Analysis

  • max time kernel
    101s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/05/2025, 16:09

General

  • Target

    VioletClient_protected.exe

  • Size

    459KB

  • MD5

    eaf9c62f7cdb70a7a58524d9e209ed92

  • SHA1

    e287505193f0f4efef2a7aaa0d70ba86f4e30d03

  • SHA256

    7304c9b3a88f8d9a39979bde599a09f7f3e8eac2ec9368e8fc61744fb9881fca

  • SHA512

    34264e68b007094ea68b25be43117075a9f806f85e61b4923fe4d124a7271eff1297231d981b7a884bd82f947307ded3f9cb05a3adf33a612baa761ad5e2f425

  • SSDEEP

    12288:VOsZNsT9tIWr+qkM44sUxXqkSouWWmpBDP892t5nKYG/+C88WQvp6ZqofPx/1OBF:cC8

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "VioletClient_protected" /tr "C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3580
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "VioletClient_protected"
      2⤵
      PID:5708
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF5F.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5432
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:5884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
        C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1368

Network

MITRE ATT&CK Enterprise v16

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VioletClient_protected.exe.log

            Filesize

            1KB

            MD5

            4a01567f513143419390cb40e6abaf71

            SHA1

            d0d714d6e526a652fc4e5de4e6040d6b0e7687ab

            SHA256

            6efaeb6a1b391155453a57c7e437575bb18efc174f3099d984d9dea49eecebad

            SHA512

            379fcb42d0f72d302482fadd4f25cbfa9c5f6a9c50222877d0eed91f237ec688eb52f65ee0d3fccfd017a6b14bd36f34fa0b77a388728fe3942a981322d7a4bc

          • C:\Users\Admin\AppData\Local\Temp\tmpFF5F.tmp.bat

            Filesize

            174B

            MD5

            4788c8214727bd55b129a3138d96886b

            SHA1

            3a5f8185ce339a5cb937ca9fcbf4ce09c6338365

            SHA256

            e3d09e90cfea6240d132b6cab574483455a8ceb09f6fc058c541f3340a6dd1fc

            SHA512

            80f63d90b4b61e3183def492139a35fbec73bbbcfaf05ec2c37f3489001dcedf710e5a70dd842520aebf611ab34bc1dc28aee857373ad921181b0de6481c862f

          • C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe

            Filesize

            459KB

            MD5

            eaf9c62f7cdb70a7a58524d9e209ed92

            SHA1

            e287505193f0f4efef2a7aaa0d70ba86f4e30d03

            SHA256

            7304c9b3a88f8d9a39979bde599a09f7f3e8eac2ec9368e8fc61744fb9881fca

            SHA512

            34264e68b007094ea68b25be43117075a9f806f85e61b4923fe4d124a7271eff1297231d981b7a884bd82f947307ded3f9cb05a3adf33a612baa761ad5e2f425

          • memory/1368-9-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp

            Filesize

            10.8MB

          • memory/1368-10-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp

            Filesize

            10.8MB

          • memory/1368-12-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp

            Filesize

            10.8MB

          • memory/1604-0-0x00007FFD2D973000-0x00007FFD2D975000-memory.dmp

            Filesize

            8KB

          • memory/1604-1-0x0000000000A70000-0x0000000000AEA000-memory.dmp

            Filesize

            488KB

          • memory/1604-2-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp

            Filesize

            10.8MB

          • memory/1604-13-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp

            Filesize

            10.8MB

          • memory/1604-14-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

            Filesize

            40KB

          • memory/1604-20-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp

            Filesize

            10.8MB