Overview
overview
9Static
static
9Xy2tools_V...EL.dll
windows7-x64
8Xy2tools_V...EL.dll
windows10-2004-x64
8Xy2tools_V...վ.url
windows7-x64
1Xy2tools_V...վ.url
windows10-2004-x64
1Xy2tools_V...EL.dll
windows7-x64
8Xy2tools_V...EL.dll
windows10-2004-x64
8Xy2tools_V...ssx.js
windows7-x64
1Xy2tools_V...ssx.js
windows10-2004-x64
1Xy2tools_V...(1).js
windows7-x64
1Xy2tools_V...(1).js
windows10-2004-x64
1Xy2tools_V...s/c.js
windows7-x64
1Xy2tools_V...s/c.js
windows10-2004-x64
1Xy2tools_V...ick.js
windows7-x64
1Xy2tools_V...ick.js
windows10-2004-x64
1Xy2tools_V.../ga.js
windows7-x64
1Xy2tools_V.../ga.js
windows10-2004-x64
1Xy2tools_V...sa.htm
windows7-x64
1Xy2tools_V...sa.htm
windows10-2004-x64
1Xy2tools_V...1).gif
windows7-x64
1Xy2tools_V...1).gif
windows10-2004-x64
1Xy2tools_V...at.gif
windows7-x64
1Xy2tools_V...at.gif
windows10-2004-x64
1Xy2tools_V...(1).js
windows7-x64
1Xy2tools_V...(1).js
windows10-2004-x64
1Xy2tools_V...xy2.js
windows7-x64
1Xy2tools_V...xy2.js
windows10-2004-x64
1Xy2tools_V...bal.js
windows7-x64
1Xy2tools_V...bal.js
windows10-2004-x64
1Xy2tools_V...te.exe
windows7-x64
1Xy2tools_V...te.exe
windows10-2004-x64
1Xy2tools_V...ls.exe
windows7-x64
8Xy2tools_V...ls.exe
windows10-2004-x64
8Analysis
-
max time kernel
89s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
27/11/2022, 14:38
Behavioral task
behavioral1
Sample
Xy2tools_V1.020/Ini/SkinH_EL.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
Xy2tools_V1.020/Ini/SkinH_EL.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Xy2tools_V1.020/JZ5Uɫվ.url
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral4
Sample
Xy2tools_V1.020/JZ5Uɫվ.url
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Xy2tools_V1.020/SkinH_EL.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral6
Sample
Xy2tools_V1.020/SkinH_EL.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Xy2tools_V1.020/jsyc/jssx.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
Xy2tools_V1.020/jsyc/jssx.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Xy2tools_V1.020/jsyc/jssx_files/c(1).js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
Xy2tools_V1.020/jsyc/jssx_files/c(1).js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Xy2tools_V1.020/jsyc/jssx_files/c.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral12
Sample
Xy2tools_V1.020/jsyc/jssx_files/c.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Xy2tools_V1.020/jsyc/jssx_files/click.js
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
Xy2tools_V1.020/jsyc/jssx_files/click.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Xy2tools_V1.020/jsyc/jssx_files/ga.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
Xy2tools_V1.020/jsyc/jssx_files/ga.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Xy2tools_V1.020/jsyc/jssx_files/sa.htm
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
Xy2tools_V1.020/jsyc/jssx_files/sa.htm
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Xy2tools_V1.020/jsyc/jssx_files/stat(1).gif
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
Xy2tools_V1.020/jsyc/jssx_files/stat(1).gif
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Xy2tools_V1.020/jsyc/jssx_files/stat.gif
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
Xy2tools_V1.020/jsyc/jssx_files/stat.gif
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Xy2tools_V1.020/jsyc/jssx_files/xy2(1).js
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral24
Sample
Xy2tools_V1.020/jsyc/jssx_files/xy2(1).js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Xy2tools_V1.020/jsyc/jssx_files/xy2.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
Xy2tools_V1.020/jsyc/jssx_files/xy2.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Xy2tools_V1.020/jsyc/jssx_files/yzz_global.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral28
Sample
Xy2tools_V1.020/jsyc/jssx_files/yzz_global.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Xy2tools_V1.020/update.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral30
Sample
Xy2tools_V1.020/update.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Xy2tools_V1.020/xy2tools.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral32
Sample
Xy2tools_V1.020/xy2tools.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
Xy2tools_V1.020/jsyc/jssx_files/stat(1).gif
-
Size
43B
-
MD5
325472601571f31e1bf00674c368d335
-
SHA1
2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
-
SHA256
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
-
SHA512
717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376404886" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009bb47cd97d47ab4bbd071b6358c55fe50000000002000000000010660000000100002000000028dc57d3189a6a30281c2c4b206f8e25c637e3e9b21aeae8ef479d17fd4bb332000000000e8000000002000020000000d2b5f74deeff2d3178ba312e493a90ae5a4b6fc20230560a7cb76fa9e262937890000000ec675bb1d5562085ad0fda519bb30104381a78d95098238497abbbd913025d2e2a16b19bba912c3714c4bfb2d5a60a4cddb894b4f9e9b76e5d05263ac202d96edece06f37712177cfde68f2c6de111b0b2e0657a4ce299571d966b7c0a748567822010c24b1db6005ad7add8bbef8a19eef3a231b94576a764438831e30490d4e6cb38f79077efd51721b857c0558e5240000000fce5fdf4578ae021747020c346e7b515f39373b546358c2483bd32883ed1d10cc64b451e03a61275134eb92a4f0dd4beaba4e10b93a639a5563b1128f9dfc3b2 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6312CCD1-6F1B-11ED-AA01-6AB3F8C7EA51} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009bb47cd97d47ab4bbd071b6358c55fe500000000020000000000106600000001000020000000750abc434b19e0583c49f80875a0a2ca940aa74d7e4bf4f5d0b61e742874195b000000000e8000000002000020000000358e04ba49692e18069c93869981a9dcd1ec2b5ae4d6358aa0b3b2e61b56a3662000000079c5e46a5ff3e4cf5f1e8848c05f869a16f1ead709ca5b116b051eced965ddad40000000d24298eec400f9f8d16e124573abd31661e471756e4e0e13ace50415ccef0e4170344b501a2280604f3c61f8342898fb1df448ce6136581b6d060d55cc7c34a9 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f019cb382803d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 896 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 896 iexplore.exe 896 iexplore.exe 468 IEXPLORE.EXE 468 IEXPLORE.EXE 468 IEXPLORE.EXE 468 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 896 wrote to memory of 468 896 iexplore.exe 29 PID 896 wrote to memory of 468 896 iexplore.exe 29 PID 896 wrote to memory of 468 896 iexplore.exe 29 PID 896 wrote to memory of 468 896 iexplore.exe 29
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xy2tools_V1.020\jsyc\jssx_files\stat(1).gif1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:468
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
608B
MD51ce5ff5f273ee0f4089feebb9107c5dd
SHA1be0f7a2ddc7cb3165d3c1ed3061401e0b08f6057
SHA2561523d2dfe2d577477c074860ab49bb0c33b97d60af1bb0006c843cdf11b897d3
SHA512f08a17d4a2ce05b20d9caf35299ffed65b7caf032adef659bb1b11d6a6ba85204d92e6cb2736174f0f9e68b8daf063a2333e2107911f20c26168fcc7daf5caf7