953c10c6ae719c4daae
-
SHA1
a78ad50dd874b8a159c1300035927ffae558930f
-
SHA256
320d56906b73e07663ae65f53e6ee1008042e3ecdd640f34d60e48c035fa7eb5
-
SHA512
10c36ff7963159f6b76e80105aefefef3d6a075ad6d9d9a79397ce4f24f9f2f8deed59033543b0722614340ac9a9524c466509c609458b0160d826bc8e77fcd2
-
SSDEEP
393216:Infyt2vkj2gwfhbjlZDnJAKqnPg69iG4C7NH:tt2Q2XtRtnmVFJp
Malware Config
Signatures
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
Loud Chair.exeldr_YuZkgLm.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Loud Chair.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools ldr_YuZkgLm.exe -
Deletes itself 1 IoCs
Processes:
Loud Chair.exepid process 4152 Loud Chair.exe -
Executes dropped EXE 1 IoCs
Processes:
ldr_YuZkgLm.exepid process 1860 ldr_YuZkgLm.exe -
Loads dropped DLL 1 IoCs
Processes:
ldr_YuZkgLm.exepid process 1860 ldr_YuZkgLm.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
Loud Chair.exeldr_YuZkgLm.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN Loud Chair.exe File opened (read-only) \??\VBoxMiniRdrDN ldr_YuZkgLm.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
Loud Chair.exeldr_YuZkgLm.exepid process 4152 Loud Chair.exe 4152 Loud Chair.exe 4152 Loud Chair.exe 4152 Loud Chair.exe 4152 Loud Chair.exe 4152 Loud Chair.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe 1860 ldr_YuZkgLm.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
ldr_YuZkgLm.exepid process 1860 ldr_YuZkgLm.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Loud Chair.exepid process 4152 Loud Chair.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
ldr_YuZkgLm.exepid process 1860 ldr_YuZkgLm.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Loud Chair.exedescription pid process target process PID 4152 wrote to memory of 1860 4152 Loud Chair.exe ldr_YuZkgLm.exe PID 4152 wrote to memory of 1860 4152 Loud Chair.exe ldr_YuZkgLm.exe -
cURL User-Agent 3 IoCs
Uses User-Agent string associated with cURL utility.
Processes:
description flow ioc HTTP User-Agent header 35 curl/8.4.0-DEV HTTP User-Agent header 25 curl/8.4.0-DEV HTTP User-Agent header 27 curl/8.4.0-DEV
Processes
-
C:\Users\Admin\AppData\Local\Temp\Downloads 12.6.24\Downloads 12.6.24\Downloads\Loud Chair.exe"C:\Users\Admin\AppData\Local\Temp\Downloads 12.6.24\Downloads 12.6.24\Downloads\Loud Chair.exe"1⤵
- Looks for VMWare Tools registry key
- Deletes itself
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\Downloads 12.6.24\Downloads 12.6.24\Downloads\ldr_YuZkgLm.exe"ldr_YuZkgLm.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads 12.6.24\Downloads 12.6.24\Downloads\Loud Chair.exe"2⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1860
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17.7MB
MD5be91f737d091cefe7e9a2b5ff5977940
SHA1e91eee49cc72f60b1e508f223325930d49279017
SHA2563499a62a6d2925919c64129ed353a87b7ad81ca136eac6e69e411f2018ceb3eb
SHA512953bce8ff0fdb9b8da371b1747e6c8278bd36f042816f0777a15ad12f4799524576090901024362aaf34e99ec3163563622202f27996fa4a47a41527f60c1ade