Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

WinTroyBuilder.exe

windows7-x64

7

WinTroyBuilder.exe

windows10-2004-x64

1

Resubmissions

08/02/2023, 04:17

230208-ewg98shb88 1

08/02/2023, 04:10

230208-ervprsge81 7

02/02/2023, 17:55

230202-whhsaagf32 10

Analysis

  • max time kernel
    128s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    08/02/2023, 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WinTroyBuilder.exe

  • Size

    2.8MB

  • MD5

    3d46955ab2275455a983c1c327835366

  • SHA1

    c18655daaaa564c2f4f2932f561f885cb1aff36b

  • SHA256

    9bf03a8f81f0c51e9f1a9cd6016ecccf7443c1559e4e4b44547b8a13521b152a

  • SHA512

    8d28dbc134d78b3ae21bf125a1eab81e6c9ab7d57c5148b3e0ac10dd40b76fe24b6846131f0224fb13d84cb0fe16f8d88cc5c97c5bbea5ec9e00960205c04332

  • SSDEEP

    49152:fOPSa4ZImzdAxZmKLEb+T+VY07d7AidLAbbtwSjugkKNJxeWsoDjLX:fraitzdAfBEa0AiLAbbO0ugk8V

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinTroyBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\WinTroyBuilder.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\Resources\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\Resources\b2e.exe" /bat C:\Users\Admin\AppData\Local\Temp\Resources\inst.bat /exe C:\Users\Admin\Desktop\WinTryo.exe /overwrite /invisible /icon "" /fileversion 1.0.0.0 /description "Made with WinTroyBuilder v1.3" /originalfilename "FreeVBucks.html" /copyright "Copyright © 2023" /productname "WinTroy" /productversion 1.0.0.0 /include "C:\Users\Admin\AppData\Local\Temp\Resources\\git"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Admin\AppData\Roaming\Bat To Exe Converter\GoRC.exe
        "C:\Users\Admin\AppData\Roaming\Bat To Exe Converter\GoRC.exe" /r resource.rc
        3⤵
        • Executes dropped EXE
        PID:1100
      • C:\Users\Admin\AppData\Roaming\Bat To Exe Converter\GoLink.exe
        "C:\Users\Admin\AppData\Roaming\Bat To Exe Converter\GoLink.exe" resource.res
        3⤵
        • Executes dropped EXE
        PID:1600
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" C:\Users\Admin\Desktop
      2⤵
        PID:1312
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1048
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1648
      • C:\Users\Admin\Desktop\WinTryo.exe
        "C:\Users\Admin\Desktop\WinTryo.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D569.tmp\D56A.tmp\D56B.bat C:\Users\Admin\Desktop\WinTryo.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:928
          • C:\Users\Admin\Desktop\git\git.exe
            git.exe C:\Users\Admin\AppData\Roaming/WINT\
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Windows\SysWOW64\taskkill.exe
              "C:\Windows\System32\taskkill.exe" /f /im git.exe
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1588
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKEY_CURRENT_USER\SOFTWARE\Wint /v inst /t REG_SZ /d C:\Users\Admin\Desktop\WinTryo.exe /f
            3⤵
              PID:1092
            • C:\Windows\system32\reg.exe
              reg.exe ADD HKEY_CURRENT_USER\SOFTWARE\Wint /v dcbt /t REG_SZ /d wUF+EPAgre4= /f
              3⤵
                PID:1800
              • C:\Users\Admin\AppData\Roaming\WINT\invrun.exe
                C:\Users\Admin\AppData\Roaming/WINT\invrun.exe
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1028
                • C:\Users\Admin\AppData\Roaming\WINT\WinTroy.exe
                  "C:\Users\Admin\AppData\Roaming\WINT\WinTroy.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1356
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=WinTroy.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:1616
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
                      6⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:1948

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\453B.tmp\resource.RC
            Filesize

            1KB

            MD5

            1af34cb75d0d5b5d4e74451848ae1970

            SHA1

            8850e575e39e5906560f941e2c0114ab495e5777

            SHA256

            6c9e9ebd0dd809c4dfd4fc79609d3f33f94380496a2bebd9d82cce63323a48c8

            SHA512

            0f4562e23e59c044f9913dff023fdf6ae3d8d54b2b5187c1524f5a7ea59196ecadb670e04942c427bd91c4b174a70e660b664960c690e5d0aec974d9e646871c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\453B.tmp\resource.exe
            Filesize

            1KB

            MD5

            aba402635f108196a7799b8b803b4f70

            SHA1

            32be7c62a6aea256629408a6c975f4ff004e1d96

            SHA256

            5e35634e1f5610087b46d291db42e7ca391d07203e7f154a13d12abedc94fad7

            SHA512

            4bd60dd17bd558e58e4893f8b3f7a50b94c117ef65afc3d850fffdf3dd58425251031ab31ac0c2f397e719618b947a46bc65de7fd15e1c8be071a727d5f33bc2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\453B.tmp\resource.res
            Filesize

            676B

            MD5

            f23b20b1d7ae577e2ca9915da2617362

            SHA1

            1a4acd32ffb7e1c19e2e49b39846013702f7babb

            SHA256

            d88d18bafa364b10963ec58c57e2881d3993a1a53f2cb47016d4f46c9146bfd8

            SHA512

            36a960715ef9550cab8744cd5f4f48707abcea1ff42bdb6ffd4eeef05148794e46cb63b2f968b61ad7cb9af93f40d4def88da0cc532623fa44fe109bf7973090

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D569.tmp\D56A.tmp\D56B.bat
            Filesize

            332B

            MD5

            d210300d1a9cafb44e30bc87468c4d5f

            SHA1

            7f837d9027a3a21afed2949e2d1271612162f244

            SHA256

            98464a41bdddc06dba9bb9586b4bf080290e51ebed84eb5ac2c51b3f6eca706f

            SHA512

            1d0aa41b79ab5ab8b7dd67c9c9a75897cde8d922a80e389ec86931439626a7db9cbd8cf9105d160109d5089e2406c7c479e84d3fe9cee5bd0fa34dcc5c14663a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Resources\b2e.exe
            Filesize

            2.0MB

            MD5

            e3d6b93e861feefa47cceeae03e99094

            SHA1

            94ac369ea396c6a4c23ddcfb41cfdfe81ce0b3da

            SHA256

            55df60e09826469e543c090198ac6a12e1269047a88ed698e25e6e62d83ff4c7

            SHA512

            2c00287925dcb22b4babd7c49e9035ccb92b895f123791ef361ff495b08d74fe1e9add54c1fcabd4de3cd396faafeccbae0c750913d911dba6531f51ab126402

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Resources\git\git.exe
            Filesize

            268KB

            MD5

            f47adb7404aa61efe87cd1fd3a003161

            SHA1

            56a605b594a5e480afd3fa06f57b5e31e612ad17

            SHA256

            ea3282590067b5b803e5658a54234fb8597471a675e7d86a2fd0d099774f81a0

            SHA512

            9af1827103b334b82c11a6f50c34cf84bc29955572499b6ffe7ff7ea1cd99c4f0aa55ac742d91040d1eac06c06fd4c8f941cce35bb6d5ecaacb9670c8d0df83a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Resources\git\lib\win32\x86\git2-106a5f2.dll
            Filesize

            918KB

            MD5

            1e96035a0fdd3783414000b12a0c4515

            SHA1

            368bda48b76c08f26a3d7c3521b3a9e8ebb17ed2

            SHA256

            1237de47ec7149ebc8f7e9edc4589a8940a29f39d23f1337b9ed87a96677d6ab

            SHA512

            884040892e89b2d874ffa436fefd6d6a4f998ca4f3044720b638703319b97533329e25fe222d5eb2e757ec12fd574d9d7b5018d54678c403f5fb46bf47283c30

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Resources\inst.bat
            Filesize

            321B

            MD5

            c0db1da7bfd074462f57611714c91ffb

            SHA1

            38dd66e17eb054da69b82207b9a4630761b7b1cf

            SHA256

            6c28b511d5cbed46ffbf9c0868a2827f332456da367d99664f3c9c20429b45ce

            SHA512

            bd30893911f684ea9375b41b287b55090f4cdde5548c027513f9f5feb0bd9e114083a02c0fcffe6a66a670ded5f7aa140a82a58a1dc3fbd1ff6d6593b9d1692d

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Bat To Exe Converter\GoLink.exe
            Filesize

            46KB

            MD5

            cafc4eec8a4f05b8dfee4067fb5b9076

            SHA1

            38f4c66246636e187fe4bf2aa8cb1d9b2502a14c

            SHA256

            1fa554d18490cb5e56d624cd97069f42e63800688136c6cf3c521e4ef6e83e28

            SHA512

            3c3e7c874e6b182aef812a1b593c3b1a3ea6efd5ae99792b88009cb6e6e0cee13c46fc26a1dbb7d73899a2ed01f73779c06d85246fd23edc6bf04fe41e0e133b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Bat To Exe Converter\GoRC.exe
            Filesize

            53KB

            MD5

            f69b0e5f35b5dae1b11b950cff157fb3

            SHA1

            f582f77d036c362f1ec5a0ab11707143cb0c9220

            SHA256

            ed010c50a7ceb43b9666e7fbca13d8377d30b79203207bad77004a890adeea17

            SHA512

            f0ac0b51a80d20148d069a231d50a581e6580ea45adc2d15c15182c9551363e204e119daac544c37ac6d9e93b75ab73e90e9947e7bf3cf86707a5c5645e2750c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\WINT\WinTroy.exe
            Filesize

            409KB

            MD5

            f4d31e85d3f360dbe53c3ab8f8eecf7b

            SHA1

            a9ee07a7cbbb7247b85e8abbf68afa854b603558

            SHA256

            28983cc240a6ef392358b52aea7447cb1ee74966cc77a9248cbfd94c7c08ad70

            SHA512

            c219e345446a3e575ee07700ae07fc33c597a1c0af186d79d9383c0915d35d3f2c38c27f17cf2cd815225816f08f1df8a7bc32d42d66d3fa7eb8be77a5fa111c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\WINT\WinTroy.exe.config
            Filesize

            1KB

            MD5

            9666cb460cdd044561b698c4ffaf7b4e

            SHA1

            f76bdbb3bf4badede4030ccd57fdc054cf4d2757

            SHA256

            8ce2d6a2f5857064267f11c82f9ef87ed6ae84d11968291ed209fdf880328089

            SHA512

            45a278118830c6652a0fcaa695a52b344c132faeaff5d3515e689abba9cf69477c1b3ad5134471886b54f7758f855ab02b7dcbf23e1bbeb02f13ac18cd67db79

            Download Submit

          • C:\Users\Admin\AppData\Roaming\WINT\invrun.exe
            Filesize

            9KB

            MD5

            a28632fcacd4181d170f7eb27a4ae38b

            SHA1

            b66de23dffa88a3d7263a179ee554f6ccaafb928

            SHA256

            2be6375194f84adeec9668366e6a21271336527d1f8ac053947b880a4a9f5659

            SHA512

            32597891d585492fc7bdc9582cb128affd98de20cabb1dc3832e336dee100a5d2a11c5d6681f07a11fe9cbda0b6f47040df4970b25c02355d6ef83b2fb2e2612

            Download Submit

          • C:\Users\Admin\AppData\Roaming\WINT\invrun.exe
            Filesize

            9KB

            MD5

            a28632fcacd4181d170f7eb27a4ae38b

            SHA1

            b66de23dffa88a3d7263a179ee554f6ccaafb928

            SHA256

            2be6375194f84adeec9668366e6a21271336527d1f8ac053947b880a4a9f5659

            SHA512

            32597891d585492fc7bdc9582cb128affd98de20cabb1dc3832e336dee100a5d2a11c5d6681f07a11fe9cbda0b6f47040df4970b25c02355d6ef83b2fb2e2612

            Download Submit

          • C:\Users\Admin\Desktop\WinTryo.exe
            Filesize

            828KB

            MD5

            e33bf1034ad3edaf08d6732f449be96a

            SHA1

            09116e29da02fd0dc20773f91a2979291e3fe6dc

            SHA256

            69c515c134dc7de1ebf3c1e9f278a84f929a126854adec8d7cd50f8445bb3996

            SHA512

            cfd7b1047f1f4a0dc77102b01332f74ec58a7987468b91a46a2db153f29bcf64f7391a25972716271abf006922b2d14e6e7f7ebacdabed7adf7125b9941b3662

            Download Submit

          • C:\Users\Admin\Desktop\git\git.exe
            Filesize

            268KB

            MD5

            f47adb7404aa61efe87cd1fd3a003161

            SHA1

            56a605b594a5e480afd3fa06f57b5e31e612ad17

            SHA256

            ea3282590067b5b803e5658a54234fb8597471a675e7d86a2fd0d099774f81a0

            SHA512

            9af1827103b334b82c11a6f50c34cf84bc29955572499b6ffe7ff7ea1cd99c4f0aa55ac742d91040d1eac06c06fd4c8f941cce35bb6d5ecaacb9670c8d0df83a

            Download Submit

          • C:\Users\Admin\Desktop\git\git.exe
            Filesize

            268KB

            MD5

            f47adb7404aa61efe87cd1fd3a003161

            SHA1

            56a605b594a5e480afd3fa06f57b5e31e612ad17

            SHA256

            ea3282590067b5b803e5658a54234fb8597471a675e7d86a2fd0d099774f81a0

            SHA512

            9af1827103b334b82c11a6f50c34cf84bc29955572499b6ffe7ff7ea1cd99c4f0aa55ac742d91040d1eac06c06fd4c8f941cce35bb6d5ecaacb9670c8d0df83a

            Download Submit

          • C:\Users\Admin\Desktop\git\lib\win32\x86\git2-106a5f2.dll
            Filesize

            918KB

            MD5

            1e96035a0fdd3783414000b12a0c4515

            SHA1

            368bda48b76c08f26a3d7c3521b3a9e8ebb17ed2

            SHA256

            1237de47ec7149ebc8f7e9edc4589a8940a29f39d23f1337b9ed87a96677d6ab

            SHA512

            884040892e89b2d874ffa436fefd6d6a4f998ca4f3044720b638703319b97533329e25fe222d5eb2e757ec12fd574d9d7b5018d54678c403f5fb46bf47283c30

            Download Submit

          • \Users\Admin\AppData\Local\Temp\453B.tmp\resource.exe
            Filesize

            1KB

            MD5

            aba402635f108196a7799b8b803b4f70

            SHA1

            32be7c62a6aea256629408a6c975f4ff004e1d96

            SHA256

            5e35634e1f5610087b46d291db42e7ca391d07203e7f154a13d12abedc94fad7

            SHA512

            4bd60dd17bd558e58e4893f8b3f7a50b94c117ef65afc3d850fffdf3dd58425251031ab31ac0c2f397e719618b947a46bc65de7fd15e1c8be071a727d5f33bc2

            Download Submit

          • \Users\Admin\AppData\Local\Temp\Resources\b2e.exe
            Filesize

            2.0MB

            MD5

            e3d6b93e861feefa47cceeae03e99094

            SHA1

            94ac369ea396c6a4c23ddcfb41cfdfe81ce0b3da

            SHA256

            55df60e09826469e543c090198ac6a12e1269047a88ed698e25e6e62d83ff4c7

            SHA512

            2c00287925dcb22b4babd7c49e9035ccb92b895f123791ef361ff495b08d74fe1e9add54c1fcabd4de3cd396faafeccbae0c750913d911dba6531f51ab126402

            Download Submit

          • \Users\Admin\AppData\Local\Temp\Resources\b2e.exe
            Filesize

            2.0MB

            MD5

            e3d6b93e861feefa47cceeae03e99094

            SHA1

            94ac369ea396c6a4c23ddcfb41cfdfe81ce0b3da

            SHA256

            55df60e09826469e543c090198ac6a12e1269047a88ed698e25e6e62d83ff4c7

            SHA512

            2c00287925dcb22b4babd7c49e9035ccb92b895f123791ef361ff495b08d74fe1e9add54c1fcabd4de3cd396faafeccbae0c750913d911dba6531f51ab126402

            Download Submit

          • \Users\Admin\AppData\Roaming\WINT\WinTroy.exe
            Filesize

            409KB

            MD5

            f4d31e85d3f360dbe53c3ab8f8eecf7b

            SHA1

            a9ee07a7cbbb7247b85e8abbf68afa854b603558

            SHA256

            28983cc240a6ef392358b52aea7447cb1ee74966cc77a9248cbfd94c7c08ad70

            SHA512

            c219e345446a3e575ee07700ae07fc33c597a1c0af186d79d9383c0915d35d3f2c38c27f17cf2cd815225816f08f1df8a7bc32d42d66d3fa7eb8be77a5fa111c

            Download Submit

          • \Users\Admin\Desktop\git\lib\win32\x86\git2-106a5f2.dll
            Filesize

            918KB

            MD5

            1e96035a0fdd3783414000b12a0c4515

            SHA1

            368bda48b76c08f26a3d7c3521b3a9e8ebb17ed2

            SHA256

            1237de47ec7149ebc8f7e9edc4589a8940a29f39d23f1337b9ed87a96677d6ab

            SHA512

            884040892e89b2d874ffa436fefd6d6a4f998ca4f3044720b638703319b97533329e25fe222d5eb2e757ec12fd574d9d7b5018d54678c403f5fb46bf47283c30

            Download Submit

          • memory/992-85-0x00000000753F1000-0x00000000753F3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1124-83-0x0000000140000000-0x00000001403EB000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/1124-67-0x0000000140000000-0x00000001403EB000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/1124-66-0x0000000140000000-0x00000001403EB000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/1124-58-0x00000000006D6000-0x00000000006F5000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1124-56-0x00000000006D6000-0x00000000006F5000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1124-54-0x00000000002E0000-0x00000000005B4000-memory.dmp

            Filesize

            2.8MB

            Download

          • memory/1124-55-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1488-91-0x0000000000F70000-0x0000000000FBA000-memory.dmp

            Filesize

            296KB

            Download

          • memory/1488-92-0x0000000000D60000-0x0000000000DCE000-memory.dmp

            Filesize

            440KB

            Download

          • memory/1648-71-0x00000000039C0000-0x00000000039D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1780-82-0x0000000140000000-0x00000001403EB000-memory.dmp

            Filesize

            3.9MB

            Download

          • memory/1780-69-0x0000000140000000-0x00000001403EB000-memory.dmp

            Filesize

            3.9MB

            Download