044c16cdbc6ec18f58bfecaacf4d4e21150a19d8d10c694c4a4c3085697499a2

Analysis

max time kernel
12s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
04-01-2021 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DTEPlanoWS.exe

pid process

4272 DTEPlanoWS.exe

pid	process
4272	DTEPlanoWS.exe

Drops startup file 1 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DTEPlanoWS.lnk	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

Loads dropped DLL 9 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exeDTEPlanoWS.exe

pid	process
4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
4272	DTEPlanoWS.exe
4272	DTEPlanoWS.exe
4272	DTEPlanoWS.exe
4272	DTEPlanoWS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

DTEPlanoWS.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	DTEPlanoWS.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	DTEPlanoWS.exe

Drops file in Program Files directory 16 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

description	ioc	process
File created	C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe.config	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\WSClient.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\DTEUtils.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\FTPClient.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\BOLETA.xsd	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File opened for modification	C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.url	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\uninst.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\ImprimirTicket.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\FacturacionCLPrint_App.jar	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\SumatraPDF.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\SIIPLANO.dll	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\Util\Config_linux.xml	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\sumatrapdfprefs.dat	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\Update.exe	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
File created	C:\Program Files (x86)\DTEPlanoWS\Util\Config.xml	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe

Drops file in Windows directory 3 IoCs

Processes:

DTEPlanoWS.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	DTEPlanoWS.exe
File created	C:\Windows\assembly\Desktop.ini	DTEPlanoWS.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	DTEPlanoWS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DTEPlanoWS.exe

pid process

4272 DTEPlanoWS.exe
4272 DTEPlanoWS.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

DTEPlanoWS.exe

pid process

4272 DTEPlanoWS.exe
4272 DTEPlanoWS.exe

pid	process
4272	DTEPlanoWS.exe
4272	DTEPlanoWS.exe

pid	process
4272	DTEPlanoWS.exe
4272	DTEPlanoWS.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exeDTEPlanoWS.execsc.exe

description	pid	process	target process
PID 4764 wrote to memory of 4272	4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe	DTEPlanoWS.exe
PID 4764 wrote to memory of 4272	4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe	DTEPlanoWS.exe
PID 4764 wrote to memory of 4272	4764	b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe	DTEPlanoWS.exe
PID 4272 wrote to memory of 4200	4272	DTEPlanoWS.exe	csc.exe
PID 4272 wrote to memory of 4200	4272	DTEPlanoWS.exe	csc.exe
PID 4272 wrote to memory of 4200	4272	DTEPlanoWS.exe	csc.exe
PID 4200 wrote to memory of 1932	4200	csc.exe	cvtres.exe
PID 4200 wrote to memory of 1932	4200	csc.exe	cvtres.exe
PID 4200 wrote to memory of 1932	4200	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
"C:\Users\Admin\AppData\Local\Temp\b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4764

C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
"C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fui4l3xo.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7863.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7862.tmp"
4⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe
MD5
6d7a348182b2884e49ee6da4f6802e84

SHA1
79aff821af6c019990a2963261705358842747ef

SHA256
33ecae88f892fe38cc3d4f9d87aca3a5d70834cc52282b4d3c08023cc1877ffc

SHA512
9bc2cd18325e570b0bfcf9b3b2ee729f34a3d04f8d44e010fd599d95e2d796fe5568ade9afbe7f70817a2d5a12441a37a4abb5836a7abed8528b75cc6c02f7af

Download Submit
C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe.config
MD5
5b8078db7c819d633c2b9726224d9a37

SHA1
d55ea5acd345e408f2ecdb40e984cc6b1d7b4bbc

SHA256
fbefd909d73eb28d202f950c7f3766b7035a1fe31f71a540bc66061891021ffe

SHA512
f47ff215686d23b49a6000beda5c16c7b2bef7436da8df298cf63d0c57bcd6ae4f4b09f9b101feab48d49f0b1ec3eb8833e2e4fc16bf880c9dc09e8cd9ca07dd

Download Submit
C:\Program Files (x86)\DTEPlanoWS\Util\Config.xml
MD5
77552ae77fc0f36575212a152f46fcea

SHA1
8d25b828eeccc315e63678ee4fbaaea8de04990b

SHA256
69436fe3ca9173203bb7098ceaeea08cd83bebb148c9b86ded2689a38156365f

SHA512
2a4575ba335833b3180ba94f964909a4396a1fb38d8b1a1432ca9670e32794b58d08dbea1f1b93f91354e7f559f3238b44a011bd4515934137d193c9946c4d8c

Download Submit
C:\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7863.tmp
MD5
507400c5e973a7e4313b8bbb8459baea

SHA1
549ca7d5da43ee987acb13bcfec440aaf0973a0d

SHA256
1fbc82a866d47045d7ba04647335e42881d3c53e6fe0bfebf4004ccdc9ae6a81

SHA512
20d2892fde534e2b01e84394c5d164b2880020c42326df24c03abecca4a750ebd07ee6a22d8609024af393fcf71d47af61d55951979c8653972227eb8a9b408d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fui4l3xo.dll
MD5
2c511c00abd3290eb9b0a66b32afe61b

SHA1
348c0b33ba5514264d21da60ba40f90bbd6e02ca

SHA256
6f5f356a5df8b0d1cbe7206d64ffbf67589badce4947d9a83bfc736cdf9edea6

SHA512
2bfffaaece09cc3ec78d43369fc12b121a1b80b25f32460abc7337c4bffcd7862338de794bacb5af5059a6adacefaba462288d87a5fd8b5767bf96e08c9cb290

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7862.tmp
MD5
326840bc252edd83eb7850685bc6f3f2

SHA1
c0fc2d62d84cab1a40700ea7dcc5c156e94f2e0a

SHA256
865261cf63270b63df7af5f5c1513f04d956d962c278ca23eb95e051d295009f

SHA512
ccb28b020737a5841e2b3454bcb9fc24bc678fd8dd4ada419372772edb36ab2706bc27a2635b5d240402e00077743f30dd3e5ec2a6b109decbf1ff3c5604cf61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fui4l3xo.0.cs
MD5
9f420e0fc011e100a43c189f2b5f1123

SHA1
c32745f3e4287d160beca37a3d17c675e70783b5

SHA256
f271a46e35ee2c15148794ca13f3bf19539c9014eac77c97c71b659f514cb28d

SHA512
cfc145f420278670b1d830740ca84714fee2ed5ab9d8f71541e63182dff61044efc38e3e6589123aa63637ac21c51d2e4e113743a5e1653f5c6b96919af2152c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fui4l3xo.cmdline
MD5
45f0eb680e8da5172c029812bce13105

SHA1
00924c9668bf95ad41e2143949be2a4d51bab5d7

SHA256
424e968c3e3efe59c6fd71cfc8ff8baf8d0c6d313f3428583adbe86f01f14fce

SHA512
c7adaeb6004549287091cc979348cee22a97f25eb691c5f6007966f96d5d0827948e86359a1934c3f2764f847fdeeba54888d6505171649e2e6eac5a6b572bef

Download Submit
\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
\Program Files (x86)\DTEPlanoWS\WSClient.dll
MD5
3697298639d843dff31428e7fa1574a4

SHA1
72cae96d80623ca32af7110daba9fb19d3c469ef

SHA256
ed8420b97f9f711da6f0ac0e8933456fe54721f830064a7770221258478846e1

SHA512
ae7de7dcd7d61d4ed24f171c2c19bd6d4619548aeba0dea772af61e9e80eebaf342269b79a3b143e43102483835d0a9b52613ca924aa72323fec34e02c28a1e8

Download Submit
\Users\Admin\AppData\Local\Temp\nsu6B15.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsu6B15.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsu6B15.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsu6B15.tmp\AccessControl.dll
MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
\Users\Admin\AppData\Local\Temp\nsu6B15.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/1932-19-0x0000000000000000-mapping.dmp

Download
memory/4200-16-0x0000000000000000-mapping.dmp

Download
memory/4272-7-0x0000000000000000-mapping.dmp

Download