Analysis

  • max time kernel
    120s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-08-2024 01:41

General

  • Target

    SetupDTSB.exe

  • Size

    120KB

  • MD5

    f123981c00295ae5fa1e16b781ffb435

  • SHA1

    4c62e0f9234b215a77ecb2bd4c7f7c254982cb7b

  • SHA256

    f2560b0e66b9a629ee7184997f25f27786448ef9cc17df56b69c94b39d43da5c

  • SHA512

    766f9039c8fb0df9bc4e42611e545b4902ea97e3ee9d9208da4a7e09835f269bfbd5a3a9e95a5e26a60d3f78fe69d58871a8557d65390195ea70edc2a5573dc3

  • SSDEEP

    3072:lny3UW0DorSWuZLNCknVPtKcstLDJxaE5XU3qdsslyIU:Z5/fWShjZqtLDOE5XnX

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SetupDTSB.exe
    "C:\Users\Admin\AppData\Local\Temp\SetupDTSB.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
      "C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe" /cfg:DAEM040601
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:5080
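
The Signatures section and the process tree above amount to a short detection checklist: a registry lookup of the configured country code, a file dropped under Program Files (x86) by a process running from the user's Temp directory, that dropped file being executed, a cross-process WriteProcessMemory call, and a Run key being written by the child. The script below is an added example, not part of this report and not code from the sample: it replays a few constructed API-trace events (a simplified record shape, not the sandbox's own output) that mirror the tree above and flags each behaviour. The registry paths it matches on, the GeoID value under Control Panel\International\Geo and the CurrentVersion\Run key, are assumptions about what the sandbox signatures refer to; the report does not name the keys. The ATT&CK IDs in the comments are the standard ones for those behaviours.

```python
"""Replay constructed API-trace events and flag the behaviours this report
lists. Added example; the event shape and the registry paths are assumptions,
not the sandbox's format or the sample's actual keys."""
import re
from collections import defaultdict

# Assumed key behind "Checks computer location settings": Windows keeps the
# user's GeoID (country code) here.                       ATT&CK T1614
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Assumed persistence location for "Adds Run key".        ATT&CK T1547.001
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PROGFILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)

PARENT = r"C:\Users\Admin\AppData\Local\Temp\SetupDTSB.exe"
CHILD = (r"C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer"
         r"\DaemonTools_WhenUSaveNow_Installer.exe")

# Constructed events. PIDs, images and the command line follow the process
# tree in the report; registry keys are the assumed ones; order is made up.
EVENTS = [
    {"api": "RegQueryValueExW", "pid": 1400, "image": PARENT,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"api": "NtWriteFile", "pid": 1400, "image": PARENT, "path": CHILD},
    {"api": "CreateProcessW", "pid": 1400, "image": PARENT, "child_pid": 5080,
     "command_line": f'"{CHILD}" /cfg:DAEM040601'},
    {"api": "WriteProcessMemory", "pid": 1400, "image": PARENT, "target_pid": 5080},
    {"api": "RegSetValueExW", "pid": 5080, "image": CHILD,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "DaemonTools_WhenUSaveNow_Installer", "data": f'"{CHILD}"'},
    # Benign noise: a registry read that no rule should match.
    {"api": "RegQueryValueExW", "pid": 5080, "image": CHILD,
     "key": r"HKCU\Software\Classes\Local Settings"},
]


def exe_from_cmdline(cmdline):
    """Return the executable path from a Windows command line (quoted or not)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def triage(events):
    """Map rule name -> list of (pid, detail) for every event that matched."""
    hits = defaultdict(list)
    dropped = set()  # files written under Program Files by a Temp-resident process
    for ev in events:
        api, pid = ev["api"], ev["pid"]
        if api.startswith("RegQueryValueEx") and GEO_KEY_RE.search(ev["key"]):
            hits["geofence_lookup"].append((pid, ev["key"]))
        elif api in ("NtWriteFile", "WriteFile") and PROGFILES_RE.match(ev["path"]):
            hits["drops_in_program_files"].append((pid, ev["path"]))
            if TEMP_DIR_RE.search(ev["image"]):
                dropped.add(ev["path"].lower())
        elif api.startswith("CreateProcess"):
            exe = exe_from_cmdline(ev["command_line"])
            if exe.lower() in dropped:
                hits["executes_dropped_exe"].append((ev["child_pid"], exe))
        elif api == "WriteProcessMemory" and ev["target_pid"] != pid:
            # Cross-process write: worth a look, but not proof of injection.
            hits["cross_process_write"].append((pid, ev["target_pid"]))
        elif api.startswith("RegSetValueEx") and RUN_KEY_RE.search(ev["key"]):
            hits["run_key_persistence"].append((pid, ev.get("data", "")))
    return dict(hits)


if __name__ == "__main__":
    for rule, matches in triage(EVENTS).items():
        for pid, detail in matches:
            print(f"{rule:24} pid={pid} {detail}")
```

Feeding the same rules a real trace means mapping the sandbox's event records onto the `api`, `pid`, `image` and `key`/`path` fields used here; the rule logic itself does not change. The Temp-to-Program Files drop-and-execute chain is the strongest single indicator in this tree, since legitimate installers rarely stage their payload from the user's Temp directory and then immediately write a Run key for it.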

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\SETB14E.tmp

    Filesize

    145KB

    MD5

    ac3ca8dbdf80e7b92b453b06ee7605e8

    SHA1

    60f7c3675c6ab4091cd6ef28cc7ba0521c25856a

    SHA256

    d010abc6e90faaa66cadd443006b809500e4409abc88d8ac04b04a6d3ab03aef

    SHA512

    ddfb24240415eaf5dc502af4332f9a56a8b6545a0362ef95dfaa358c19d498ecdfeabb7e0f7f303818c53aa41e788df775b5911588f499291e64111db2d04d91

  • C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\vvsn.cfg

    Filesize

    232B

    MD5

    73f5de3bcb5f2386db6e24e1950d2112

    SHA1

    591a1d24d79befa5dc01c3703a2ba2b26a6048eb

    SHA256

    c561d3af2aac4324598519f57d2efadfcec65d52d7108c5dedf93be8fbae7bf9

    SHA512

    afa985f165067890554a4c34618654da1a9d5f42c03110e491c9d88e9a2008a25d392591784b9fc37148570276651d3f56b3b8af517ab69f0d424fb6be548e87

  • C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\vvsn.cfg

    Filesize

    276B

    MD5

    39e4171130c47cf8f9727bfd1c0311ac

    SHA1

    fa8be1fa15ed98e81017d31fadb6ca0000be12b4

    SHA256

    4895509f0ed7cc2233a59188a1802febd52719555ab9808496b00154a13bae9c

    SHA512

    b79a025b9b0128725f870d7f5648b255726f75ff8ff64fc92bba75b0a469ac27dc82e3b2e7625a11259e17e771de10a5ff9bd8cf3620e8825dba595db023f16e