044c16cdbc6ec18f58bfecaacf4d4e21150a19d8d10c694c4a4c3085697499a2

Analysis

max time kernel
136s
max time network
143s
platform
windows7_x64
resource
win7v20201028
submitted
04-01-2021 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DTEPlanoWS.exe

pid process

1476 DTEPlanoWS.exe

pid	process
1476	DTEPlanoWS.exe

Drops startup file 1 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DTEPlanoWS.lnk	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

Loads dropped DLL 13 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exeDTEPlanoWS.exe

pid	process
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
1476	DTEPlanoWS.exe
1476	DTEPlanoWS.exe
1476	DTEPlanoWS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

description	ioc	process
File created	C:\Program Files (x86)\DTEPlanoWS\ImprimirTicket.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\WSClient.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\SIIPLANO.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\DTEUtils.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\Util\Config.xml	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\SumatraPDF.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\Update.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\Util\Config_linux.xml	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\uninst.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\sumatrapdfprefs.dat	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe.config	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\FTPClient.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\BOLETA.xsd	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\FacturacionCLPrint_App.jar	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File opened for modification	C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.url	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DTEPlanoWS.exe

pid process

1476 DTEPlanoWS.exe
1476 DTEPlanoWS.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

DTEPlanoWS.exe

pid process

1476 DTEPlanoWS.exe
1476 DTEPlanoWS.exe

pid	process
1476	DTEPlanoWS.exe
1476	DTEPlanoWS.exe

pid	process
1476	DTEPlanoWS.exe
1476	DTEPlanoWS.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exeDTEPlanoWS.execsc.exe

description	pid	process	target process
PID 1864 wrote to memory of 1476	1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe	DTEPlanoWS.exe
PID 1864 wrote to memory of 1476	1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe	DTEPlanoWS.exe
PID 1864 wrote to memory of 1476	1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe	DTEPlanoWS.exe
PID 1864 wrote to memory of 1476	1864	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe	DTEPlanoWS.exe
PID 1476 wrote to memory of 1788	1476	DTEPlanoWS.exe	csc.exe
PID 1476 wrote to memory of 1788	1476	DTEPlanoWS.exe	csc.exe
PID 1476 wrote to memory of 1788	1476	DTEPlanoWS.exe	csc.exe
PID 1476 wrote to memory of 1788	1476	DTEPlanoWS.exe	csc.exe
PID 1788 wrote to memory of 1588	1788	csc.exe	cvtres.exe
PID 1788 wrote to memory of 1588	1788	csc.exe	cvtres.exe
PID 1788 wrote to memory of 1588	1788	csc.exe	cvtres.exe
PID 1788 wrote to memory of 1588	1788	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
"C:\Users\Admin\AppData\Local\Temp\b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
"C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uyaezvik.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9741.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9731.tmp"
4⤵
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe.config
MD5
5b8078db7c819d633c2b9726224d9a37

SHA1
d55ea5acd345e408f2ecdb40e984cc6b1d7b4bbc

SHA256
fbefd909d73eb28d202f950c7f3766b7035a1fe31f71a540bc66061891021ffe

SHA512
f47ff215686d23b49a6000beda5c16c7b2bef7436da8df298cf63d0c57bcd6ae4f4b09f9b101feab48d49f0b1ec3eb8833e2e4fc16bf880c9dc09e8cd9ca07dd

Download Submit
C:\Program Files (x86)\DTEPlanoWS\Util\Config.xml
MD5
77552ae77fc0f36575212a152f46fcea

SHA1
8d25b828eeccc315e63678ee4fbaaea8de04990b

SHA256
69436fe3ca9173203bb7098ceaeea08cd83bebb148c9b86ded2689a38156365f

SHA512
2a4575ba335833b3180ba94f964909a4396a1fb38d8b1a1432ca9670e32794b58d08dbea1f1b93f91354e7f559f3238b44a011bd4515934137d193c9946c4d8c

Download Submit
C:\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9741.tmp
MD5
6ea8024734b13d5d9514f93123c4dc66

SHA1
57b80c60d3a5a8e9f226180d51f1e5652a705a2f

SHA256
613fbe547ecf8b9e570de4d4d2bad1d81af2dbd099e5a6f26084ae2e65b35249

SHA512
446dcba9098761f71ed4539b69ac2325ac41b1d5c5c6e2eb8e98ecbacf00644d83e9d6f812a54d417069aeb78123621944e58811e9c013c4a0309b8bf38850c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyaezvik.dll
MD5
84e86f980f637e5c015500927d11f20c

SHA1
30e82205083a0d27bc02207bf829adc68ac29743

SHA256
eab99f0c34b97fdc83625c93abd28b82a571762971e9331c27a5de11bf36c492

SHA512
f0db90644416128bdb8466ece262d6d21dbd949512dc55c7774bfce773228e512a3cb1d7be2c1c96fd75010c431d78f35ea79c1ded06cb5c77c10311d0f07ffa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9731.tmp
MD5
190c6270b312f4f30948f246f4ccfee8

SHA1
26db060fa679ca2f9978d42e2c1393b52a983e93

SHA256
e772b45ce1e89785fb7717eacd5b002cc534f8cb27bf9be7e595408fca21486b

SHA512
3f83c636f5a10cca73b8d902acd1c9c7b0ad519b6223d5864817d64f5f00b7c886a4206d8fcbc4a3c6f49c5aa263f36ad3ce782cfea19df3656d232204eea47d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uyaezvik.0.cs
MD5
9f420e0fc011e100a43c189f2b5f1123

SHA1
c32745f3e4287d160beca37a3d17c675e70783b5

SHA256
f271a46e35ee2c15148794ca13f3bf19539c9014eac77c97c71b659f514cb28d

SHA512
cfc145f420278670b1d830740ca84714fee2ed5ab9d8f71541e63182dff61044efc38e3e6589123aa63637ac21c51d2e4e113743a5e1653f5c6b96919af2152c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uyaezvik.cmdline
MD5
6c2a56ace0606ec18529130ff78f3584

SHA1
e9c074cfd0f49e8ec511ee458d781832dba3a480

SHA256
8fdd9796b9b69bb079db4a65435c2d28503ddfe57ea567024ccb04340b8c6422

SHA512
a07c4d4e1f2d6fbf90a55631aabbc7d9e87cef24996dfa29f0f1541cb83f1420e9d4f7df81a051e135f746498cdf8602c376b27816433e6b8f25e58c99cd0435

Download Submit
\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7927.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7927.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7927.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7927.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7927.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/1476-12-0x0000000000000000-mapping.dmp

Download
memory/1588-23-0x0000000000000000-mapping.dmp

Download
memory/1788-20-0x0000000000000000-mapping.dmp

Download