URL:

https://www.sysgeeker.com/download/ultradmg.exe

Full analysis: https://app.any.run/tasks/7be09755-e4c5-4762-9012-c709fbdbe870
Verdict: Malicious activity
Analysis date: October 18, 2023, 12:55:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
SHA1:

CC77ABA994B07EE8EE9FB23825AE5AE0A3A167A1

SHA256:

6DF8AE4EEE26C3127832D448C3D6B751AB8416751301C5B09C72C2FC7E8C3FB2

SSDEEP:

3:N8DSLRArymLcLAn:2OLmOm/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • ultradmg.exe (PID: 2956)
      • ultradmg.tmp (PID: 1952)

  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • ultradmg.tmp (PID: 1952)

    • Process drops legitimate windows executable

      • ultradmg.tmp (PID: 1952)

    • Drops 7-zip archiver for unpacking

      • ultradmg.tmp (PID: 1952)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2260)

    • Manual execution by a user

      • explorer.exe (PID: 2736)
      • taskmgr.exe (PID: 4068)

    • Checks supported languages

      • ultradmg.exe (PID: 2956)
      • ultradmg.tmp (PID: 1952)

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3648)

    • The process uses the downloaded file

      • iexplore.exe (PID: 2260)

    • Create files in a temporary directory

      • ultradmg.exe (PID: 2956)

    • Reads the computer name

      • ultradmg.tmp (PID: 1952)

    • Application was dropped or rewritten from another process

      • ultradmg.tmp (PID: 1952)

    • Creates files in the program directory

      • ultradmg.tmp (PID: 1952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe explorer.exe no specs ultradmg.exe no specs ultradmg.exe ultradmg.tmp no specs taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1952"C:\Users\admin\AppData\Local\Temp\is-RHJLV.tmp\ultradmg.tmp" /SL5="$60270,86825316,720896,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ultradmg.exe" C:\Users\admin\AppData\Local\Temp\is-RHJLV.tmp\ultradmg.tmpultradmg.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-rhjlv.tmp\ultradmg.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2260"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.sysgeeker.com/download/ultradmg.exe"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2328"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ultradmg.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ultradmg.exeiexplore.exe
User:
admin
Company:
SYSGeeker
Integrity Level:
MEDIUM
Description:
SYSGeeker UltraDMG Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\ultradmg.exe
c:\windows\system32\ntdll.dll
2736"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
2956"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ultradmg.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ultradmg.exe
iexplore.exe
User:
admin
Company:
SYSGeeker
Integrity Level:
HIGH
Description:
SYSGeeker UltraDMG Setup
Exit code:
0
Version:
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\ultradmg.exe
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3648"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2260 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
4068"C:\Windows\system32\taskmgr.exe" /4C:\Windows\System32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
13 579
Read events
13 506
Write events
67
Delete events
6

Modification events

(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
0
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30847387
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30847437
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
46
Suspicious files
553
Text files
1 847
Unknown types
0

Dropped files

PID
Process
Filename
Type
2260iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:1259C367514A55BF3279CD7A2BE17FE3
SHA256:C2DD5D19B564677821BDA6386DF0444DBC11952F493B1B4F1400861F05BBC844
2260iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
3648iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ultradmg.exe.81e1lfd.partial
MD5:
SHA256:
2260iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:3D25A1DE6040E9CD32204A21D4BFC758
SHA256:C5CEAE42A4FEC86B3A6FE7D08171D68A3B94C0D4444416F0EE40C3BD3FB539D6
3648iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B947B1DEBD7653FFADD28363D1678EBbinary
MD5:90B8CA95439265FABB58C71B2C3AC876
SHA256:B273114C688D87D9EEFF7AAEE05CB4AE05FD7ADD715C013644D4A487355AA6FC
3648iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B947B1DEBD7653FFADD28363D1678EBbinary
MD5:EB51CF0600047933210823B94B570AF3
SHA256:DFBA3A7C67DA6DCFB7A23895D76C27DECA20D0F5EED4BF275454C7E8F3DF9C4A
2260iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ultradmg.exe
MD5:
SHA256:
2260iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:5AF34F7CD374666C170F30A0B3AC3908
SHA256:B307C2CDC8E0A549A4CE2AC818C0835FEEA61A52273DBB213075ACC484E87441
2260iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9F61D0C0-6DB5-11EE-B150-12A9866C77DE}.datbinary
MD5:ACE65422791EA7ABF7978564639CC4C7
SHA256:95318BE9241EEDABEBD336AACF8091BF8EA7954B22D770F04BF4F0C1C62795B1
2260iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2FEA205FE1129BFB.TMPbinary
MD5:DB935C60A20F2FA8D0B3A5A34E7D5210
SHA256:886C98BFAA808F30AD1AA0850C9C3B51347CE7A2BD38C2B8A7B11DFAACE197B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
21
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2260
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dc516db73da38a37
unknown
compressed
4.66 Kb
unknown
2260
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
unknown
binary
1.47 Kb
unknown
2260
iexplore.exe
GET
200
8.241.123.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7147a541e8aecbd1
unknown
compressed
4.66 Kb
unknown
3648
iexplore.exe
GET
200
104.18.14.101:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
binary
2.18 Kb
unknown
3648
iexplore.exe
GET
200
104.18.14.101:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCKeAOdh%2Fh%2FU7XM8Czhte7K
unknown
binary
472 b
unknown
3648
iexplore.exe
GET
200
104.18.15.101:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
binary
1.42 Kb
unknown
2260
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
2260
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
binary
471 b
unknown
2260
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3648
iexplore.exe
207.246.108.200:443
AS-CHOOPA
US
unknown
2260
iexplore.exe
23.53.43.88:443
www.bing.com
Akamai International B.V.
DE
unknown
2260
iexplore.exe
8.241.123.254:80
ctldl.windowsupdate.com
LEVEL3
US
unknown
2260
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
2260
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3648
iexplore.exe
104.18.15.101:80
ocsp.comodoca.com
CLOUDFLARENET
unknown
3648
iexplore.exe
104.18.14.101:80
ocsp.comodoca.com
CLOUDFLARENET
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2260
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 23.53.43.88
  • 23.53.43.89
whitelisted
ctldl.windowsupdate.com
  • 8.241.123.254
  • 8.241.123.126
  • 67.27.158.254
  • 67.27.158.126
  • 67.27.234.126
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ocsp.comodoca.com
  • 104.18.15.101
  • 104.18.14.101
whitelisted
ocsp.usertrust.com
  • 104.18.14.101
  • 104.18.15.101
whitelisted
ocsp.sectigo.com
  • 104.18.14.101
  • 104.18.15.101
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.sysgeeker.com/download/ultradmg.exe