Overview
overview
10Static
static
8146bcd0d72...26.exe
windows7_x64
10146bcd0d72...26.exe
windows10_x64
1021c3fb1754...59.exe
windows7_x64
1021c3fb1754...59.exe
windows10_x64
102a800cff45...68.exe
windows7_x64
72a800cff45...68.exe
windows10_x64
7332d5c33b7...d0.exe
windows7_x64
1332d5c33b7...d0.exe
windows10_x64
13571d9db00...bb.exe
windows7_x64
73571d9db00...bb.exe
windows10_x64
742fe522179...78.exe
windows7_x64
742fe522179...78.exe
windows10_x64
74bb0c1eec2...af.exe
windows7_x64
14bb0c1eec2...af.exe
windows10_x64
19d1871a7a1...26.exe
windows7_x64
39d1871a7a1...26.exe
windows10_x64
3a2d4e5d989...26.exe
windows7_x64
10a2d4e5d989...26.exe
windows10_x64
10aa7cce2f9f...61.exe
windows7_x64
8aa7cce2f9f...61.exe
windows10_x64
8b27ee400dd...33.exe
windows7_x64
7b27ee400dd...33.exe
windows10_x64
7b6559bb03a...99.exe
windows7_x64
8b6559bb03a...99.exe
windows10_x64
8b6c343fd90...6f.exe
windows7_x64
8b6c343fd90...6f.exe
windows10_x64
8cfc91db924...d1.exe
windows7_x64
8cfc91db924...d1.exe
windows10_x64
8e2bbb71fe6...c6.exe
windows7_x64
7e2bbb71fe6...c6.exe
windows10_x64
7fb812a3c96...ed.exe
windows7_x64
1fb812a3c96...ed.exe
windows10_x64
1Analysis
-
max time kernel
12s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-01-2021 02:13
Static task
static1
Behavioral task
behavioral1
Sample
146bcd0d720f43d289c66d3a3cdc77e5e5a3d924174ee1993ac6db2cb0ca8026.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral2
Sample
146bcd0d720f43d289c66d3a3cdc77e5e5a3d924174ee1993ac6db2cb0ca8026.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral3
Sample
21c3fb175492561c6527cdefc46fde66ba2bc11ca4b50edf887423654ab8b259.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral4
Sample
21c3fb175492561c6527cdefc46fde66ba2bc11ca4b50edf887423654ab8b259.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral5
Sample
2a800cff4584740ee43108e122f4797c455e5b6097774aeb33ebe666170b4968.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral6
Sample
2a800cff4584740ee43108e122f4797c455e5b6097774aeb33ebe666170b4968.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral7
Sample
332d5c33b76318e30c94601d5fcca3dfe49c0a4a7c9f444681785e80d7c882d0.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral8
Sample
332d5c33b76318e30c94601d5fcca3dfe49c0a4a7c9f444681785e80d7c882d0.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral9
Sample
3571d9db0064c7e2ec8d856e9b9bd80f30ea45a3dabd811176c80863a85205bb.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral10
Sample
3571d9db0064c7e2ec8d856e9b9bd80f30ea45a3dabd811176c80863a85205bb.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral11
Sample
42fe5221797668a788756bb9995792ff47ddcb1ec9582a0f325535bcef1fa078.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral12
Sample
42fe5221797668a788756bb9995792ff47ddcb1ec9582a0f325535bcef1fa078.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral13
Sample
4bb0c1eec232aac63365ee4b30b1b567025b020d62fcd2c1e8321f2408b2bfaf.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral14
Sample
4bb0c1eec232aac63365ee4b30b1b567025b020d62fcd2c1e8321f2408b2bfaf.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral15
Sample
9d1871a7a1315b8c535fa1b673a427640cb4e75b03f1616cdd677345e82dce26.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral16
Sample
9d1871a7a1315b8c535fa1b673a427640cb4e75b03f1616cdd677345e82dce26.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral17
Sample
a2d4e5d989f091cc30e88e850af43ba620c893946a891217c0322f0ff29c2926.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral18
Sample
a2d4e5d989f091cc30e88e850af43ba620c893946a891217c0322f0ff29c2926.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral19
Sample
aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral20
Sample
aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral21
Sample
b27ee400ddd033d6ee17b294ca0c9077c1ababe60c79ae3c7b0555179689d333.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral22
Sample
b27ee400ddd033d6ee17b294ca0c9077c1ababe60c79ae3c7b0555179689d333.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral23
Sample
b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral24
Sample
b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral25
Sample
b6c343fd90ce107bd1e0ea2fec6b5d3a33637f0a6daa251256a533e426aa796f.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral26
Sample
b6c343fd90ce107bd1e0ea2fec6b5d3a33637f0a6daa251256a533e426aa796f.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral27
Sample
cfc91db9240c75b636480e7dfaef4daaa754e787d2ecb32f55d74c5a20c9dfd1.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral28
Sample
cfc91db9240c75b636480e7dfaef4daaa754e787d2ecb32f55d74c5a20c9dfd1.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral29
Sample
e2bbb71fe65dd6ffb22fcb05e99a687711d3d429c22d512a2a49166b69ffe3c6.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral30
Sample
e2bbb71fe65dd6ffb22fcb05e99a687711d3d429c22d512a2a49166b69ffe3c6.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral31
Sample
fb812a3c965da5044860794686ce9656db3c37be16794ab7c771c32567514fed.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral32
Sample
fb812a3c965da5044860794686ce9656db3c37be16794ab7c771c32567514fed.exe
Resource
win10v20201028
windows10_x64
General
-
Target
b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4272 DTEPlanoWS.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DTEPlanoWS.lnk b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe -
Loads dropped DLL 9 IoCs
pid Process 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 4272 DTEPlanoWS.exe 4272 DTEPlanoWS.exe 4272 DTEPlanoWS.exe 4272 DTEPlanoWS.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini DTEPlanoWS.exe File opened for modification C:\Windows\assembly\Desktop.ini DTEPlanoWS.exe -
Drops file in Program Files directory 16 IoCs
description ioc Process File created C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe.config b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\WSClient.dll b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\DTEUtils.dll b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\FTPClient.dll b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\BOLETA.xsd b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File opened for modification C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.url b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\uninst.exe b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\ImprimirTicket.dll b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\FacturacionCLPrint_App.jar b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\SumatraPDF.exe b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\SIIPLANO.dll b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\Util\Config_linux.xml b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\sumatrapdfprefs.dat b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\Update.exe b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe File created C:\Program Files (x86)\DTEPlanoWS\Util\Config.xml b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly DTEPlanoWS.exe File created C:\Windows\assembly\Desktop.ini DTEPlanoWS.exe File opened for modification C:\Windows\assembly\Desktop.ini DTEPlanoWS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4272 DTEPlanoWS.exe 4272 DTEPlanoWS.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 4272 DTEPlanoWS.exe 4272 DTEPlanoWS.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4764 wrote to memory of 4272 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 75 PID 4764 wrote to memory of 4272 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 75 PID 4764 wrote to memory of 4272 4764 b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe 75 PID 4272 wrote to memory of 4200 4272 DTEPlanoWS.exe 76 PID 4272 wrote to memory of 4200 4272 DTEPlanoWS.exe 76 PID 4272 wrote to memory of 4200 4272 DTEPlanoWS.exe 76 PID 4200 wrote to memory of 1932 4200 csc.exe 78 PID 4200 wrote to memory of 1932 4200 csc.exe 78 PID 4200 wrote to memory of 1932 4200 csc.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe"C:\Users\Admin\AppData\Local\Temp\b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe"C:\Program Files (x86)\DTEPlanoWS\DTEPlanoWS.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fui4l3xo.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7863.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7862.tmp"4⤵PID:1932
-
-
-