hxxps://titan[.]mythicmc[.]org/Minecraft%20Launcher[.]exe

General

Target

https://titan.mythicmc.org/Minecraft%20Launcher.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{DD23B2F4-15C6-44DB-B1C5-187CE8EE38CE}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{50C23AD4-D10D-11ED-9F77-FE76446D24E5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
456	iexplore.exe
456	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
456	iexplore.exe
456	iexplore.exe
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 2260	456	iexplore.exe	85
PID 456 wrote to memory of 2260	456	iexplore.exe	85
PID 456 wrote to memory of 2260	456	iexplore.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://titan.mythicmc.org/Minecraft%20Launcher.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:456 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Minecraft Launcher.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Minecraft Launcher.exe"
  2⤵
  PID:4272
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xms256m -Xmx512m -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Minecraft Launcher.exe"
    3⤵
    PID:4896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\Minecraft%20Launcher[1].exe

Filesize
4.4MB

MD5
be214f4374142dfa548ac39eca507e94

SHA1
3e2279a0eb74ae3dcf2d60cd6ed33a3fd45fa304

SHA256
ea04fa0a4191001206744c948dbf1a810a633fd760f699c16b60386c66a6b6b7

SHA512
c16f7b2d8c4fd6b0aad0f4061a8c2b8617f1dc09d696ab6e28ee8e87c661713a5fba34c3916f6477731f36f49ea74cc0c557e73ac05d07807576259eda7c4a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Minecraft Launcher.exe

Filesize
4.4MB

MD5
be214f4374142dfa548ac39eca507e94

SHA1
3e2279a0eb74ae3dcf2d60cd6ed33a3fd45fa304

SHA256
ea04fa0a4191001206744c948dbf1a810a633fd760f699c16b60386c66a6b6b7

SHA512
c16f7b2d8c4fd6b0aad0f4061a8c2b8617f1dc09d696ab6e28ee8e87c661713a5fba34c3916f6477731f36f49ea74cc0c557e73ac05d07807576259eda7c4a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Minecraft Launcher.exe.ilvcmak.partial

Filesize
4.4MB

MD5
be214f4374142dfa548ac39eca507e94

SHA1
3e2279a0eb74ae3dcf2d60cd6ed33a3fd45fa304

SHA256
ea04fa0a4191001206744c948dbf1a810a633fd760f699c16b60386c66a6b6b7

SHA512
c16f7b2d8c4fd6b0aad0f4061a8c2b8617f1dc09d696ab6e28ee8e87c661713a5fba34c3916f6477731f36f49ea74cc0c557e73ac05d07807576259eda7c4a00

Download Submit
memory/4272-146-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4896-202-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-219-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-182-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-188-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-164-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-212-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-216-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-174-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-223-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-224-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-241-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-245-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-249-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-251-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4896-260-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads