hxxps://www[.]minetest[.]net

General

Target

https://www.minetest.net

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a08ea58517ffd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375957883"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000461a1a323a482eaf89abb74dd2f0866bdae9877f24a20040d3e6ec4f5767fe1f000000000e800000000200002000000078e3e42be912a17dd1423261fe67d585d4e66313836eb9c6ae0559f2fadf578c9000000039ed19e872a94ab18ee3b6ae3b7c77766b498bfd7f848f3dfa6c5ac19f0f6bf20537a63ed59e508733b9e58db09decff981cce6ea625f560089b54c62c4e6a5da5083c4b1257ce407f57f8b52d9fab560fc05fe412f5a2db213d4e41e205fb8fa48955a686096f283004217e9ae3ca8eb1f73e2a863af18f64db74a9fb33d10122742b2263a408499c50c4dc1b016e6740000000709e636d6cf86bee67b308cb22b64a5b086b7e0a72360a9640f96bb52569357c9ba4b2e7c2178ec6b46f1c536e20f60122d8978375a8d82d513a0afd4e0fd357	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AAB7F161-6B0A-11ED-B78F-CED6325FB9F2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a10000000002000000000010660000000100002000000073465540e1f0a2b27c70fe93cc34ab1bbf76b509f6604914f151c22d4ba908a7000000000e80000000020000200000005ef4f83228a45c58400785c1b8ba81a6133e8be46d5b1adeb306373b78e3d24920000000b8d73ddc4357ab8406e3dfd4e5df5330cb2af5967483477fd824316cd45e2b1740000000c0012c65b7df3306ef46ca44ab828f32cfeb93eac9ea9db57d5927cea5125f1213eef6b4a23b9cf91d43d238557b4a2d3ac0c0ebb5dfab9f84c13e2d045a2cd6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

792 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

792 iexplore.exe
792 iexplore.exe
684 IEXPLORE.EXE
684 IEXPLORE.EXE
684 IEXPLORE.EXE
684 IEXPLORE.EXE

pid	process
792	iexplore.exe

pid	process
792	iexplore.exe
792	iexplore.exe
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 792 wrote to memory of 684	792	iexplore.exe	IEXPLORE.EXE
PID 792 wrote to memory of 684	792	iexplore.exe	IEXPLORE.EXE
PID 792 wrote to memory of 684	792	iexplore.exe	IEXPLORE.EXE
PID 792 wrote to memory of 684	792	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.minetest.net
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:792 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
38facfb6f01cb6888710c33ce0510924

SHA1
3dd91cd296fbdfbb017ab389df9d0a1dee3e6c69

SHA256
2266cd75be1efa8ce3900c17fc274d74eecf498688c60a3ee468693b31b1f7e2

SHA512
74996c4c3a6656d840b9bcfa99c0da7984a514bd79127019ef02ca4e5140f24d236df37b997674dca481b6acbcbd5942bbb03baccfb1737798c7c50813db8068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d267ba04199fb0443165d59ba990ae63

SHA1
ccbc9493fcd3ecb4d7f4aa2267534136caa2dc3e

SHA256
7fca1da7d4bc0773cf9dc34587e2877affaef16611b9ed5f9ee92dfebf895e45

SHA512
07a0bbe650da6c1b80855b19ecaa56d6eba2b74f949fa831993e453ae83657be62f3629484f0efe4af55cea47c89bdb0d0754b551f0d5a60958145e6045129ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
12078bd10047249a8d7176c12104dfb1

SHA1
4dd5a357dbcfd62687bdc74bb6d474381b8fbe70

SHA256
9fed8b6d2f62fa21465ee63fe7fdc3a97059ecc1854525dbdc1a7e0a751f6008

SHA512
672b4d572525bdd4a1e4f9bd257c26fbafa59f88bdd3190796548df3ae9b41953e32d3198f5f7a2ba355f48d11400316a8dbe3a007f73807a9b66082bc513860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1wzfztv\imagestore.dat
Filesize
1KB

MD5
211874703de1934cad28ca813dfd8021

SHA1
cd79d2f080c6f6cb24489f76a857e88c76ff38cd

SHA256
ffd0d95547c9ad441894db725eef2a6c6aa6e05771cf089b58d48e7512230361

SHA512
cdc6dc65304e30f0244affcf12668f08172bfaa5852e75f1fe5485b58ffc56b64fe563a8112a9119cce7f01a62ac994e2d641c7794cd5332e8410712e75875bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\26F1Q9H6.txt
Filesize
608B

MD5
0050a282961fbbfc194f2c9eab288a80

SHA1
0f023ea1d31394aeac86d61a958677a6734f2d50

SHA256
bf9574a62f13c5f6ba808ce7474b1596fb4112dddfe6189695894f596f832a85

SHA512
a1a509bb78aac6dd1f28dcda571438cdaeadba56d0ea6f99a34df2cde144fde8cf3d288375a9df4419e5c53f08c345f205f405d3bf869f103bfc017736fd9a9e

Download Submit

Analysis

Sharing