Analysis
- max time kernel: 147s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2023 07:19
Static task: static1
Behavioral task: behavioral1 (Sample: UltraISO.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: UltraISO.exe; Resource: win10v2004-20230220-en)
General
- Target: UltraISO.exe
- Size: 1.7MB
- MD5: e02b19ffd838eea083e9e8a83d516229
- SHA1: 1087c0bdc828bb8e273afc4deece67a4138d2780
- SHA256: bc933697f2994c62e44b6faba9cb91eb5093b62db77ec02d6c27483b39d6b196
- SHA512: d04e0a72fcff1a2a1bf9aa02985ef95547b223e80ea30ad7a163f1dde7b17b543b1bb92c2bea284f58d8d0914535ec9da45fe123b52f2611656b2f54ad395641
- SSDEEP: 49152:9e7Dnx9jsnQZSCXboOsg1RfKa4jeIPYM0:Q7d+nQZSCrZ1RfgeE2
Malware Config
Signatures
-
Processes (resource | yara_rule):
\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe | aspack_v212_v242
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe | aspack_v212_v242
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe | aspack_v212_v242
\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe | aspack_v212_v242
-
Executes dropped EXE (3 IoCs)
Processes (pid | process):
916 | IsoCmd.exe
1868 | IsoCmd.exe
1796 | UltraISO.exe
-
Loads dropped DLL (9 IoCs)
Processes (pid | process):
1668 | UltraISO.exe
760 | cmd.exe
760 | cmd.exe
1668 | UltraISO.exe
1668 | UltraISO.exe
1096 | cmd.exe
1668 | UltraISO.exe
1668 | UltraISO.exe
1668 | UltraISO.exe
-
Drops file in Program Files directory (1 IoCs)
Processes (description | ioc | process):
File created | C:\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll | UltraISO.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
1796 | UltraISO.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description | pid | process):
Token: 33 | 792 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 792 | AUDIODG.EXE
Token: 33 | 792 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 792 | AUDIODG.EXE
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description | pid | process | target process):
PID 1668 wrote to memory of 760 | 1668 | UltraISO.exe | cmd.exe
PID 1668 wrote to memory of 760 | 1668 | UltraISO.exe | cmd.exe
PID 1668 wrote to memory of 760 | 1668 | UltraISO.exe | cmd.exe
PID 1668 wrote to memory of 760 | 1668 | UltraISO.exe | cmd.exe
PID 760 wrote to memory of 916 | 760 | cmd.exe | IsoCmd.exe
PID 760 wrote to memory of 916 | 760 | cmd.exe | IsoCmd.exe
PID 760 wrote to memory of 916 | 760 | cmd.exe | IsoCmd.exe
PID 760 wrote to memory of 916 | 760 | cmd.exe | IsoCmd.exe
PID 1668 wrote to memory of 1096 | 1668 | UltraISO.exe | cmd.exe
PID 1668 wrote to memory of 1096 | 1668 | UltraISO.exe | cmd.exe
PID 1668 wrote to memory of 1096 | 1668 | UltraISO.exe | cmd.exe
PID 1668 wrote to memory of 1096 | 1668 | UltraISO.exe | cmd.exe
PID 1096 wrote to memory of 1868 | 1096 | cmd.exe | IsoCmd.exe
PID 1096 wrote to memory of 1868 | 1096 | cmd.exe | IsoCmd.exe
PID 1096 wrote to memory of 1868 | 1096 | cmd.exe | IsoCmd.exe
PID 1096 wrote to memory of 1868 | 1096 | cmd.exe | IsoCmd.exe
PID 1668 wrote to memory of 1796 | 1668 | UltraISO.exe | UltraISO.exe
PID 1668 wrote to memory of 1796 | 1668 | UltraISO.exe | UltraISO.exe
PID 1668 wrote to memory of 1796 | 1668 | UltraISO.exe | UltraISO.exe
PID 1668 wrote to memory of 1796 | 1668 | UltraISO.exe | UltraISO.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\UltraISO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UltraISO.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -i
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Child processes:
    -
    C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
      Command line: C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -i
      Signatures:
      - Executes dropped EXE
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -s
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Child processes:
    -
    C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
      Command line: C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -s
      Signatures:
      - Executes dropped EXE
  -
  C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
    Command line: C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x578
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsdB59.tmp\ExecCmd.dll
Filesize: 4KB
MD5: b9380b0bea8854fd9f93cc1fda0dfeac
SHA1: edb8d58074e098f7b5f0d158abedc7fc53638618
SHA256: 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
SHA512: 45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c
-
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
Filesize: 1.1MB
MD5: 7fddd114d33c2e2a8f98dc3117d29666
SHA1: 4a6c74cfca4cfb493a13cbe9470ab28c4d596583
SHA256: 6da8342e626ce8181d753a80e461f068562271042a953f34bc93314ceffc40b1
SHA512: 43acb6894125ec19cf507466e7305d3f195672a0d3e5a71c1a88b3a9adfab57d1b2f3264fe4a070e93c29a60e9f1d19444307a4a174ea72700b271a46af9d823
-
C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize: 20KB
MD5: 70c3729e1a3558909566344ebb45fd4a
SHA1: 825157cf4165736820a979be410d6bd1d60a3274
SHA256: c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e
SHA512: 5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3
-
C:\Users\Admin\AppData\Roaming\UltraISO\uikey.ini
Filesize: 51B
MD5: 9949e48c88eda86f558ef6d39e1c2a7c
SHA1: 7e9fff5e2ebfd49e8b56ad352c05678afeca4c41
SHA256: a46a6fdf049f50843b59f3c9dc4289f050ff44349131762a80c3980f4fcbc9d9
SHA512: a2bacfcf9a9d255bd7832a2f405dfed8603aec4785c7cce62de920bdfdd7057edf1db2485cad8a7f6f587beb7e9ef7af75fb5269cb38d2fd7da0a975238fdf5c
-
C:\Users\Admin\AppData\Roaming\UltraISO\ultraiso.ini
Filesize: 1KB
MD5: fc3bad7de95c67bcb246630a7f15cec8
SHA1: 20b2f7afc0be34dc26b051ac8437f8eb17e7e1fa
SHA256: da65c6109ed59670a2e4e06a3325919b01ce37ee77de18b051329b3f51f50890
SHA512: d5b40577854776a064cdafb9dd991a435638fdcb1be0e438cffb8a5222dbab1eb152abed54a7b6e9b72b318702e73028b3da377f3fc493c76201a5295cf87283
-
\Users\Admin\AppData\Local\Temp\nsdB59.tmp\ExecCmd.dll
Filesize: 4KB
MD5: b9380b0bea8854fd9f93cc1fda0dfeac
SHA1: edb8d58074e098f7b5f0d158abedc7fc53638618
SHA256: 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
SHA512: 45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c
-
\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
Filesize: 1.1MB
MD5: 7fddd114d33c2e2a8f98dc3117d29666
SHA1: 4a6c74cfca4cfb493a13cbe9470ab28c4d596583
SHA256: 6da8342e626ce8181d753a80e461f068562271042a953f34bc93314ceffc40b1
SHA512: 43acb6894125ec19cf507466e7305d3f195672a0d3e5a71c1a88b3a9adfab57d1b2f3264fe4a070e93c29a60e9f1d19444307a4a174ea72700b271a46af9d823
-
\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize: 20KB
MD5: 70c3729e1a3558909566344ebb45fd4a
SHA1: 825157cf4165736820a979be410d6bd1d60a3274
SHA256: c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e
SHA512: 5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3
-
memory/1668-101-0x0000000004480000-0x0000000004CA0000-memory.dmp
Filesize: 8.1MB
-
memory/1668-102-0x0000000004480000-0x0000000004CA0000-memory.dmp
Filesize: 8.1MB
-
memory/1796-103-0x0000000000400000-0x0000000000C20000-memory.dmp
Filesize: 8.1MB
-
memory/1796-104-0x00000000001D0000-0x00000000001D1000-memory.dmp
Filesize: 4KB
-
memory/1796-106-0x0000000003500000-0x0000000003501000-memory.dmp
Filesize: 4KB
-
memory/1796-107-0x0000000000400000-0x0000000000C20000-memory.dmp
Filesize: 8.1MB