Analysis
-
max time kernel
52s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
23-11-2022 13:04
Static task
static1
Behavioral task
behavioral1
Sample
violett/violett_checker.exe
Resource
win10v2004-20220812-en
General
-
Target
violett/violett_checker.exe
-
Size
16.7MB
-
MD5
8b19826d2a8fb9801d8e33b668fbb435
-
SHA1
940b8ef66a98f89ac19b40bd738e4f4efedf5445
-
SHA256
3cd716bb2a413584ddd75c8dbc813e337c77e8ae424353f9ade226f25de81813
-
SHA512
3dd6da80af4617ad2f8755773ad719455138a6b4d612061755e4ab5d278cfee936d57bf6bc770ee74bdd1313640b33043d4c9e52258b4d33532453c1619c62bd
-
SSDEEP
393216:5naV9L0TrymvAHgUMJv39kRe5FMMpjAMhVuVOPW:U9L06mpbv3nvpjAMhV8O
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4364  violettchecker.exe
1836  svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
process: violett_checker.exe
-
Drops startup file 2 IoCs
Processes:
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
process: svchost.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
process: svchost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
process: svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
4364  violettchecker.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
4364  violettchecker.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
4364  violettchecker.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                       pid   process              target process
PID 1828 wrote to memory of 4364  1828  violett_checker.exe  violettchecker.exe
PID 1828 wrote to memory of 4364  1828  violett_checker.exe  violettchecker.exe
PID 1828 wrote to memory of 1836  1828  violett_checker.exe  svchost.exe
PID 1828 wrote to memory of 1836  1828  violett_checker.exe  svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\violett\violett_checker.exe
"C:\Users\Admin\AppData\Local\Temp\violett\violett_checker.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\violettchecker.exe
  "C:\Users\Admin\AppData\Local\Temp\violettchecker.exe"
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
40KB
MD5
70e4d5e6bb47542d9a03d2c9992bcce2
SHA1
1f96ccb5df4defcfd4ab433d71d8f08500c8fcd2
SHA256
6f5d468a66247b4c88d3750f6478720ddd7058b2d49b3b08e2d176a1bb5a5f84
SHA512
2513dba8a843d841a8d4b2ebdf0220b853e8e90e37b986dffe856fb874f713b08369318b55e0981212c9924d1c156bf35470c472f8e36327b92842d0e3f4a0aa
-
C:\Users\Admin\AppData\Local\Temp\violettchecker.exe
Filesize
16.6MB
MD5
00c9e8a4703997c615d8d8d57fff3671
SHA1
7fef4fc99d931f907b60fad34eba9b2eaee83b7e
SHA256
ba8d2e5e2dfb39afcbba1b7be45237b22715f14f19ec1dacb17d083a3fe3c236
SHA512
40d703d58f9e49758aa56bba318375291a3e4cf1f96531d5e088eeb133667ee43a45f8794accdb76fe266d532ad93b4a3d2fb59c19e8adff1686325d37a68fbe
-
memory/1836-135-0x0000000000000000-mapping.dmp
-
memory/1836-138-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize
64KB
-
memory/1836-139-0x00007FF833AC0000-0x00007FF834581000-memory.dmp
Filesize
10.8MB
-
memory/1836-140-0x00007FF833AC0000-0x00007FF834581000-memory.dmp
Filesize
10.8MB
-
memory/4364-132-0x0000000000000000-mapping.dmp