Analysis
max time kernel: 101s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/05/2025, 16:09
Static task: static1
Behavioral task: behavioral1
  Sample: VioletClient_protected.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: VioletClient_protected.exe
  Resource: win11-20250502-en
General
Target: VioletClient_protected.exe
Size: 459KB
MD5: eaf9c62f7cdb70a7a58524d9e209ed92
SHA1: e287505193f0f4efef2a7aaa0d70ba86f4e30d03
SHA256: 7304c9b3a88f8d9a39979bde599a09f7f3e8eac2ec9368e8fc61744fb9881fca
SHA512: 34264e68b007094ea68b25be43117075a9f806f85e61b4923fe4d124a7271eff1297231d981b7a884bd82f947307ded3f9cb05a3adf33a612baa761ad5e2f425
SSDEEP: 12288:VOsZNsT9tIWr+qkM44sUxXqkSouWWmpBDP892t5nKYG/+C88WQvp6ZqofPx/1OBF:cC8
Malware Config
Signatures
- Drops startup file (2 IoCs)
    description                   ioc                                                                                                         Process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VioletClient_protected.exe   VioletClient_protected.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VioletClient_protected.exe   VioletClient_protected.exe
- Executes dropped EXE (1 IoC)
    pid   Process
    1368  VioletClient_protected.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
    description      ioc                                                                                                                                                                                         Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\VioletClient_protected = "C:\\Users\\Admin\\AppData\\Roaming\\VioletClient_protected.exe"  VioletClient_protected.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
    pid   Process
    5884  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   Process
    3580  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   1604  VioletClient_protected.exe
    Token: SeDebugPrivilege   1368  VioletClient_protected.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
    description                        pid   Process                     procid_target
    PID 1604 wrote to memory of 3580   1604  VioletClient_protected.exe  82
    PID 1604 wrote to memory of 3580   1604  VioletClient_protected.exe  82
    PID 4736 wrote to memory of 1368   4736  cmd.exe                     87
    PID 4736 wrote to memory of 1368   4736  cmd.exe                     87
    PID 1604 wrote to memory of 5708   1604  VioletClient_protected.exe  89
    PID 1604 wrote to memory of 5708   1604  VioletClient_protected.exe  89
    PID 1604 wrote to memory of 5432   1604  VioletClient_protected.exe  91
    PID 1604 wrote to memory of 5432   1604  VioletClient_protected.exe  91
    PID 5432 wrote to memory of 5884   5432  cmd.exe                     93
    PID 5432 wrote to memory of 5884   5432  cmd.exe                     93
- Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe"
  PID: 1604
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "VioletClient_protected" /tr "C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe"
    PID: 3580
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "VioletClient_protected"
    PID: 5708
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF5F.tmp.bat""
    PID: 5432
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 5884
      - Delays execution with timeout.exe
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
  PID: 4736
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
    Command line: C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
    PID: 1368
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads