d3946690d0021a737907391534c1dc3deb0b095b64378e328ae860de5b769bf1

General

Target

Fluster.Installer.exe
Size

49KB
MD5

003d2cadae6e93921b557f4dc5e8acaf
SHA1

2b0b4f08f767eb912afe714cfbb2d658c62b159f
SHA256

d3946690d0021a737907391534c1dc3deb0b095b64378e328ae860de5b769bf1
SHA512

1352a80124fb46542e62fb66988939edb577fdb19d5fd161b3145617a1dd446b6abdda9429a155162a195f38e852a4f25fbc243552daab9cfb7583b0fceef384
SSDEEP

768:YJOHc8/Qlz7cu/9gDP2MzMgGkApZ4Y4HZYkQaaCQqwgiJwYeve/cWT13De1:Yk5IZr/WP2yMl7pZ4YQsaaCQqw3J9e

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\642584412\1571121237.pri	SystemSettingsAdminFlows.exe
File created	C:\Windows\rescache\_merged\3060194815\2825129510.pri	SystemSettingsAdminFlows.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "397"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "364"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "526"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "397"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "493"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "364"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
628	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4136	SystemSettingsAdminFlows.exe
2872	SearchUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1132	368	Fluster.Installer.exe	72
PID 368 wrote to memory of 1132	368	Fluster.Installer.exe	72
PID 368 wrote to memory of 4832	368	Fluster.Installer.exe	81
PID 368 wrote to memory of 4832	368	Fluster.Installer.exe	81
PID 368 wrote to memory of 4212	368	Fluster.Installer.exe	82
PID 368 wrote to memory of 4212	368	Fluster.Installer.exe	82
PID 2436 wrote to memory of 2192	2436	Fluster.Installer.exe	89
PID 2436 wrote to memory of 2192	2436	Fluster.Installer.exe	89
PID 2436 wrote to memory of 4440	2436	Fluster.Installer.exe	91
PID 2436 wrote to memory of 4440	2436	Fluster.Installer.exe	91
PID 2436 wrote to memory of 3704	2436	Fluster.Installer.exe	92
PID 2436 wrote to memory of 3704	2436	Fluster.Installer.exe	92

C:\Users\Admin\AppData\Local\Temp\Fluster.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Fluster.Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Get-AppxPackage ROBLOXCORPORATION.ROBLOX.* | Remove-AppPackage
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:4212

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
1⤵
PID:2400

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOnDeveloperFeatures DeveloperUnlock
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:3956

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" InstallInternalDeveloperModePackage
1⤵
PID:2080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\Fluster.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Fluster.Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Get-AppxPackage ROBLOXCORPORATION.ROBLOX.* | Remove-AppPackage
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3704

C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
1⤵
PID:4988

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0499087c7d3a458587b147c7c2bbaabc /t 3720 /p 3588
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
a8e583a4f82c82e5b7135145e72f5388

SHA1
d7e8be05dac783709a9a5350350b654eedfe1ae3

SHA256
71a69e326849b1ad6c8ea63bc7b091df0ca30a221347c18751137e0f636e842d

SHA512
693280214b041ed5a0a2a60dd77af5a8a77decb970a362669c284fa0e8f435a0e211f7f58b8bad9d4b92f03095b18133d5999613c965599353f8bc799e74f7ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c948ca1d58882a438aae296f6a32121

SHA1
0498a6102b2c7cfcaf9af7cd2108411391757aec

SHA256
384b97d173f5f3471939c16eaff3f1e048f8459064086a0f2a1ee16f6fd85349

SHA512
e17f7f5a3e21147793e719b8e978e9fd978951c41866b9015b831255768854202ec57bebb35b69c593816920042e188c09550789327cea58c536c1c648bb6a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4tsqcev.gbl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2872-196-0x0000020CD0EB0000-0x0000020CD0ED0000-memory.dmp

Filesize
128KB

Download
memory/2872-194-0x0000020CD0D30000-0x0000020CD0D50000-memory.dmp

Filesize
128KB

Download
memory/4440-184-0x00007FFDDE350000-0x00007FFDDED3C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-149-0x000001D269570000-0x000001D269580000-memory.dmp

Filesize
64KB

Download
memory/4440-100-0x000001D269570000-0x000001D269580000-memory.dmp

Filesize
64KB

Download
memory/4440-99-0x00007FFDDE350000-0x00007FFDDED3C000-memory.dmp

Filesize
9.9MB

Download
memory/4832-12-0x0000028270C00000-0x0000028270C76000-memory.dmp

Filesize
472KB

Download
memory/4832-94-0x00007FFDDE240000-0x00007FFDDEC2C000-memory.dmp

Filesize
9.9MB

Download
memory/4832-84-0x0000028270BC0000-0x0000028270BD4000-memory.dmp

Filesize
80KB

Download
memory/4832-57-0x0000028270970000-0x0000028270980000-memory.dmp

Filesize
64KB

Download
memory/4832-6-0x0000028270910000-0x0000028270932000-memory.dmp

Filesize
136KB

Download
memory/4832-9-0x0000028270970000-0x0000028270980000-memory.dmp

Filesize
64KB

Download
memory/4832-8-0x0000028270970000-0x0000028270980000-memory.dmp

Filesize
64KB

Download
memory/4832-7-0x00007FFDDE240000-0x00007FFDDEC2C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing