hxxp://quitpaper[.]esker[.]com/contact-your-vendor[.]html

Analysis

max time kernel
82s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2023, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://quitpaper.esker.com/contact-your-vendor.html

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\esker.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6EAC7407-BC58-11ED-8FFF-DA4DA442263B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31019109"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1157805678"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31019109"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204bd5476550d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\esker.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\esker.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384897331"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1134163062"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31019109"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000044e4569bbeb841a1b4dff1b3f298853eb4ca35395948dce92b2568d0f1a233f000000000e80000000020000200000005583dcc2b419b8887dd6fbdfa6b5df492589099ba51611c522052b8953b953552000000062c557d16d413013706de055595989a89e17b93398a15d12a0ac87de0cf7813f40000000907ec52cfb680fa348da899688ed8fadb6e90517daa706140da1b21ba3da494cf47a2e6d846aad9a7eef87c248bad86865001bda632dc1b0af8b7d98a8dec7c8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e036e8476550d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1134202999"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000003ba619eb4f84dccf17d0190344d8cff24e25ec9e85983312aa4fe14c937bdf4b000000000e80000000020000200000006b30ecff3828a87935c5b41a28658db7899ac103d2eeea64686ce86ec1aa62e5200000009f0d0aead3414c803e7e4afaf5a27432092c5f7823516594b3f577f86ed8954f4000000008884199f02765d8b0a84f185dba40bff4302892c2f4aad088efc9b892da5553425e2ef84cbc8a6c89d33c2c85519061c14e14d43d940979b962b716dfdaccea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3240	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3240	iexplore.exe
3240	iexplore.exe
4316	IEXPLORE.EXE
4316	IEXPLORE.EXE
4316	IEXPLORE.EXE
4316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4316	3240	iexplore.exe	86
PID 3240 wrote to memory of 4316	3240	iexplore.exe	86
PID 3240 wrote to memory of 4316	3240	iexplore.exe	86

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://quitpaper.esker.com/contact-your-vendor.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3240 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
b3ef1b7bb3d391a9de6dcb49989456c4

SHA1
589e0fbc8a7a7df97052bc2590b5c5f583543804

SHA256
7d796294a7e1960e94fd48033bbca1b902061bd949dddfc8822f8c59ec5d3963

SHA512
386879e01372e454385e6ebd27d91bcb6a45e719016dff59d2993927d9d5da80296b3fd02ce3311e11ff1e65e382b01cf604abd799c0d456f6f49a4a3e9dbb2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
bb6708e74ef42fd4b0d0f3c135cf54a7

SHA1
a0afcc4486dcd86ed7da7e78b5486f56b5cd817c

SHA256
2008ee9aa9c39a452c066f6801053e284f11cfbe0ed88e5f24dd830eea380efc

SHA512
a86ed0cffe595e4184bfa7d5aca74ff9230bb068c37ed07531e517c594e4f05ac0100727cc8fbf4ea6e0ff803441d0e9b20c958a4901ec87e5a6db7ac8e4f5a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\jquery-latest.min[1].js

Filesize
54KB

MD5
a9331828c517ac5d97f93b3cfdbcc9bc

SHA1
1be9c3684054001f53fa7ff6d85ec3cb573a9cd2

SHA256
d548530775a6286f49ba66e0715876b4ec5985966b0291c21568fecfc4178e8d

SHA512
403b7c0dc179ee12b85b76885ecb9a16e1e538572ad866a943f404f674dd3ca8c626b1cb2729fb720a6db3eba4e6ac1ac1de875a4d598f1b76337366d33bdba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\munchkin[2].js

Filesize
1KB

MD5
d59e4096b6b551f06e189b1a016fc70a

SHA1
28d94f1f98e84639371266a39607f71d1ed4c63b

SHA256
8de86d71297dc0c8a04caeab00e28f1fcadaa2574558098cccfddd3aa27b8172

SHA512
e6050563bba6a435688ef9b794670e82545b8616786448eb01ae147d12c89787d0500e27d7203cfb81391cf4aa63f46fe4d12e3650bf336fdc52a3d88a03f35b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\insight.min[1].js

Filesize
13KB

MD5
b846c9d158853dd4aa95d3d7407ed8bb

SHA1
2cf0eb02a22e8bd80d19a50a84593420d777d5db

SHA256
f56ccb2db87aacedd9415232e40f80bff9939703df2f9c3f9ec8a092e545349f

SHA512
62e95eed5842d2c4e263b3cd0668af061fd14309db168837bc17d11666d900dd029913b4d774134508e91a6b337a4f28e820da19dccc125262f205596793dbdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\C6PG5B7R.htm

Filesize
52KB

MD5
8409b2a675f1980cb5d635230f00808b

SHA1
2b59ab868498bfa870b323a5f548c5a561d60db3

SHA256
f45aded7e5d0e0efc97c82a3edb2ccdfe141e9654facfaa0cf83bc28fa6ec067

SHA512
43ea5eb53be52592bb2b55bb33842f86ef7d99be4354f455b922e06e4db98409a001428402e6eb2b1b34349b3bb226c63225f2dc45c996c9bef2975f64cae5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/4316-3553-0x000000000E950000-0x000000000EA50000-memory.dmp

Filesize
1024KB

Download