bc933697f2994c62e44b6faba9cb91eb5093b62db77ec02d6c27483b39d6b196

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UltraISO.exe
Size

1.7MB
MD5

e02b19ffd838eea083e9e8a83d516229
SHA1

1087c0bdc828bb8e273afc4deece67a4138d2780
SHA256

bc933697f2994c62e44b6faba9cb91eb5093b62db77ec02d6c27483b39d6b196
SHA512

d04e0a72fcff1a2a1bf9aa02985ef95547b223e80ea30ad7a163f1dde7b17b543b1bb92c2bea284f58d8d0914535ec9da45fe123b52f2611656b2f54ad395641
SSDEEP

49152:9e7Dnx9jsnQZSCXboOsg1RfKa4jeIPYM0:Q7d+nQZSCrZ1RfgeE2

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe	aspack_v212_v242
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe	aspack_v212_v242
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe	aspack_v212_v242
\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

IsoCmd.exeIsoCmd.exeUltraISO.exe

pid process

916 IsoCmd.exe
1868 IsoCmd.exe
1796 UltraISO.exe
Loads dropped DLL 9 IoCs

Processes:

UltraISO.execmd.execmd.exe

pid process

1668 UltraISO.exe
760 cmd.exe
760 cmd.exe
1668 UltraISO.exe
1668 UltraISO.exe
1096 cmd.exe
1668 UltraISO.exe
1668 UltraISO.exe
1668 UltraISO.exe
Drops file in Program Files directory 1 IoCs

Processes:

UltraISO.exe

description ioc process

File created C:\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll UltraISO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UltraISO.exe

pid process

1796 UltraISO.exe

pid	process
916	IsoCmd.exe
1868	IsoCmd.exe
1796	UltraISO.exe

pid	process
1668	UltraISO.exe
760	cmd.exe
760	cmd.exe
1668	UltraISO.exe
1668	UltraISO.exe
1096	cmd.exe
1668	UltraISO.exe
1668	UltraISO.exe
1668	UltraISO.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll	UltraISO.exe

pid	process
1796	UltraISO.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	792	AUDIODG.EXE
Token: 33	792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	792	AUDIODG.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

UltraISO.execmd.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 760	1668	UltraISO.exe	cmd.exe
PID 1668 wrote to memory of 760	1668	UltraISO.exe	cmd.exe
PID 1668 wrote to memory of 760	1668	UltraISO.exe	cmd.exe
PID 1668 wrote to memory of 760	1668	UltraISO.exe	cmd.exe
PID 760 wrote to memory of 916	760	cmd.exe	IsoCmd.exe
PID 760 wrote to memory of 916	760	cmd.exe	IsoCmd.exe
PID 760 wrote to memory of 916	760	cmd.exe	IsoCmd.exe
PID 760 wrote to memory of 916	760	cmd.exe	IsoCmd.exe
PID 1668 wrote to memory of 1096	1668	UltraISO.exe	cmd.exe
PID 1668 wrote to memory of 1096	1668	UltraISO.exe	cmd.exe
PID 1668 wrote to memory of 1096	1668	UltraISO.exe	cmd.exe
PID 1668 wrote to memory of 1096	1668	UltraISO.exe	cmd.exe
PID 1096 wrote to memory of 1868	1096	cmd.exe	IsoCmd.exe
PID 1096 wrote to memory of 1868	1096	cmd.exe	IsoCmd.exe
PID 1096 wrote to memory of 1868	1096	cmd.exe	IsoCmd.exe
PID 1096 wrote to memory of 1868	1096	cmd.exe	IsoCmd.exe
PID 1668 wrote to memory of 1796	1668	UltraISO.exe	UltraISO.exe
PID 1668 wrote to memory of 1796	1668	UltraISO.exe	UltraISO.exe
PID 1668 wrote to memory of 1796	1668	UltraISO.exe	UltraISO.exe
PID 1668 wrote to memory of 1796	1668	UltraISO.exe	UltraISO.exe

C:\Users\Admin\AppData\Local\Temp\UltraISO.exe
"C:\Users\Admin\AppData\Local\Temp\UltraISO.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -i
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -i
3⤵
- Executes dropped EXE
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -s
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe -s
3⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdB59.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
Filesize
1.1MB

MD5
7fddd114d33c2e2a8f98dc3117d29666

SHA1
4a6c74cfca4cfb493a13cbe9470ab28c4d596583

SHA256
6da8342e626ce8181d753a80e461f068562271042a953f34bc93314ceffc40b1

SHA512
43acb6894125ec19cf507466e7305d3f195672a0d3e5a71c1a88b3a9adfab57d1b2f3264fe4a070e93c29a60e9f1d19444307a4a174ea72700b271a46af9d823

Download Submit
C:\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
Filesize
1.1MB

MD5
7fddd114d33c2e2a8f98dc3117d29666

SHA1
4a6c74cfca4cfb493a13cbe9470ab28c4d596583

SHA256
6da8342e626ce8181d753a80e461f068562271042a953f34bc93314ceffc40b1

SHA512
43acb6894125ec19cf507466e7305d3f195672a0d3e5a71c1a88b3a9adfab57d1b2f3264fe4a070e93c29a60e9f1d19444307a4a174ea72700b271a46af9d823

Download Submit
C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize
20KB

MD5
70c3729e1a3558909566344ebb45fd4a

SHA1
825157cf4165736820a979be410d6bd1d60a3274

SHA256
c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e

SHA512
5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3

Download Submit
C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize
20KB

MD5
70c3729e1a3558909566344ebb45fd4a

SHA1
825157cf4165736820a979be410d6bd1d60a3274

SHA256
c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e

SHA512
5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3

Download Submit
C:\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize
20KB

MD5
70c3729e1a3558909566344ebb45fd4a

SHA1
825157cf4165736820a979be410d6bd1d60a3274

SHA256
c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e

SHA512
5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3

Download Submit
C:\Users\Admin\AppData\Roaming\UltraISO\uikey.ini
Filesize
51B

MD5
9949e48c88eda86f558ef6d39e1c2a7c

SHA1
7e9fff5e2ebfd49e8b56ad352c05678afeca4c41

SHA256
a46a6fdf049f50843b59f3c9dc4289f050ff44349131762a80c3980f4fcbc9d9

SHA512
a2bacfcf9a9d255bd7832a2f405dfed8603aec4785c7cce62de920bdfdd7057edf1db2485cad8a7f6f587beb7e9ef7af75fb5269cb38d2fd7da0a975238fdf5c

Download Submit
C:\Users\Admin\AppData\Roaming\UltraISO\ultraiso.ini
Filesize
1KB

MD5
fc3bad7de95c67bcb246630a7f15cec8

SHA1
20b2f7afc0be34dc26b051ac8437f8eb17e7e1fa

SHA256
da65c6109ed59670a2e4e06a3325919b01ce37ee77de18b051329b3f51f50890

SHA512
d5b40577854776a064cdafb9dd991a435638fdcb1be0e438cffb8a5222dbab1eb152abed54a7b6e9b72b318702e73028b3da377f3fc493c76201a5295cf87283

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB59.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB59.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB59.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB59.tmp\ExecCmd.dll
Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
Filesize
1.1MB

MD5
7fddd114d33c2e2a8f98dc3117d29666

SHA1
4a6c74cfca4cfb493a13cbe9470ab28c4d596583

SHA256
6da8342e626ce8181d753a80e461f068562271042a953f34bc93314ceffc40b1

SHA512
43acb6894125ec19cf507466e7305d3f195672a0d3e5a71c1a88b3a9adfab57d1b2f3264fe4a070e93c29a60e9f1d19444307a4a174ea72700b271a46af9d823

Download Submit
\Users\Admin\AppData\Roaming\UltraISO\UltraISO.exe
Filesize
1.1MB

MD5
7fddd114d33c2e2a8f98dc3117d29666

SHA1
4a6c74cfca4cfb493a13cbe9470ab28c4d596583

SHA256
6da8342e626ce8181d753a80e461f068562271042a953f34bc93314ceffc40b1

SHA512
43acb6894125ec19cf507466e7305d3f195672a0d3e5a71c1a88b3a9adfab57d1b2f3264fe4a070e93c29a60e9f1d19444307a4a174ea72700b271a46af9d823

Download Submit
\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize
20KB

MD5
70c3729e1a3558909566344ebb45fd4a

SHA1
825157cf4165736820a979be410d6bd1d60a3274

SHA256
c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e

SHA512
5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3

Download Submit
\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize
20KB

MD5
70c3729e1a3558909566344ebb45fd4a

SHA1
825157cf4165736820a979be410d6bd1d60a3274

SHA256
c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e

SHA512
5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3

Download Submit
\Users\Admin\AppData\Roaming\UltraISO\drivers\IsoCmd.exe
Filesize
20KB

MD5
70c3729e1a3558909566344ebb45fd4a

SHA1
825157cf4165736820a979be410d6bd1d60a3274

SHA256
c01f5e3cdcf4478c8d02ebee3b65a0dab950cfeac9ebfb704d6087a191ffeb7e

SHA512
5315a5a1facbddd3b8d46b1aaa5511334a3639240e6546151c58638ee845b8e78cae9f340824bbff9214167f96dcfb02c1fd277b99a7669e42d7738d048d08c3

Download Submit
memory/1668-101-0x0000000004480000-0x0000000004CA0000-memory.dmp

Filesize
8.1MB

Download
memory/1668-102-0x0000000004480000-0x0000000004CA0000-memory.dmp

Filesize
8.1MB

Download
memory/1796-103-0x0000000000400000-0x0000000000C20000-memory.dmp

Filesize
8.1MB

Download
memory/1796-104-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1796-106-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1796-107-0x0000000000400000-0x0000000000C20000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads