7350e4610fd476ec7d36aa495e46e9c20a036d8592339649918711a70b987c04

Analysis

max time kernel
101s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/05/2023, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

particle_levelupfinally.xml
Size

2KB
MD5

4f643acbdba37cb1c70b97906b05b4e3
SHA1

a683f1ed88b45a5650869fb6116d4f4a9200d830
SHA256

1bb0810967a64e18fe5e3f292346c756c1d58aede52f163ca2e62bf0dc0883a7
SHA512

b057df1acd46c33f3085aacfdc0f8276ee952ef131e27bc33bac6964e4b3f0f0fc56d6b60e35ce412ce1bec93a6af984d3a2ef4fea06bf0bcef8a130de5b6602

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392106295"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1ECF0361-FDE9-11ED-90D3-5E76FDCFC840} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f644f6f591d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002c11879f89b8fc46b6d6487fa27f7f9b000000000200000000001066000000010000200000004b4a7fcaf2d6f289201fbb21fdbba7d8a3bc3db7af388338fdd07349ccf7b982000000000e8000000002000020000000964703872a126186e3a0fdb393983846a831a72a6eae8019867b2d4d03c3934990000000a55b80a7ec3c5efa3aeae57ba412be4f698bb683be6a8237ea70e7033d3cecf854ba61eb53cadb564fac1a3bc93a77a61d6abb1a4c68da8893211a55cf8032884facb34991e7235e0fd55a9fa150f966edb1d5880c142f57b7cd5c6af7995a14093653263cc1b2d48858c96f8a538f4a8c87997f5caa9fec6518f8c9243efe9242c73c0166a0e0aae215c1bbf67beddd40000000d27f69f94be071006e669d42a97ec1475e09b263c4adbd060ff5c531c6d6acb3b72b611a9bfbbfde94b0883e355ab790694b121e5d261f47485967d51a68e0d5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002c11879f89b8fc46b6d6487fa27f7f9b000000000200000000001066000000010000200000004690c6c9e4d237bac941d38566867091f143eadaf93cc56a098465d65e645f3a000000000e8000000002000020000000b05ee2f90e109735752d682f5780c85720c12d1afbd47e78be5c164da71674f4200000001237ffd83ab7d96d3c24daef31c5272105f522a14d4395e03824d62679fd3132400000002b342f1a16601689c78f76154faeab90fba0a2a7d3c723721896c3fa40b83921353a8b3ee9e5f0f6651180a88a669375466424c332142062b68ad608553baf25	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
560	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
560	IEXPLORE.EXE
560	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1632	1820	MSOXMLED.EXE	29
PID 1820 wrote to memory of 1632	1820	MSOXMLED.EXE	29
PID 1820 wrote to memory of 1632	1820	MSOXMLED.EXE	29
PID 1820 wrote to memory of 1632	1820	MSOXMLED.EXE	29
PID 1632 wrote to memory of 560	1632	iexplore.exe	30
PID 1632 wrote to memory of 560	1632	iexplore.exe	30
PID 1632 wrote to memory of 560	1632	iexplore.exe	30
PID 1632 wrote to memory of 560	1632	iexplore.exe	30
PID 560 wrote to memory of 1460	560	IEXPLORE.EXE	31
PID 560 wrote to memory of 1460	560	IEXPLORE.EXE	31
PID 560 wrote to memory of 1460	560	IEXPLORE.EXE	31
PID 560 wrote to memory of 1460	560	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\particle_levelupfinally.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dbf9d0089d3b5aa53ec1cbbc0be914b4

SHA1
eb134bd06508cf7a517de2e6693af055b42da40b

SHA256
4a977d0c097016b181799ecab23310c2b11443ff5a0896fafda41f102a53b6ca

SHA512
fdc6f3eb912711c8238f6b9a4cbd971d1e56993a0e1666e1486c2d361860d87f48b78f1cdf3bc6ecb39fb0d7d42a3f0b5e7928111a2b973552c143727c5747f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4b10a16be4ef807ee67f089b0bc86888

SHA1
6e846fdd93f3808c1a31f7ca1d19431272cbb0d3

SHA256
e94c5d9589c0bb77b4060ab71baba72c26a0936e22c4b084a1ce6e258210b323

SHA512
512fe90136a3f2bf5c482b88afd1b65538d883574eeccfd62b93314a41f9e78296ed8ff8b922fd0471cd484e4a394b9c1af3a2b74bedbd97de9478fdf0b01394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dda43a928280c704b10b1098370ebbb3

SHA1
bfb73d8dd6eedcced70ee170fde095a79750e335

SHA256
83ae9add6626d57e8f6ed7fd8ee78288bcc30c83dd7de88759a97284c8268dea

SHA512
8efa3ddc47e7dcc3eb88a3d6dc82d04daa61acc88ebc38dc2bb6c38891f2c80f7edbb4423149cf8b17fa91fd7b556d3ff04454b502af7bfeed25acff99ea3146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4de652aa1de4dd10c246b20fac88227e

SHA1
2403ed22e966df34cd85b69fcb86bc5b0854c168

SHA256
9570daecd74d3c1d04b38c11ff7a4076e217181dfc98d7d3c4a5c7560ba7b55e

SHA512
e2b03565c30aa976b257c970421749b7a1a0dbc48446f7d04dae00253bc3a7fb55396c96ee9f4b397809801b94b88e136cac3c4ff143f82ae241db16569f4202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f49969c13dd21ce800e2ecfa95c3634f

SHA1
fa90363df98bbc5f2f711c2f474197863d953961

SHA256
d8f77fe0a5408e56c61abef78ea42cc0670d8826b55dad5f22936b63bd7786b8

SHA512
535509d230007e60da1e49a8b6797cafe9ccf9c0c9229778ab88dbaadece5a7f298a717c696a8fcd622a7f0b1b678c76ef15712e7e1590bdb346e35104817680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
99873295a23e43bd8ddba11949ba4388

SHA1
07e29b55ae8466419685061d71ee61322903255a

SHA256
196561c700e411cbed09150fcef558d6c0f52e5eac3876c051e86a3f2776491a

SHA512
adda77682f64183320de494c74af8f097bf352595bdfab169dc7a93f6c50c8d77f1e86d8640b07651dbfd9f1aba04ead5b6d99915f358d1afec4d07a4bf97fc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8130747b642f14af3f608590d219e569

SHA1
e5ca9a97e242a413af1d84e1d94d8ac3bdcbadba

SHA256
74e727dde099679d1f860a8e2e4df5cbf7a978fbd2f6780c9e2a9b98530ccc8d

SHA512
50c1d567d8917afc26021463c201a71d6eff99419f6edcb81b5954116fdbf742d89f720a71fe15bba1c0bea642407a792f2b09340be57666661bb746c89e3dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
50ef9cef30bd783a6dbbe9f6e4792d7f

SHA1
2448b806eba3b82b57487c856046d80afefea22a

SHA256
4f5ee87c54c2a3b11e3a2d7372fb88ef059620bf45960b3745667f615f4e716c

SHA512
70ce43aa53f20b3e05e549decf354b57b55e9acd89c00cfda57e4570ad06943f860352e62bdc5cb71a41b2ba82d5689d0c40c1e5cc5b9b8d6b316317c071c661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9651a23593008c8c2e2ab9eb473112e9

SHA1
fc5148124cf14a3226263c198c7a1a230717afcb

SHA256
5fcdc6eb4e09e78e4d363e36a79ee6048a8b6a23d1d3d51241ae7ea740cc12b2

SHA512
e137a00300bd28cdb57b4cb4575f3812ca0e5340454f329b703de308452b1b7f369b0536040f17b045a75de973822ab2574e9eadb6253fc5f6ea4d408cb2d684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5821.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5952.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JI1NOHNZ.txt

Filesize
601B

MD5
3b49ee0d760434ac1a7435f3aa5b0928

SHA1
3fb515cdc6eb7f36cfd086a4cd816adcd1c8396f

SHA256
770d2412d2c157c391f544ca1a7a24c67f6d33c0c26a8c679adf3c334ee7ac99

SHA512
7d916a23073a0473d4f78b114c2fb193a8aff91807ea28715dfb2ecdd04567dfccc4461b335e97bbf6767e9db86ed1c33bfd5359caa52b10f8d6d18fe2886d78

Download Submit