a0e214bc4240efc48409736ef85606397ef7a38d4d1abb2431f6abcfc0697fcf

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UltraISO Premium Edition v9.7.3.3629 Retail Ml_Rus DC 17.07.2020/uiso97pes.exe
Size

4.6MB
MD5

a1d6e9895f67694580016c6a07793bc2
SHA1

29ba651096f6a94b2aec3f3b94909748a259753e
SHA256

3204a6b52e4698fddf35a8e67bf3af5f924c1ccef75da7c48d95be1226b554ff
SHA512

3c3da1dda2aafbb951b15c2e1751d1c71ceeb4f46ff77e5be6d10cb7c760fd1c8358ba4dd11a13ea618b91f525e49f35ef2041a1f9288062b1ead0f84d3d38c6
SSDEEP

98304:U5Yjo3qYXNRnxofbalqVHzSesntuS0xK0yjqio3KIMYZrx7ICCpSSMD6OqljCvl:djsvRxofbAq9zSesntcjyNkMyrx7IzjA

Score

4^/10

discovery persistence

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraISO\drivers\is-SEFD2.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-L1Q3K.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-E7P18.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-S2790.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\is-7K859.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-9907C.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-U6ETS.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-3EE7R.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-JREOK.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\is-RU7QF.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-EETO5.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-OH0CL.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-I28K3.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-ACBJ6.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-HPU76.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-H5AIE.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-GJKI4.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-QTBGR.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-ECE56.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-NKJIO.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-4DCJ2.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-2UDVQ.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-CUAL6.tmp	uiso97pes.tmp
File opened for modification	C:\Program Files (x86)\UltraISO\unins000.dat	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-FRG06.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-F7ODL.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-3CK4H.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-UC7VN.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-328KD.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-1NGR8.tmp	uiso97pes.tmp
File opened for modification	C:\Program Files (x86)\UltraISO\backup	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\unins000.dat	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\is-I05I1.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-D6IK6.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-0LKLA.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\is-PKTEP.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-A11E4.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-QHC0G.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-4KD3I.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\drivers\is-4SVB3.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-KOSI6.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-3VBG3.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-SEQG6.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-50ELE.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-1O408.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-KOOEG.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-UASNT.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-DC4K1.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-0B1E4.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-UDQ08.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\Common Files\EZB Systems\is-9DGSN.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\is-525ET.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-C8DCS.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\is-UTUNK.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\is-M89SH.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-0HHT2.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-4NOEQ.tmp	uiso97pes.tmp
File created	C:\Program Files (x86)\UltraISO\lang\is-BP78M.tmp	uiso97pes.tmp

Executes dropped EXE 3 IoCs

pid	Process
2036	uiso97pes.tmp
1376	isocmd.exe
2260	UltraISO.exe

Loads dropped DLL 8 IoCs

pid	Process
1644	uiso97pes.exe
2036	uiso97pes.tmp
2036	uiso97pes.tmp
2036	uiso97pes.tmp
1576	regsvr32.exe
2036	uiso97pes.tmp
2036	uiso97pes.tmp
2036	uiso97pes.tmp

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ = "C:\\Program Files (x86)\\UltraISO\\isoshl64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib\ = "{1CD46142-F3D3-4E46-87BA-7CC019142F9D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\ = "Open with &UltraISO"	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ui	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\Convert to ISO\command	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UltraISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\TypeLib\ = "{1CD46142-F3D3-4E46-87BA-7CC019142F9D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\UltraISO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "UltraISO"	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\open\command	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CLSID\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu.1\CLSID\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ = "IUIContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\Convert to ISO\command\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\" -bin2iso \"%1\""	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\open\command\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\" \"%1\""	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\UltraISO\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz\ = "UltraISO"	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ui\ = "UltraISO"	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shell\Convert to ISO	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\ = "ISOShell 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\ = "UltraISO File"	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\DefaultIcon	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shellex\ContextMenuHandlers\ISOShell\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\ = "UIContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\command\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\" \"%1\""	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib\ = "{1CD46142-F3D3-4E46-87BA-7CC019142F9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shellex\ContextMenuHandlers\ISOShell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ISOShell.UIContextMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\ProgID\ = "ISOShell.UIContextMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9653DE66-C5E0-4AEE-ADE5-0197BA68CE2B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\DefaultIcon\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\",0"	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\DefaultIcon\ = "\"C:\\Program Files (x86)\\UltraISO\\UltraISO.exe\",0"	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UltraISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\UltraISO\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\UltraISO\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shellex\ContextMenuHandlers\ISOShell\ = "{AD392E40-428C-459F-961E-9B147782D099}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD46142-F3D3-4E46-87BA-7CC019142F9D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\DefaultIcon	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "binimage"	uiso97pes.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\binimage\ = "BIN File"	uiso97pes.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\UltraISO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD392E40-428C-459F-961E-9B147782D099}\InprocServer32\ = "C:\\Program Files (x86)\\UltraISO\\isoshl64.dll"	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2260	UltraISO.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2036	uiso97pes.tmp
2260	UltraISO.exe
2260	UltraISO.exe
2004	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2036	1644	uiso97pes.exe	28
PID 1644 wrote to memory of 2036	1644	uiso97pes.exe	28
PID 1644 wrote to memory of 2036	1644	uiso97pes.exe	28
PID 1644 wrote to memory of 2036	1644	uiso97pes.exe	28
PID 1644 wrote to memory of 2036	1644	uiso97pes.exe	28
PID 1644 wrote to memory of 2036	1644	uiso97pes.exe	28
PID 1644 wrote to memory of 2036	1644	uiso97pes.exe	28
PID 2036 wrote to memory of 1576	2036	uiso97pes.tmp	29
PID 2036 wrote to memory of 1576	2036	uiso97pes.tmp	29
PID 2036 wrote to memory of 1576	2036	uiso97pes.tmp	29
PID 2036 wrote to memory of 1576	2036	uiso97pes.tmp	29
PID 2036 wrote to memory of 1576	2036	uiso97pes.tmp	29
PID 2036 wrote to memory of 1576	2036	uiso97pes.tmp	29
PID 2036 wrote to memory of 1576	2036	uiso97pes.tmp	29
PID 2036 wrote to memory of 1376	2036	uiso97pes.tmp	30
PID 2036 wrote to memory of 1376	2036	uiso97pes.tmp	30
PID 2036 wrote to memory of 1376	2036	uiso97pes.tmp	30
PID 2036 wrote to memory of 1376	2036	uiso97pes.tmp	30
PID 2036 wrote to memory of 2004	2036	uiso97pes.tmp	35
PID 2036 wrote to memory of 2004	2036	uiso97pes.tmp	35
PID 2036 wrote to memory of 2004	2036	uiso97pes.tmp	35
PID 2036 wrote to memory of 2004	2036	uiso97pes.tmp	35
PID 2036 wrote to memory of 2260	2036	uiso97pes.tmp	36
PID 2036 wrote to memory of 2260	2036	uiso97pes.tmp	36
PID 2036 wrote to memory of 2260	2036	uiso97pes.tmp	36
PID 2036 wrote to memory of 2260	2036	uiso97pes.tmp	36

C:\Users\Admin\AppData\Local\Temp\UltraISO Premium Edition v9.7.3.3629 Retail Ml_Rus DC 17.07.2020\uiso97pes.exe
"C:\Users\Admin\AppData\Local\Temp\UltraISO Premium Edition v9.7.3.3629 Retail Ml_Rus DC 17.07.2020\uiso97pes.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\is-9OPK7.tmp\uiso97pes.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9OPK7.tmp\uiso97pes.tmp" /SL5="$4010A,4329604,128000,C:\Users\Admin\AppData\Local\Temp\UltraISO Premium Edition v9.7.3.3629 Retail Ml_Rus DC 17.07.2020\uiso97pes.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\UltraISO\isoshl64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1576
- - C:\Program Files (x86)\UltraISO\drivers\isocmd.exe
    "C:\Program Files (x86)\UltraISO\drivers\isocmd.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\UltraISO\Readme.txt
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2004
- - C:\Program Files (x86)\UltraISO\UltraISO.exe
    "C:\Program Files (x86)\UltraISO\UltraISO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraISO\Readme.txt

Filesize
2KB

MD5
bff30d893fc39cf16544a3ae18e72d33

SHA1
027219b92ade452de2757d5460618a73c3ab7aa7

SHA256
904e402e59d1b093378516064bffb2a7d06fb53c1422615724292640cb2f7c0a

SHA512
f56cc68b15b0e17fa15e4d8cf4c22995a2a3dc46c2201143fa86195088a64fa2c3b54d587b481d1f219ea894c1e09d9ecd254f2189dede94bdb7a6d4348a6945

Download Submit
C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys

Filesize
121KB

MD5
be68c42760724fb9931bb38e921cd3cb

SHA1
56c64b258d16b8e5307a1ddd28d980235c757357

SHA256
aeea7670c130ff659f09d8daf200ab8f429d307a483936aee9efb849e33b3064

SHA512
6b7cf20e12aba6116f256b930bdda2c48ed60a5db76c8a1291641dc6a26bd1e371bc1efcba16dae4ecf2463a39afcf9904ec3b29cba1ddc5df6f546ab5a56e42

Download Submit
C:\Program Files (x86)\UltraISO\drivers\IsoCmd.exe

Filesize
26KB

MD5
26bff94babb8a0ccb74bcdbba7a67f82

SHA1
703ad751f975b6bcd1b165e41a1a4b5d44842015

SHA256
28d530f9e46c6fc9fa66c4f7f232c57b3d5d9287840c13e187d513358ed12a5d

SHA512
4f41a4b92f4d5cdfc7cb0ff4657e12172f3a5cd997ebb76468286a69256fbb611b21b577597743a4d7f1aefacf52c03bf8d5ed8505ffc048d3dcda0556ad1b05

Download Submit
\Program Files (x86)\UltraISO\UltraISO.exe

Filesize
5.2MB

MD5
94b0019cb77dc79b19483d0e129e4667

SHA1
1c52c8abb8218746e701f9ce0296395f75bbb05d

SHA256
e8741d2eb9c7c37a818a43e42c9dad5305182f154cd6a4659f0dac0dce951539

SHA512
9c05a9a66080a8c51bb1c1478f86e1699da604ab8b4f8df1d36f1cd9450646554b303a95e2c360c8933f8cf64adc0f036b0366f88e2a9e5db25f15531a75c31f

Download Submit
\Program Files (x86)\UltraISO\isoshl64.dll

Filesize
151KB

MD5
c0fc6c67bd9d9fbc4f8ad44232d49d11

SHA1
e5ad2b56cc20652401ee5c60fe118cf3fb474a7b

SHA256
50df2e7ba2ab1892dd1e8c03be51a1dfa9c1ecc501d5166cd5e69badb4a8c503

SHA512
74bc8d2d93c870f0449582b6de60ade9b0322a5cca945beac8842ccd4577569ea97a7089163dcff8b0115ebbaf2ae75d09ae5214efcb8ea6902c80a2cc0e5586

Download Submit
\Program Files (x86)\UltraISO\unins000.exe

Filesize
776KB

MD5
807124784f31a75c636f9970fd1ae5f0

SHA1
f42e996539127b6bfe62ebbc8cc09878503df2aa

SHA256
28a17164feda8369165faa610f5b3feff4b8b6f78f7444bf86c53a81c003e7a9

SHA512
86f4c63368ab6de5bf2c7019b366dd9bf0a55314295df09c7548c3d1a299e76607d353688bacc1c14992003d74d94506a74b637c9517f79eb598770383304750

Download Submit
\Users\Admin\AppData\Local\Temp\is-9OPK7.tmp\uiso97pes.tmp

Filesize
765KB

MD5
0856978f29ae90dc02a700a33fe0302e

SHA1
c71d25f4418ecdbd30da98a6ab0804ecca2a800b

SHA256
45b137a10ad4eb65b6d04dcb768e88ba372e2b36fca1e44060bd9517d71f49f1

SHA512
4d07c277987d28c731cb7435b27010e7cbe7448b865fd138a6299e8ccbf9d172a47d5477e554084e2d608212fcc3d07b97fb1bd53b56fb1e18ce50ee4acf3119

Download Submit
memory/1644-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1644-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1644-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1644-167-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2036-13-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2036-11-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2036-9-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2036-165-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2260-168-0x0000000000400000-0x0000000000E22000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads