5f26ba6ce5a487a3c9ec7663143f6d661c5500d0dd593274bd4ab6e78815d236

Analysis

max time kernel
40s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/02/2023, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uiso9_pe.exe
Size

4.9MB
MD5

5a2000a241a6947c060ee63425d7ebef
SHA1

d80bbe4769b5e00886797d6f7c30063031eb5699
SHA256

5f26ba6ce5a487a3c9ec7663143f6d661c5500d0dd593274bd4ab6e78815d236
SHA512

cf4155b56d878d1d4c8b18669d6aa700c626fa5b2f67719bb8b2f8378059003046f437ae223a7aef6336d95cb82eeeb057910a432c135bbc4d94619a8bbfde1a
SSDEEP

98304:JUj8/4MycvvCf9uOj5zXSdcrRsMZtuS0xbN0yjqnolKIMPgZrx/CpSSMD/zCDK8:Oj3MychOBXSdclsotcYyEGMPqrxo0zCP

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
944	uiso9_pe.tmp
852	isocmd.exe
1824	UltraISO.exe

Loads dropped DLL 9 IoCs

pid	Process
1724	uiso9_pe.exe
944	uiso9_pe.tmp
944	uiso9_pe.tmp
944	uiso9_pe.tmp
1380	regsvr32.exe
944	uiso9_pe.tmp
944	uiso9_pe.tmp
944	uiso9_pe.tmp
1824	UltraISO.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ = "C:\\Program Files (x86)\\UltraISO\\isoshl64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraISO\is-LLIAI.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-UKLH5.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-GFN98.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-GIP5M.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-5RUBF.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-DEIRO.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-M4NQP.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-AG2TL.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\Common Files\EZB Systems\is-A29QU.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-BUPAH.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-785TP.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-R5VQJ.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\unins000.dat	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-4N7OF.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-F0Q75.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-7KLLU.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-OTDFD.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-KAA2S.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-TQT28.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-9FMFQ.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-38CI4.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-HNODH.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-COKQE.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-H5FCC.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-SSLHL.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-098H8.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-GNOQ2.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-N378D.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-PT0QL.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-VQMCF.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-VD69R.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-UGVQ2.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-L6KBS.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-2BIMT.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-AUNU9.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-VRU65.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-JJ8LU.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-EP9C0.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-FJ7IE.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-KDC8P.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-4BP33.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-OSSKK.tmp	uiso9_pe.tmp
File opened for modification	C:\Program Files (x86)\UltraISO\backup	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-Q8T08.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-1HPQP.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-RR8B9.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-9S88E.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-8VQAM.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-8IMA2.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-RJELI.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-1O0J1.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-J1I79.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-325H1.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-LABKU.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-N237T.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-A2O0O.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\is-ELK4T.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-PBGUA.tmp	uiso9_pe.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-P2MA1.tmp	uiso9_pe.tmp
File opened for modification	C:\Program Files (x86)\UltraISO\unins000.dat	uiso9_pe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\Convert to ISO	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ui	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\DefaultIcon	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\open\command\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\" \"%1\""	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UltraISO\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\UltraISO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ = "IUIContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\open	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib\ = "{1CD46142-F3D3-4E46-87BA-7CC019142F9D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shellex\ContextMenuHandlers\ISOShell\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CurVer\ = "ISOShell.UIContextMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\open\command	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\VersionIndependentProgID\ = "ISOShell.UIContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\Convert to ISO\command\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\" -bin2iso \"%1\""	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shellex\ContextMenuHandlers\ISOShell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1\CLSID\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\ProgID\ = "ISOShell.UIContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\ = "ISOShell 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\UltraISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz\ = "UltraISO"	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\ = "UltraISO File"	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\ = "Open with &UltraISO"	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "binimage"	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UltraISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1\ = "UIContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CLSID\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\DefaultIcon\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\",0"	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\UltraISO\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shellex\ContextMenuHandlers\ISOShell\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\command	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\DefaultIcon\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\",0"	uiso9_pe.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\command\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\" \"%1\""	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO	uiso9_pe.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell	uiso9_pe.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1824	UltraISO.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1804	AUDIODG.EXE
Token: 33	1804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1804	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
944	uiso9_pe.tmp

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 944	1724	uiso9_pe.exe	28
PID 1724 wrote to memory of 944	1724	uiso9_pe.exe	28
PID 1724 wrote to memory of 944	1724	uiso9_pe.exe	28
PID 1724 wrote to memory of 944	1724	uiso9_pe.exe	28
PID 1724 wrote to memory of 944	1724	uiso9_pe.exe	28
PID 1724 wrote to memory of 944	1724	uiso9_pe.exe	28
PID 1724 wrote to memory of 944	1724	uiso9_pe.exe	28
PID 944 wrote to memory of 1380	944	uiso9_pe.tmp	29
PID 944 wrote to memory of 1380	944	uiso9_pe.tmp	29
PID 944 wrote to memory of 1380	944	uiso9_pe.tmp	29
PID 944 wrote to memory of 1380	944	uiso9_pe.tmp	29
PID 944 wrote to memory of 1380	944	uiso9_pe.tmp	29
PID 944 wrote to memory of 1380	944	uiso9_pe.tmp	29
PID 944 wrote to memory of 1380	944	uiso9_pe.tmp	29
PID 944 wrote to memory of 852	944	uiso9_pe.tmp	31
PID 944 wrote to memory of 852	944	uiso9_pe.tmp	31
PID 944 wrote to memory of 852	944	uiso9_pe.tmp	31
PID 944 wrote to memory of 852	944	uiso9_pe.tmp	31
PID 944 wrote to memory of 2044	944	uiso9_pe.tmp	33
PID 944 wrote to memory of 2044	944	uiso9_pe.tmp	33
PID 944 wrote to memory of 2044	944	uiso9_pe.tmp	33
PID 944 wrote to memory of 2044	944	uiso9_pe.tmp	33
PID 944 wrote to memory of 1824	944	uiso9_pe.tmp	34
PID 944 wrote to memory of 1824	944	uiso9_pe.tmp	34
PID 944 wrote to memory of 1824	944	uiso9_pe.tmp	34
PID 944 wrote to memory of 1824	944	uiso9_pe.tmp	34

C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe
"C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\is-OJHFP.tmp\uiso9_pe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OJHFP.tmp\uiso9_pe.tmp" /SL5="$70126,4629041,128512,C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\UltraISO\isoshl64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1380
- - C:\Program Files (x86)\UltraISO\drivers\isocmd.exe
    "C:\Program Files (x86)\UltraISO\drivers\isocmd.exe" -i
    3⤵
    - Executes dropped EXE
    PID:852
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\UltraISO\Readme.txt
    3⤵
    PID:2044
- - C:\Program Files (x86)\UltraISO\UltraISO.exe
    "C:\Program Files (x86)\UltraISO\UltraISO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll

Filesize
962KB

MD5
b9e34ae6d6ecb1e19b36dc70e7ef406c

SHA1
014985ed2dab57e606e08788fc9177220dd2aed1

SHA256
3b8817fad300fd729d28ca4895d9fb131cf64e699fe5de658ae44c6d056dace4

SHA512
d2360eb205a7f8feb9d45237f0190ef3b2444b22225bead9eedfe5301cac0601741a7d849033d3b2b5cd2a39496edc86e1d4d4444110bafefcf4a8922c6bbff2

Download Submit
C:\Program Files (x86)\UltraISO\Readme.txt

Filesize
2KB

MD5
bff30d893fc39cf16544a3ae18e72d33

SHA1
027219b92ade452de2757d5460618a73c3ab7aa7

SHA256
904e402e59d1b093378516064bffb2a7d06fb53c1422615724292640cb2f7c0a

SHA512
f56cc68b15b0e17fa15e4d8cf4c22995a2a3dc46c2201143fa86195088a64fa2c3b54d587b481d1f219ea894c1e09d9ecd254f2189dede94bdb7a6d4348a6945

Download Submit
C:\Program Files (x86)\UltraISO\UltraISO.exe

Filesize
5.2MB

MD5
63285e1d8a23ad23dd5b163feb715059

SHA1
67ee1910b3dd150a1297367dacdb4b272db01644

SHA256
116033b8e66845a6db4c97a134464254034228ad937e2610066e1b6a759018be

SHA512
d296a019aa558e7678188277e4e83fa451add9a9e3629e0a4665565764de26e6a9806feb6d69534308907556421c94cbc4c802db04f2cf87a3a1fb3765e09fe7

Download Submit
C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys

Filesize
112KB

MD5
e489d12ff435aeef4a5474c47d329590

SHA1
17c353b5748ecd3e8eedd9de347da313085087dc

SHA256
66a01f63ee4f66c0cd5bb9bf20e1722d57cc8252ac126780800806b536f4cea9

SHA512
26582a140080e64d7f46b83435a8f2444c509e6a5dfaa1fd4adc190824daecfc5464e56ca89cb0518bcec780a1a16700199e567543cea32f32c5ca3e47add2fc

Download Submit
C:\Program Files (x86)\UltraISO\drivers\IsoCmd.exe

Filesize
28KB

MD5
55677a521dd34ce7a93ab3f1d12b2dfd

SHA1
4316dd2b5e4ebb48886955ec5365b2f40d4298b3

SHA256
fc506cb2ce0fa9a994db2e29a595f818fe93cae93dd2f8cca6f4b40944907c5c

SHA512
e4e05c49701865ba349f4c037c96539cfd3da1f8cd97f9668474ca50a50db0a50e59e7f21f7e0fbc44ca1f79f7cdb529f82bc70b2a7a34e861bb5350ee783dcc

Download Submit
C:\Program Files (x86)\UltraISO\isoshl64.dll

Filesize
151KB

MD5
c0fc6c67bd9d9fbc4f8ad44232d49d11

SHA1
e5ad2b56cc20652401ee5c60fe118cf3fb474a7b

SHA256
50df2e7ba2ab1892dd1e8c03be51a1dfa9c1ecc501d5166cd5e69badb4a8c503

SHA512
74bc8d2d93c870f0449582b6de60ade9b0322a5cca945beac8842ccd4577569ea97a7089163dcff8b0115ebbaf2ae75d09ae5214efcb8ea6902c80a2cc0e5586

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OJHFP.tmp\uiso9_pe.tmp

Filesize
771KB

MD5
3de2992c86c78e781881e9c0db26a32f

SHA1
c26845ca7319a66432304a955cecdad4f977d040

SHA256
e9700438d88e5a5f54d6940a4129477e943dcd4b95b006d0b38ef1e2a566a642

SHA512
88d318e3265ac733408836592f87349a7bd2be1ae34e92ef7bd302926ff69b4a072300d5eac07cffdf91929b24ae08818c7cfb42cc825afaacd29250f7cae6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OJHFP.tmp\uiso9_pe.tmp

Filesize
771KB

MD5
3de2992c86c78e781881e9c0db26a32f

SHA1
c26845ca7319a66432304a955cecdad4f977d040

SHA256
e9700438d88e5a5f54d6940a4129477e943dcd4b95b006d0b38ef1e2a566a642

SHA512
88d318e3265ac733408836592f87349a7bd2be1ae34e92ef7bd302926ff69b4a072300d5eac07cffdf91929b24ae08818c7cfb42cc825afaacd29250f7cae6a6

Download Submit
\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll

Filesize
962KB

MD5
b9e34ae6d6ecb1e19b36dc70e7ef406c

SHA1
014985ed2dab57e606e08788fc9177220dd2aed1

SHA256
3b8817fad300fd729d28ca4895d9fb131cf64e699fe5de658ae44c6d056dace4

SHA512
d2360eb205a7f8feb9d45237f0190ef3b2444b22225bead9eedfe5301cac0601741a7d849033d3b2b5cd2a39496edc86e1d4d4444110bafefcf4a8922c6bbff2

Download Submit
\Program Files (x86)\UltraISO\UltraISO.exe

Filesize
5.2MB

MD5
63285e1d8a23ad23dd5b163feb715059

SHA1
67ee1910b3dd150a1297367dacdb4b272db01644

SHA256
116033b8e66845a6db4c97a134464254034228ad937e2610066e1b6a759018be

SHA512
d296a019aa558e7678188277e4e83fa451add9a9e3629e0a4665565764de26e6a9806feb6d69534308907556421c94cbc4c802db04f2cf87a3a1fb3765e09fe7

Download Submit
\Program Files (x86)\UltraISO\UltraISO.exe

Filesize
5.2MB

MD5
63285e1d8a23ad23dd5b163feb715059

SHA1
67ee1910b3dd150a1297367dacdb4b272db01644

SHA256
116033b8e66845a6db4c97a134464254034228ad937e2610066e1b6a759018be

SHA512
d296a019aa558e7678188277e4e83fa451add9a9e3629e0a4665565764de26e6a9806feb6d69534308907556421c94cbc4c802db04f2cf87a3a1fb3765e09fe7

Download Submit
\Program Files (x86)\UltraISO\UltraISO.exe

Filesize
5.2MB

MD5
63285e1d8a23ad23dd5b163feb715059

SHA1
67ee1910b3dd150a1297367dacdb4b272db01644

SHA256
116033b8e66845a6db4c97a134464254034228ad937e2610066e1b6a759018be

SHA512
d296a019aa558e7678188277e4e83fa451add9a9e3629e0a4665565764de26e6a9806feb6d69534308907556421c94cbc4c802db04f2cf87a3a1fb3765e09fe7

Download Submit
\Program Files (x86)\UltraISO\drivers\IsoCmd.exe

Filesize
28KB

MD5
55677a521dd34ce7a93ab3f1d12b2dfd

SHA1
4316dd2b5e4ebb48886955ec5365b2f40d4298b3

SHA256
fc506cb2ce0fa9a994db2e29a595f818fe93cae93dd2f8cca6f4b40944907c5c

SHA512
e4e05c49701865ba349f4c037c96539cfd3da1f8cd97f9668474ca50a50db0a50e59e7f21f7e0fbc44ca1f79f7cdb529f82bc70b2a7a34e861bb5350ee783dcc

Download Submit
\Program Files (x86)\UltraISO\drivers\IsoCmd.exe

Filesize
28KB

MD5
55677a521dd34ce7a93ab3f1d12b2dfd

SHA1
4316dd2b5e4ebb48886955ec5365b2f40d4298b3

SHA256
fc506cb2ce0fa9a994db2e29a595f818fe93cae93dd2f8cca6f4b40944907c5c

SHA512
e4e05c49701865ba349f4c037c96539cfd3da1f8cd97f9668474ca50a50db0a50e59e7f21f7e0fbc44ca1f79f7cdb529f82bc70b2a7a34e861bb5350ee783dcc

Download Submit
\Program Files (x86)\UltraISO\isoshl64.dll

Filesize
151KB

MD5
c0fc6c67bd9d9fbc4f8ad44232d49d11

SHA1
e5ad2b56cc20652401ee5c60fe118cf3fb474a7b

SHA256
50df2e7ba2ab1892dd1e8c03be51a1dfa9c1ecc501d5166cd5e69badb4a8c503

SHA512
74bc8d2d93c870f0449582b6de60ade9b0322a5cca945beac8842ccd4577569ea97a7089163dcff8b0115ebbaf2ae75d09ae5214efcb8ea6902c80a2cc0e5586

Download Submit
\Program Files (x86)\UltraISO\unins000.exe

Filesize
782KB

MD5
f92f7190cab7f80cbd7f5e419c27e37d

SHA1
8b26411b33a8727353ac615c11acdfebc34fad80

SHA256
82190e1bfe62f4549f3ca2dd76261cc6213968d4f599349d3b07274499223ece

SHA512
922ead325d49738ecd3ad93aec573649da5a9082892aeeb63cfdaa0f0c5141844a86bae666b3279303b0b1684e93433b62f734c52c77c94633bd6a508f7480dc

Download Submit
\Users\Admin\AppData\Local\Temp\is-OJHFP.tmp\uiso9_pe.tmp

Filesize
771KB

MD5
3de2992c86c78e781881e9c0db26a32f

SHA1
c26845ca7319a66432304a955cecdad4f977d040

SHA256
e9700438d88e5a5f54d6940a4129477e943dcd4b95b006d0b38ef1e2a566a642

SHA512
88d318e3265ac733408836592f87349a7bd2be1ae34e92ef7bd302926ff69b4a072300d5eac07cffdf91929b24ae08818c7cfb42cc825afaacd29250f7cae6a6

Download Submit
memory/944-62-0x00000000744F1000-0x00000000744F3000-memory.dmp

Filesize
8KB

Download
memory/1380-68-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1724-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1724-83-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download