5f26ba6ce5a487a3c9ec7663143f6d661c5500d0dd593274bd4ab6e78815d236

Analysis

max time kernel
60s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
25/01/2023, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uiso9_pe.exe
Size

4.9MB
MD5

5a2000a241a6947c060ee63425d7ebef
SHA1

d80bbe4769b5e00886797d6f7c30063031eb5699
SHA256

5f26ba6ce5a487a3c9ec7663143f6d661c5500d0dd593274bd4ab6e78815d236
SHA512

cf4155b56d878d1d4c8b18669d6aa700c626fa5b2f67719bb8b2f8378059003046f437ae223a7aef6336d95cb82eeeb057910a432c135bbc4d94619a8bbfde1a
SSDEEP

98304:JUj8/4MycvvCf9uOj5zXSdcrRsMZtuS0xbN0yjqnolKIMPgZrx/CpSSMD/zCDK8:Oj3MychOBXSdclsotcYyEGMPqrxo0zCP

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2244	uiso9_pe.tmp
956	isocmd.exe
216	UltraISO.exe
4664	FileDlg.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ = "C:\\Program Files (x86)\\UltraISO\\isoshl64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 4 IoCs

pid	Process
2732	regsvr32.exe
216	UltraISO.exe
216	UltraISO.exe
216	UltraISO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraISO\lang\is-D6RII.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-N86AU.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-7C5JT.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-924LN.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\Common Files\EZB Systems\is-QPIFN.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-OQ34N.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-3K4HF.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-QOT5T.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-DHPS7.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-0ROCF.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-EL5HI.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-ESDRQ.tmp	uiso9_pe.tmp
File opened for modification	C:\Program Files (x86)\UltraISO\unins000.dat	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-KKJIR.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-6PPPJ.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-175S3.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-G1I7O.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-JI2H4.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-9V93T.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-59IDV.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-J8HGF.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-9F78L.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-GR1RL.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-MJ6R0.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-2NMAL.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-IBCBH.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\unins000.dat	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-PG5E5.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-JFIP9.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-R9E09.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-66HTL.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-KC99E.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-I487Q.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-BRGN9.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-USI3T.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-BD351.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-H5SFC.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-P9BKA.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-UA23B.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-PE7RP.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-LOQ9G.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-I6HAA.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-GMK8F.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-DJ2TD.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-5BLIT.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-DADKN.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-MCE02.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-PBQ32.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-65LK5.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-JLFRH.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-UTAEH.tmp	uiso9_pe.tmp
File opened for modification	C:\Program Files (x86)\UltraISO\backup	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-PBRLP.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-I56RH.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-2I229.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-BRK05.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-3EMVA.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-O34QO.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-0HQ27.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-FDNDI.tmp	uiso9_pe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\DefaultIcon	uiso9_pe.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	FileDlg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	FileDlg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	FileDlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\ProgID\ = "ISOShell.UIContextMenu.1"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	FileDlg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	FileDlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1\ = "UIContextMenu Class"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	FileDlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\ = "UIContextMenu Class"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	FileDlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\Convert to ISO\command	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ = "C:\\Program Files (x86)\\UltraISO\\isoshl64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	FileDlg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	FileDlg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	FileDlg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	FileDlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\ = "Archivo UltraISO"	uiso9_pe.tmp
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	FileDlg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	FileDlg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	FileDlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	FileDlg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	FileDlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1\CLSID\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	FileDlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	FileDlg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	FileDlg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	FileDlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CurVer\ = "ISOShell.UIContextMenu.1"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FileDlg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	FileDlg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	FileDlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "UltraISO"	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "binimage"	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\ = "BIN File"	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\UltraISO\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UltraISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib\ = "{1CD46142-F3D3-4E46-87BA-7CC019142F9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin	uiso9_pe.tmp
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	FileDlg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	FileDlg.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
216	UltraISO.exe
4664	FileDlg.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4408	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2244	uiso9_pe.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4664	FileDlg.exe
4664	FileDlg.exe
4664	FileDlg.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 2244	4100	uiso9_pe.exe	79
PID 4100 wrote to memory of 2244	4100	uiso9_pe.exe	79
PID 4100 wrote to memory of 2244	4100	uiso9_pe.exe	79
PID 2244 wrote to memory of 2732	2244	uiso9_pe.tmp	82
PID 2244 wrote to memory of 2732	2244	uiso9_pe.tmp	82
PID 2244 wrote to memory of 956	2244	uiso9_pe.tmp	83
PID 2244 wrote to memory of 956	2244	uiso9_pe.tmp	83
PID 2244 wrote to memory of 956	2244	uiso9_pe.tmp	83
PID 2244 wrote to memory of 216	2244	uiso9_pe.tmp	86
PID 2244 wrote to memory of 216	2244	uiso9_pe.tmp	86
PID 2244 wrote to memory of 216	2244	uiso9_pe.tmp	86
PID 216 wrote to memory of 4664	216	UltraISO.exe	94
PID 216 wrote to memory of 4664	216	UltraISO.exe	94
PID 216 wrote to memory of 4664	216	UltraISO.exe	94

C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe
"C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\is-GK7PU.tmp\uiso9_pe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GK7PU.tmp\uiso9_pe.tmp" /SL5="$701C2,4629041,128512,C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\UltraISO\isoshl64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Modifies registry class
    PID:2732
- - C:\Program Files (x86)\UltraISO\drivers\isocmd.exe
    "C:\Program Files (x86)\UltraISO\drivers\isocmd.exe" -i
    3⤵
    - Executes dropped EXE
    PID:956
- - C:\Program Files (x86)\UltraISO\UltraISO.exe
    "C:\Program Files (x86)\UltraISO\UltraISO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Program Files (x86)\UltraISO\drivers\FileDlg.exe
      "C:\Program Files (x86)\UltraISO\drivers\FileDlg.exe" -o -m00
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x454 0x2b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll

Filesize
962KB

MD5
b9e34ae6d6ecb1e19b36dc70e7ef406c

SHA1
014985ed2dab57e606e08788fc9177220dd2aed1

SHA256
3b8817fad300fd729d28ca4895d9fb131cf64e699fe5de658ae44c6d056dace4

SHA512
d2360eb205a7f8feb9d45237f0190ef3b2444b22225bead9eedfe5301cac0601741a7d849033d3b2b5cd2a39496edc86e1d4d4444110bafefcf4a8922c6bbff2

Download Submit
C:\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll

Filesize
962KB

MD5
b9e34ae6d6ecb1e19b36dc70e7ef406c

SHA1
014985ed2dab57e606e08788fc9177220dd2aed1

SHA256
3b8817fad300fd729d28ca4895d9fb131cf64e699fe5de658ae44c6d056dace4

SHA512
d2360eb205a7f8feb9d45237f0190ef3b2444b22225bead9eedfe5301cac0601741a7d849033d3b2b5cd2a39496edc86e1d4d4444110bafefcf4a8922c6bbff2

Download Submit
C:\Program Files (x86)\UltraISO\UltraISO.exe

Filesize
5.2MB

MD5
63285e1d8a23ad23dd5b163feb715059

SHA1
67ee1910b3dd150a1297367dacdb4b272db01644

SHA256
116033b8e66845a6db4c97a134464254034228ad937e2610066e1b6a759018be

SHA512
d296a019aa558e7678188277e4e83fa451add9a9e3629e0a4665565764de26e6a9806feb6d69534308907556421c94cbc4c802db04f2cf87a3a1fb3765e09fe7

Download Submit
C:\Program Files (x86)\UltraISO\UltraISO.exe

Filesize
5.2MB

MD5
63285e1d8a23ad23dd5b163feb715059

SHA1
67ee1910b3dd150a1297367dacdb4b272db01644

SHA256
116033b8e66845a6db4c97a134464254034228ad937e2610066e1b6a759018be

SHA512
d296a019aa558e7678188277e4e83fa451add9a9e3629e0a4665565764de26e6a9806feb6d69534308907556421c94cbc4c802db04f2cf87a3a1fb3765e09fe7

Download Submit
C:\Program Files (x86)\UltraISO\drivers\FileDlg.exe

Filesize
83KB

MD5
b1cd3f9e805d2225133ba99ca93d34bc

SHA1
44d16b2677eec775b99ac6c85a6a7f533e0d5550

SHA256
2fa5c3457aacb299886d27254a5da71d4b7715c41ed57f10a492b48e8f8f37c5

SHA512
1efdeec7194bd99697e27c1fa042a728ee3acc6e048ac0e1ce47ca21994ea4907c6ce901cfa8c757e08c06719da12171168d6f10d5b8f20c1d8942c49a3fb3a4

Download Submit
C:\Program Files (x86)\UltraISO\drivers\FileDlg.exe

Filesize
83KB

MD5
b1cd3f9e805d2225133ba99ca93d34bc

SHA1
44d16b2677eec775b99ac6c85a6a7f533e0d5550

SHA256
2fa5c3457aacb299886d27254a5da71d4b7715c41ed57f10a492b48e8f8f37c5

SHA512
1efdeec7194bd99697e27c1fa042a728ee3acc6e048ac0e1ce47ca21994ea4907c6ce901cfa8c757e08c06719da12171168d6f10d5b8f20c1d8942c49a3fb3a4

Download Submit
C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys

Filesize
132KB

MD5
bc81814b594286bef9913ec5ca1110d7

SHA1
523fc3b657fd3fb493e0fb14c0bbf39813d1e558

SHA256
9c22b6f77e929d319c5e891ee1510045dc5f486bdaf47a0696564d4d84d30379

SHA512
2b65dc57a4c83c1ef243396dabf15cf53faa145bd073ac89dbf9104519e7a2b97a303c96acfdbc992e9ac19efbe65b143dd27bb6c9f7ad3e76c5eacb1b9a1889

Download Submit
C:\Program Files (x86)\UltraISO\drivers\IsoCmd.exe

Filesize
28KB

MD5
55677a521dd34ce7a93ab3f1d12b2dfd

SHA1
4316dd2b5e4ebb48886955ec5365b2f40d4298b3

SHA256
fc506cb2ce0fa9a994db2e29a595f818fe93cae93dd2f8cca6f4b40944907c5c

SHA512
e4e05c49701865ba349f4c037c96539cfd3da1f8cd97f9668474ca50a50db0a50e59e7f21f7e0fbc44ca1f79f7cdb529f82bc70b2a7a34e861bb5350ee783dcc

Download Submit
C:\Program Files (x86)\UltraISO\drivers\isocmd.exe

Filesize
28KB

MD5
55677a521dd34ce7a93ab3f1d12b2dfd

SHA1
4316dd2b5e4ebb48886955ec5365b2f40d4298b3

SHA256
fc506cb2ce0fa9a994db2e29a595f818fe93cae93dd2f8cca6f4b40944907c5c

SHA512
e4e05c49701865ba349f4c037c96539cfd3da1f8cd97f9668474ca50a50db0a50e59e7f21f7e0fbc44ca1f79f7cdb529f82bc70b2a7a34e861bb5350ee783dcc

Download Submit
C:\Program Files (x86)\UltraISO\isoshl64.dll

Filesize
151KB

MD5
c0fc6c67bd9d9fbc4f8ad44232d49d11

SHA1
e5ad2b56cc20652401ee5c60fe118cf3fb474a7b

SHA256
50df2e7ba2ab1892dd1e8c03be51a1dfa9c1ecc501d5166cd5e69badb4a8c503

SHA512
74bc8d2d93c870f0449582b6de60ade9b0322a5cca945beac8842ccd4577569ea97a7089163dcff8b0115ebbaf2ae75d09ae5214efcb8ea6902c80a2cc0e5586

Download Submit
C:\Program Files (x86)\UltraISO\isoshl64.dll

Filesize
151KB

MD5
c0fc6c67bd9d9fbc4f8ad44232d49d11

SHA1
e5ad2b56cc20652401ee5c60fe118cf3fb474a7b

SHA256
50df2e7ba2ab1892dd1e8c03be51a1dfa9c1ecc501d5166cd5e69badb4a8c503

SHA512
74bc8d2d93c870f0449582b6de60ade9b0322a5cca945beac8842ccd4577569ea97a7089163dcff8b0115ebbaf2ae75d09ae5214efcb8ea6902c80a2cc0e5586

Download Submit
C:\Program Files (x86)\UltraISO\lang\lang_es.dll

Filesize
97KB

MD5
ec7a301cfad8f58bebe45d61f2943b07

SHA1
92762f1d791231e587fbde2b0a48170fe5189965

SHA256
7ce977e96f7b52367ed4219077a986db6e08d617067829d2836f2d80d70920af

SHA512
f3fef24763a31864228cec64d933585dc71db33f49fcff6a90796798708c1980c9d1910f084762da1cb9173905a67f8f511af7fe76ca01058e828fa133f98700

Download Submit
C:\Program Files (x86)\UltraISO\lang\lang_es.dll

Filesize
97KB

MD5
ec7a301cfad8f58bebe45d61f2943b07

SHA1
92762f1d791231e587fbde2b0a48170fe5189965

SHA256
7ce977e96f7b52367ed4219077a986db6e08d617067829d2836f2d80d70920af

SHA512
f3fef24763a31864228cec64d933585dc71db33f49fcff6a90796798708c1980c9d1910f084762da1cb9173905a67f8f511af7fe76ca01058e828fa133f98700

Download Submit
C:\Program Files (x86)\UltraISO\lang\lang_es.dll

Filesize
97KB

MD5
ec7a301cfad8f58bebe45d61f2943b07

SHA1
92762f1d791231e587fbde2b0a48170fe5189965

SHA256
7ce977e96f7b52367ed4219077a986db6e08d617067829d2836f2d80d70920af

SHA512
f3fef24763a31864228cec64d933585dc71db33f49fcff6a90796798708c1980c9d1910f084762da1cb9173905a67f8f511af7fe76ca01058e828fa133f98700

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GK7PU.tmp\uiso9_pe.tmp

Filesize
771KB

MD5
3de2992c86c78e781881e9c0db26a32f

SHA1
c26845ca7319a66432304a955cecdad4f977d040

SHA256
e9700438d88e5a5f54d6940a4129477e943dcd4b95b006d0b38ef1e2a566a642

SHA512
88d318e3265ac733408836592f87349a7bd2be1ae34e92ef7bd302926ff69b4a072300d5eac07cffdf91929b24ae08818c7cfb42cc825afaacd29250f7cae6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GK7PU.tmp\uiso9_pe.tmp

Filesize
771KB

MD5
3de2992c86c78e781881e9c0db26a32f

SHA1
c26845ca7319a66432304a955cecdad4f977d040

SHA256
e9700438d88e5a5f54d6940a4129477e943dcd4b95b006d0b38ef1e2a566a642

SHA512
88d318e3265ac733408836592f87349a7bd2be1ae34e92ef7bd302926ff69b4a072300d5eac07cffdf91929b24ae08818c7cfb42cc825afaacd29250f7cae6a6

Download Submit
memory/216-152-0x0000000003C10000-0x0000000003C2A000-memory.dmp

Filesize
104KB

Download
memory/4100-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4100-153-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4100-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4100-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download