| File name: | UltraISO.exe |
| Full analysis: | https://app.any.run/tasks/5af2ad3a-ea37-4a18-804a-3b33e8a81f9f |
| Verdict: | Malicious activity |
| Analysis date: | May 31, 2024, 06:38:26 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 5A2000A241A6947C060EE63425D7EBEF |
| SHA1: | D80BBE4769B5E00886797D6F7C30063031EB5699 |
| SHA256: | 5F26BA6CE5A487A3C9EC7663143F6D661C5500D0DD593274BD4AB6E78815D236 |
| SSDEEP: | 98304:JUj8/4MycvvCf9uOj5zXSdcrRsMZtuS0xbN0yjqnolKIMPgZrx/CpSSMD/zCDK8:Oj3MychOBXSdclsotcYyEGMPqrxo0zCP |
MALICIOUS
Drops the executable file immediately after the start
- UltraISO.exe (PID: 3976)
- UltraISO.exe (PID: 2104)
- UltraISO.tmp (PID: 2108)
Registers / Runs the DLL via REGSVR32.EXE
- UltraISO.tmp (PID: 2108)
SUSPICIOUS
Executable content was dropped or overwritten
- UltraISO.tmp (PID: 2108)
- UltraISO.exe (PID: 3976)
- UltraISO.exe (PID: 2104)
Drops a system driver (possible attempt to evade defenses)
- UltraISO.tmp (PID: 2108)
Creates/Modifies COM task schedule object
- regsvr32.exe (PID: 2116)
Reads the Windows owner or organization settings
- UltraISO.tmp (PID: 2108)
INFO
Checks supported languages
- UltraISO.exe (PID: 3976)
- UltraISO.tmp (PID: 3992)
- UltraISO.exe (PID: 2104)
- UltraISO.tmp (PID: 2108)
- IsoCmd.exe (PID: 2040)
- UltraISO.exe (PID: 1756)
Reads the computer name
- UltraISO.tmp (PID: 2108)
- UltraISO.tmp (PID: 3992)
- IsoCmd.exe (PID: 2040)
- UltraISO.exe (PID: 1756)
Creates files in the program directory
- UltraISO.tmp (PID: 2108)
Creates a software uninstall entry
- UltraISO.tmp (PID: 2108)
Create files in a temporary directory
- UltraISO.exe (PID: 3976)
- UltraISO.exe (PID: 2104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (81.5) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10.5) |
| .exe | | | Win32 Executable (generic) (3.3) |
| .exe | | | Win16/32 Executable Delphi generic (1.5) |
| .exe | | | Generic Win/DOS Executable (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 41984 |
| InitializedDataSize: | 85504 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xaad0 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 9.7.6.3829 |
| ProductVersionNumber: | 9.7.6.3829 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | EZB Systems, Inc. |
| FileDescription: | UltraISO Setup |
| FileVersion: | 9.7.6.3829 |
| LegalCopyright: | (c) EZB Systems, Inc. |
| ProductName: | UltraISO |
| ProductVersion: | 9.76 |
Total processes
44
Monitored processes
7
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1756 | "C:\Program Files\UltraISO\UltraISO.exe" | C:\Program Files\UltraISO\UltraISO.exe | — | UltraISO.tmp | |||||||||||
User: admin Company: EZB Systems, Inc. Integrity Level: HIGH Description: UltraISO Premium Version: 9.7.6.3829 Modules
| |||||||||||||||
| 2040 | "C:\Program Files\UltraISO\drivers\isocmd.exe" -i | C:\Program Files\UltraISO\drivers\IsoCmd.exe | — | UltraISO.tmp | |||||||||||
User: admin Company: EZB Systems, Inc. Integrity Level: HIGH Description: ISO Command Exit code: 0 Version: 3.21 built by: WinDDK Modules
| |||||||||||||||
| 2104 | "C:\Users\admin\AppData\Local\Temp\UltraISO.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138 | C:\Users\admin\AppData\Local\Temp\UltraISO.exe | UltraISO.tmp | ||||||||||||
User: admin Company: EZB Systems, Inc. Integrity Level: HIGH Description: UltraISO Setup Exit code: 0 Version: 9.7.6.3829 Modules
| |||||||||||||||
| 2108 | "C:\Users\admin\AppData\Local\Temp\is-98VFT.tmp\UltraISO.tmp" /SL5="$5012A,4629041,128512,C:\Users\admin\AppData\Local\Temp\UltraISO.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138 | C:\Users\admin\AppData\Local\Temp\is-98VFT.tmp\UltraISO.tmp | UltraISO.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 2116 | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\UltraISO\isoshell.dll" | C:\Windows\System32\regsvr32.exe | — | UltraISO.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3976 | "C:\Users\admin\AppData\Local\Temp\UltraISO.exe" | C:\Users\admin\AppData\Local\Temp\UltraISO.exe | explorer.exe | ||||||||||||
User: admin Company: EZB Systems, Inc. Integrity Level: MEDIUM Description: UltraISO Setup Exit code: 0 Version: 9.7.6.3829 Modules
| |||||||||||||||
| 3992 | "C:\Users\admin\AppData\Local\Temp\is-HD5HO.tmp\UltraISO.tmp" /SL5="$20138,4629041,128512,C:\Users\admin\AppData\Local\Temp\UltraISO.exe" | C:\Users\admin\AppData\Local\Temp\is-HD5HO.tmp\UltraISO.tmp | — | UltraISO.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
Total events
4 211
Read events
4 176
Write events
35
Delete events
0
Modification events
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | Shared |
Value: C:\Program Files\Common Files\EZB Systems | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_CURRENT_USER\Software\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | Shared |
Value: C:\Program Files\Common Files\EZB Systems | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_CURRENT_USER\Software\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | XPBurn |
Value: 0 | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_CURRENT_USER\Software\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | ISOFolder |
Value: C:\Users\admin\Documents\My ISO Files | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_CURRENT_USER\Software\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | UseSkins |
Value: 1 | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_CURRENT_USER\Software\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | SoundEffect |
Value: 1 | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_CURRENT_USER\Software\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | Language |
Value: 1033 | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\EasyBoot Systems\UltraISO\5.0 |
| Operation: | write | Name: | Install |
Value: 1 | |||
| (PID) Process: | (2108) UltraISO.tmp | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ISODrive\Parameters |
| Operation: | write | Name: | AutoMount |
Value: 1 | |||
| (PID) Process: | (2116) regsvr32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved |
| Operation: | write | Name: | {AD392E40-428C-459F-961E-9B147782D099} |
Value: UltraISO | |||
Executable files
108
Suspicious files
9
Text files
6
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3976 | UltraISO.exe | C:\Users\admin\AppData\Local\Temp\is-HD5HO.tmp\UltraISO.tmp | executable | |
MD5:3DE2992C86C78E781881E9C0DB26A32F | SHA256:E9700438D88E5A5F54D6940A4129477E943DCD4B95B006D0B38EF1E2A566A642 | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\unins000.exe | executable | |
MD5:F92F7190CAB7F80CBD7F5E419C27E37D | SHA256:82190E1BFE62F4549F3CA2DD76261CC6213968D4F599349D3B07274499223ECE | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\is-320JR.tmp | executable | |
MD5:63285E1D8A23AD23DD5B163FEB715059 | SHA256:116033B8E66845A6DB4C97A134464254034228AD937E2610066E1B6A759018BE | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\is-7M0RS.tmp | executable | |
MD5:F92F7190CAB7F80CBD7F5E419C27E37D | SHA256:82190E1BFE62F4549F3CA2DD76261CC6213968D4F599349D3B07274499223ECE | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\is-C64LV.tmp | executable | |
MD5:BDCC1A4B4D745DB4397B6AE3EB9C954B | SHA256:19D13F1930210741BA580C0D031121435C225953B5203823FBE18C1E8D58B94B | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\UltraISO.exe | executable | |
MD5:63285E1D8A23AD23DD5B163FEB715059 | SHA256:116033B8E66845A6DB4C97A134464254034228AD937E2610066E1B6A759018BE | |||
| 2104 | UltraISO.exe | C:\Users\admin\AppData\Local\Temp\is-98VFT.tmp\UltraISO.tmp | executable | |
MD5:3DE2992C86C78E781881E9C0DB26A32F | SHA256:E9700438D88E5A5F54D6940A4129477E943DCD4B95B006D0B38EF1E2A566A642 | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\isoshl64.dll | executable | |
MD5:C0FC6C67BD9D9FBC4F8AD44232D49D11 | SHA256:50DF2E7BA2AB1892DD1E8C03BE51A1DFA9C1ECC501D5166CD5E69BADB4A8C503 | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\isoshell.dll | executable | |
MD5:BDCC1A4B4D745DB4397B6AE3EB9C954B | SHA256:19D13F1930210741BA580C0D031121435C225953B5203823FBE18C1E8D58B94B | |||
| 2108 | UltraISO.tmp | C:\Program Files\UltraISO\drivers\ISODrive.sys | executable | |
MD5:5645290B24D23612D8AE10BBE8BF03CE | SHA256:21DC0FFF80748CE3115658BD6CDFF9FC13711ED9E686D25233C3A73535157D0F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | unknown |