48a4eef151463b3e83c55044979c5bc175980cb7600fe28539cefb28b31ebc2a | Triage

Analysis

max time kernel
134s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 11:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

UIManagerBrokerps.dll
Size

11KB
MD5

1b1955d3d792aae9bbf54d1a49c2284e
SHA1

1e04a61cebb077e29d95bbb661c68ee66daa7750
SHA256

48a4eef151463b3e83c55044979c5bc175980cb7600fe28539cefb28b31ebc2a
SHA512

ce74434af4c508ab3d976927d9edff91662e638d60fe18d2b0d64062067bffd801c905942d1bfc59a26bf6f0ee39f6c37f3e2d46bec8366355a12005faec8861
SSDEEP

192:R9nfNzrJirmYlmUAGC3C2h/frjE6CZ+W2v2W:PdrJirmYl6S2xrOZ+W2v2W

Score

1^/10

Malware Config

Signatures

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95D9BDD0-D1EE-4605-98A2-5551EA3FB39A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95D9BDD0-D1EE-4605-98A2-5551EA3FB39A}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95D9BDD0-D1EE-4605-98A2-5551EA3FB39A}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95D9BDD0-D1EE-4605-98A2-5551EA3FB39A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95D9BDD0-D1EE-4605-98A2-5551EA3FB39A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95D9BDD0-D1EE-4605-98A2-5551EA3FB39A}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95D9BDD0-D1EE-4605-98A2-5551EA3FB39A}\ = "IUIManagerBroker"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1540	208	regsvr32.exe	83
PID 208 wrote to memory of 1540	208	regsvr32.exe	83
PID 208 wrote to memory of 1540	208	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\UIManagerBrokerps.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\UIManagerBrokerps.dll
  2⤵
  - Modifies registry class
  PID:1540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads