hxxp://forms[.]soundestlink[.]com

Analysis

max time kernel
90s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2022, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://forms.soundestlink.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5447F3A-871D-11ED-919F-DEE008EA10AF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cf96d42a1bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379044802"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31005482"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000427aa2022786b72012e65b2bec83a08d6cc057e133306693a17cf972cc86df6d000000000e800000000200002000000034ef702427b57c02b2b24ee3c1a9bd74b637fe64be0ff342aa4b5818b914aa122000000090b162db441ebf31520545e19b209473e9f729fa1fcd31bda0d0e5ff7cc56df240000000442733d12521bdb4c93f3f662e9ab5dd6d239631304586852d39e21517d38c6b57ac489c495d446bd52a3f34aea2c830832ded5c61ba403907a3cb64dcf98463	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3386753979"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3407691333"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31005482"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000008cb92aea798c4f52748dae7c74d05fc46857e0d841979d36f84710ea2be53d99000000000e80000000020000200000001511dc06ee53ff2b26883a93bebde1770b0b86fdccd6b60368a754facc348e3d200000002ff87efecb6b4e40b0dd1699e36d9f3e8955d236dab68c92de369180c6f0efd54000000040ebfbf27bee6662449b38dcd52aa29b6964e301b30b8cf8584f28b341beb64d8daacec394d32e9d29b4400b670ad0bfd62da34412b0a96404995e82c7e5e799	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c9b5d42a1bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31005482"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3386753979"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4924	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4924	iexplore.exe
4924	iexplore.exe
5104	IEXPLORE.EXE
5104	IEXPLORE.EXE
5104	IEXPLORE.EXE
5104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 5104	4924	iexplore.exe	83
PID 4924 wrote to memory of 5104	4924	iexplore.exe	83
PID 4924 wrote to memory of 5104	4924	iexplore.exe	83

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://forms.soundestlink.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
f7b6855beb7fde6cdb1a2a9ba9fa6bcd

SHA1
fd947696cabb78e309ad669dff0b980b17818567

SHA256
f1630debcf83e724c695443316dc8ad1abfb9d422e1450edbd3fc87b23f0649d

SHA512
e21c7570af2e3a77ce35f0f4ea4bef6b2a96bb7910a5c84eab60cba45a653b428c92def96f3d9bf393a156ccb901eb9f131eee2b71b91c20c38bf50b9ebe554e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
b390f401dc00150ee32494de0d779b4b

SHA1
ab4e23ac7360f8f593048e492b42b8c585fb43e6

SHA256
8528f9d0c851de51124dd3a9dc7422e3dcb434c1e4e8ec2dfdf4e51d8a47a3fe

SHA512
4d3a71617e890d19206eda3ac25e5b40230066dfedccde5df7ed82b0bde689f6a932a023edafc92284266c8073a57a7cf8b366dc92b22177a8f948d03d2d73bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
b748b752ce44c47c57d3beea2e2bb992

SHA1
8d3ff0c156d8d178514fdbb4ba03302ced6114e6

SHA256
cbd0625f14be564e778d573be06b96b14f05e04f70db1d73796544f66f322e02

SHA512
f694f6eb66c8da62e35da58c03a6d95abb605dc85e4ff618d308783ef25f6df986c9d92f9051e1de82712eda00c920fb109e470c806e43a27f78b829bba1f7bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
d1ad8588133ad8a0ac26d1b3188fb869

SHA1
9d0b954638270e0785c2d2f4aeb7bc0fbc8cdcea

SHA256
c98e353f2ae50383b3a9dbb4b80661fd1f117d003d4660bae0b3f86f6b5ab8a3

SHA512
b4b19a413142f3aef5244d224ce43a83823dee42eab8fa51abf069c8a1c6bbd644693a32c564cce62e21adf473700573fff39df7bcc92bbebec4e11f65892b1a

Download Submit