Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 20:50 UTC

General

  • Target

    Trojan.Win32.BlackMon.exe

  • Size

    47KB

  • MD5

    384c2ebb4440ee1297dfc815880c3f00

  • SHA1

    a379f436236376ebb4e8ded76e72a2176f42fbd0

  • SHA256

    fb579cab0c840098a956836876b5c936ce65650ac1708f8e59bc1962582d05ac

  • SHA512

    20b65b4d2ea4474caa2a8036b46c7b7f378dd0eac4133b7c0ecb7d56f2d5ce4793d7799471a2801227a6a4f02d0a19a9b8910dd34b0d07f55fb9b013cc465981

  • SSDEEP

    768:9qSqC8+N5ozQQqncwxWmNXMX3cX8tcXmcX8/XrX8/uUjC:9rqfzQQqamN88xjm7c7m

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.BlackMon.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.BlackMon.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Program Files (x86)\f8fd5966\jusched.exe
      "C:\Program Files (x86)\f8fd5966\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2984
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4668,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
    1⤵
      PID:1016

    Network

    • DNS (US), remote address 8.8.8.8:53
      Request: 8.8.8.8.in-addr.arpa IN PTR
      Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
    • DNS (US), remote address 8.8.8.8:53
      Request: 97.17.167.52.in-addr.arpa IN PTR
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53
      Request: 0.159.190.20.in-addr.arpa IN PTR
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53
      Request: 77.190.18.2.in-addr.arpa IN PTR
      Response: 77.190.18.2.in-addr.arpa IN PTR a2-18-190-77.deploy.static.akamaitechnologies.com
    • DNS (US), remote address 8.8.8.8:53
      Request: 95.221.229.192.in-addr.arpa IN PTR
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53
      Request: 133.211.185.52.in-addr.arpa IN PTR
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53
      Request: 50.23.12.20.in-addr.arpa IN PTR
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53
      Request: 198.187.3.20.in-addr.arpa IN PTR
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53
      Request: 18.134.221.88.in-addr.arpa IN PTR
      Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
    • DNS (US), remote address 8.8.8.8:53, process jusched.exe
      Request: elegan_786444.el.funpic.org IN A
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53, process jusched.exe
      Request: griptoloji.host-ed.net IN A
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53
      Request: 172.210.232.199.in-addr.arpa IN PTR
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53, process jusched.exe
      Request: ftp.tripod.com IN A
      Response: ftp.tripod.com IN A 209.202.252.54
    • DNS (US), remote address 8.8.8.8:53
      Request: 54.252.202.209.in-addr.arpa IN PTR
      Response: 54.252.202.209.in-addr.arpa IN PTR ftp.tripod.com
    • DNS (US), remote address 8.8.8.8:53, process jusched.exe
      Request: elegan_786444.el.funpic.org IN A
      Response: (none recorded)
    • DNS (US), remote address 8.8.8.8:53, process jusched.exe
      Request: griptoloji.host-ed.net IN A
      Response: (none recorded)
    Connections (bytes sent / received, packets sent / received; the DNS answer column holds the resolved address where the response was recorded):

    Destination       | Domain                       | Protocol | Process     | Sent  | Received | Pkts sent | Pkts recv | DNS answer
    209.202.252.54:21 | ftp.tripod.com               | ftp      | jusched.exe | 441 B | 367 B    | 9         | 6         |
    209.202.252.54:21 | ftp.tripod.com               | ftp      | jusched.exe | 441 B | 367 B    | 9         | 6         |
    8.8.8.8:53        | 8.8.8.8.in-addr.arpa         | dns      |             | 66 B  | 90 B     | 1         | 1         |
    8.8.8.8:53        | 97.17.167.52.in-addr.arpa    | dns      |             | 71 B  | 145 B    | 1         | 1         |
    8.8.8.8:53        | 0.159.190.20.in-addr.arpa    | dns      |             | 71 B  | 157 B    | 1         | 1         |
    8.8.8.8:53        | 77.190.18.2.in-addr.arpa     | dns      |             | 70 B  | 133 B    | 1         | 1         |
    8.8.8.8:53        | 95.221.229.192.in-addr.arpa  | dns      |             | 73 B  | 144 B    | 1         | 1         |
    8.8.8.8:53        | 133.211.185.52.in-addr.arpa  | dns      |             | 73 B  | 147 B    | 1         | 1         |
    8.8.8.8:53        | 50.23.12.20.in-addr.arpa     | dns      |             | 70 B  | 156 B    | 1         | 1         |
    8.8.8.8:53        | 198.187.3.20.in-addr.arpa    | dns      |             | 71 B  | 157 B    | 1         | 1         |
    8.8.8.8:53        | 18.134.221.88.in-addr.arpa   | dns      |             | 72 B  | 137 B    | 1         | 1         |
    8.8.8.8:53        | elegan_786444.el.funpic.org  | dns      | jusched.exe | 73 B  | 138 B    | 1         | 1         |
    8.8.8.8:53        | griptoloji.host-ed.net       | dns      | jusched.exe | 68 B  | 124 B    | 1         | 1         |
    8.8.8.8:53        | 172.210.232.199.in-addr.arpa | dns      |             | 74 B  | 128 B    | 1         | 1         |
    8.8.8.8:53        | ftp.tripod.com               | dns      | jusched.exe | 60 B  | 76 B     | 1         | 1         | 209.202.252.54
    8.8.8.8:53        | 54.252.202.209.in-addr.arpa  | dns      |             | 73 B  | 101 B    | 1         | 1         |
    8.8.8.8:53        | elegan_786444.el.funpic.org  | dns      | jusched.exe | 73 B  | 138 B    | 1         | 1         |
    8.8.8.8:53        | griptoloji.host-ed.net       | dns      | jusched.exe | 68 B  | 124 B    | 1         | 1         |

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\f8fd5966\f8fd5966

      Filesize

      13B

      MD5

      f253efe302d32ab264a76e0ce65be769

      SHA1

      768685ca582abd0af2fbb57ca37752aa98c9372b

      SHA256

      49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

      SHA512

      1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

    • C:\Program Files (x86)\f8fd5966\jusched.exe

      Filesize

      47KB

      MD5

      b96edbc55bef382cc5aabe9dad9ef899

      SHA1

      620fb8537045bbe40df74bc64682b5cd2e244798

      SHA256

      bf897c294caea216c760c6cfad4a025a767d1a5256c20609b8215ec55e00bfc9

      SHA512

      f0f394f51a4f19c50397c14fa020f2f264b8d8737a89a156d31fb86c23147642c6eda29d0349c5d9f4e08adec307be8526cff1804b1fd908f42b4fd2a50f5baa

    • memory/2984-14-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/2984-20-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/2984-17-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4496-0-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4496-1-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4496-5-0x0000000000401000-0x0000000000406000-memory.dmp

      Filesize

      20KB

    • memory/4496-4-0x00000000005B0000-0x00000000005B3000-memory.dmp

      Filesize

      12KB

    • memory/4496-15-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB