Analysis

  • max time kernel
    203s
  • max time network
    202s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21/05/2024, 18:59

General

  • Target
    uiso9_pe.exe
  • Size
    4.9MB
  • MD5
    5a2000a241a6947c060ee63425d7ebef
  • SHA1
    d80bbe4769b5e00886797d6f7c30063031eb5699
  • SHA256
    5f26ba6ce5a487a3c9ec7663143f6d661c5500d0dd593274bd4ab6e78815d236
  • SHA512
    cf4155b56d878d1d4c8b18669d6aa700c626fa5b2f67719bb8b2f8378059003046f437ae223a7aef6336d95cb82eeeb057910a432c135bbc4d94619a8bbfde1a
  • SSDEEP
    98304:JUj8/4MycvvCf9uOj5zXSdcrRsMZtuS0xbN0yjqnolKIMPgZrx/CpSSMD/zCDK8:Oj3MychOBXSdclsotcYyEGMPqrxo0zCP

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 60 IoCs
  • Drops file in Windows directory 64 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 38 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe
    "C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\is-GLSRI.tmp\uiso9_pe.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GLSRI.tmp\uiso9_pe.tmp" /SL5="$40234,4629041,128512,C:\Users\Admin\AppData\Local\Temp\uiso9_pe.exe"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\UltraISO\isoshl64.dll"
        3⤵
        • Loads dropped DLL
        • Registers COM server for autorun
        • Modifies registry class
        PID:5000
      • C:\Program Files (x86)\UltraISO\drivers\isocmd.exe
        "C:\Program Files (x86)\UltraISO\drivers\isocmd.exe" -i
        3⤵
        • Executes dropped EXE
        PID:3932
      • C:\Program Files (x86)\UltraISO\UltraISO.exe
        "C:\Program Files (x86)\UltraISO\UltraISO.exe"
        3⤵
        • Executes dropped EXE
        PID:5112
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:1292
  • C:\Windows\System32\oobe\UserOOBEBroker.exe
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    PID:4232
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    1⤵
    PID:2212
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    PID:484
  • C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2192
  • C:\Program Files (x86)\UltraISO\UltraISO.exe
    "C:\Program Files (x86)\UltraISO\UltraISO.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    PID:4656
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004B8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3924
  • C:\Windows\system32\msinfo32.exe
    "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\UndoUninstall.nfo"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2092
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\CloseConvert.vbe"
    1⤵
    PID:460
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SyncImport.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4484
  • C:\Windows\System32\oobe\UserOOBEBroker.exe
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    PID:4452
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    1⤵
    PID:5052
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:768
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:664
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2356
  • C:\Program Files (x86)\UltraISO\UltraISO.exe
    "C:\Program Files (x86)\UltraISO\UltraISO.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\EZB Systems\lame_enc.dll
    Filesize
    962KB
    MD5
    b9e34ae6d6ecb1e19b36dc70e7ef406c
    SHA1
    014985ed2dab57e606e08788fc9177220dd2aed1
    SHA256
    3b8817fad300fd729d28ca4895d9fb131cf64e699fe5de658ae44c6d056dace4
    SHA512
    d2360eb205a7f8feb9d45237f0190ef3b2444b22225bead9eedfe5301cac0601741a7d849033d3b2b5cd2a39496edc86e1d4d4444110bafefcf4a8922c6bbff2
  • C:\Program Files (x86)\UltraISO\UltraISO.exe
    Filesize
    5.2MB
    MD5
    63285e1d8a23ad23dd5b163feb715059
    SHA1
    67ee1910b3dd150a1297367dacdb4b272db01644
    SHA256
    116033b8e66845a6db4c97a134464254034228ad937e2610066e1b6a759018be
    SHA512
    d296a019aa558e7678188277e4e83fa451add9a9e3629e0a4665565764de26e6a9806feb6d69534308907556421c94cbc4c802db04f2cf87a3a1fb3765e09fe7
  • C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys
    Filesize
    132KB
    MD5
    bc81814b594286bef9913ec5ca1110d7
    SHA1
    523fc3b657fd3fb493e0fb14c0bbf39813d1e558
    SHA256
    9c22b6f77e929d319c5e891ee1510045dc5f486bdaf47a0696564d4d84d30379
    SHA512
    2b65dc57a4c83c1ef243396dabf15cf53faa145bd073ac89dbf9104519e7a2b97a303c96acfdbc992e9ac19efbe65b143dd27bb6c9f7ad3e76c5eacb1b9a1889
  • C:\Program Files (x86)\UltraISO\drivers\IsoCmd.exe
    Filesize
    28KB
    MD5
    55677a521dd34ce7a93ab3f1d12b2dfd
    SHA1
    4316dd2b5e4ebb48886955ec5365b2f40d4298b3
    SHA256
    fc506cb2ce0fa9a994db2e29a595f818fe93cae93dd2f8cca6f4b40944907c5c
    SHA512
    e4e05c49701865ba349f4c037c96539cfd3da1f8cd97f9668474ca50a50db0a50e59e7f21f7e0fbc44ca1f79f7cdb529f82bc70b2a7a34e861bb5350ee783dcc
  • C:\Program Files (x86)\UltraISO\isoshl64.dll
    Filesize
    151KB
    MD5
    c0fc6c67bd9d9fbc4f8ad44232d49d11
    SHA1
    e5ad2b56cc20652401ee5c60fe118cf3fb474a7b
    SHA256
    50df2e7ba2ab1892dd1e8c03be51a1dfa9c1ecc501d5166cd5e69badb4a8c503
    SHA512
    74bc8d2d93c870f0449582b6de60ade9b0322a5cca945beac8842ccd4577569ea97a7089163dcff8b0115ebbaf2ae75d09ae5214efcb8ea6902c80a2cc0e5586
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-5-21.190.2212.1.odl
    Filesize
    706B
    MD5
    4675399b02b236cc1c372557c6cb645e
    SHA1
    6e1bbd82402f0f6faa4a80baca6ecda226230ba2
    SHA256
    ff2bcc4417a035df177b51e79ec5c5ffc03b7b9a23bfc96a6f0554a6d18d2508
    SHA512
    420b141eb7aaabf92628e0938133b4d5e3e38a26195bb32cc8211f63135668aa00e8cb8fe6645a6e30cb56dfd486ad5f1cb3771e780976528d577ba89b246866
  • C:\Users\Admin\AppData\Local\Temp\is-GLSRI.tmp\uiso9_pe.tmp
    Filesize
    771KB
    MD5
    3de2992c86c78e781881e9c0db26a32f
    SHA1
    c26845ca7319a66432304a955cecdad4f977d040
    SHA256
    e9700438d88e5a5f54d6940a4129477e943dcd4b95b006d0b38ef1e2a566a642
    SHA512
    88d318e3265ac733408836592f87349a7bd2be1ae34e92ef7bd302926ff69b4a072300d5eac07cffdf91929b24ae08818c7cfb42cc825afaacd29250f7cae6a6
  • memory/1428-256-0x0000000000400000-0x0000000000E31000-memory.dmp
    Filesize
    10.2MB
  • memory/2108-157-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize
    832KB
  • memory/2108-11-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize
    832KB
  • memory/2108-9-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize
    832KB
  • memory/2108-152-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize
    832KB
  • memory/2108-7-0x0000000000400000-0x00000000004D0000-memory.dmp
    Filesize
    832KB
  • memory/2712-0-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize
    152KB
  • memory/2712-158-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize
    152KB
  • memory/2712-8-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize
    152KB
  • memory/2712-2-0x0000000000401000-0x000000000040C000-memory.dmp
    Filesize
    44KB
  • memory/4484-230-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-227-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-228-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-229-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-226-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-231-0x00007FFB61890000-0x00007FFB618A0000-memory.dmp
    Filesize
    64KB
  • memory/4484-232-0x00007FFB61890000-0x00007FFB618A0000-memory.dmp
    Filesize
    64KB
  • memory/4484-246-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-247-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-249-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4484-248-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
    Filesize
    64KB
  • memory/4656-225-0x0000000000400000-0x0000000000E31000-memory.dmp
    Filesize
    10.2MB
  • memory/5112-159-0x0000000000400000-0x0000000000E31000-memory.dmp
    Filesize
    10.2MB