Overview

overview

10

Static

static

54da392d72...9b.exe

windows7-x64

10

54da392d72...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2023, 15:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54da392d7204459210bc5035f612f5f7294973de31fc635e2cfc3af40c72aa9b.exe

  • Size

    383KB

  • MD5

    7273b9a307d1761e38b0cceac3281217

  • SHA1

    a86108e33b221c84ec59c61b8a37febe2a8bbba8

  • SHA256

    54da392d7204459210bc5035f612f5f7294973de31fc635e2cfc3af40c72aa9b

  • SHA512

    62b0dc9696ba720af607acd48337a3273d32702f0cef841f4eac8bd355e3474bef0192baa734f2dae49fcf7fc0376a8489813a68b873f93c55227b64e85dcced

  • SSDEEP

    6144:S+LBazVtCLeY8gHvizRzoSWAB2gAoasce2rr2uXGuh0J9c/DWsHnZnB:dLBazVtCyYNHuoSWzgAbXuuhRz5

Score
10/10
triumphloaderloadertrojan

Malware Config

Signatures

  • TriumphLoader

    TriumphLoader is a c++ loader based on the open source AbsentLoader.

    trojanloadertriumphloader
  • TriumphLoader payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54da392d7204459210bc5035f612f5f7294973de31fc635e2cfc3af40c72aa9b.exe
    "C:\Users\Admin\AppData\Local\Temp\54da392d7204459210bc5035f612f5f7294973de31fc635e2cfc3af40c72aa9b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 736
      2⤵
      • Program crash
      PID:4748
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 756
      2⤵
      • Program crash
      PID:1520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 756
      2⤵
      • Program crash
      PID:808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 832
      2⤵
      • Program crash
      PID:1704
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 900
      2⤵
      • Program crash
      PID:384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1184
      2⤵
      • Program crash
      PID:1944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1196
      2⤵
      • Program crash
      PID:548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1228
      2⤵
      • Program crash
      PID:4992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\RUVlPfJcLdVHOrdtSSCc /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\RUVlPfJcLdVHOrdtSSCc /f
        3⤵
          PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C timeout /t 60 && SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\RUVlPfJcLdVHOrdtSSCc\4Ûnethelper.exe /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 60
          3⤵
          • Delays execution with timeout.exe
          PID:3868
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\RUVlPfJcLdVHOrdtSSCc\4Ûnethelper.exe /F
          3⤵
          • Creates scheduled task(s)
          PID:3944
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1620
        2⤵
        • Program crash
        PID:4900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2480 -ip 2480
      1⤵
        PID:1348
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2480 -ip 2480
        1⤵
          PID:4908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
          1⤵
            PID:4468
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2480 -ip 2480
            1⤵
              PID:1972
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2480 -ip 2480
              1⤵
                PID:2656
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2480 -ip 2480
                1⤵
                  PID:4088
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2480 -ip 2480
                  1⤵
                    PID:632
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2480 -ip 2480
                    1⤵
                      PID:1720
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2480 -ip 2480
                      1⤵
                        PID:5032

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/2480-133-0x0000000000AC0000-0x0000000000B3F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/2480-132-0x0000000000B97000-0x0000000000BD4000-memory.dmp

                        Filesize

                        244KB

                        Download

                      • memory/2480-134-0x0000000000400000-0x0000000000859000-memory.dmp

                        Filesize

                        4.3MB

                        Download

                      • memory/2480-135-0x0000000000400000-0x0000000000859000-memory.dmp

                        Filesize

                        4.3MB

                        Download

                      • memory/2480-140-0x0000000000B97000-0x0000000000BD4000-memory.dmp

                        Filesize

                        244KB

                        Download

                      • memory/2480-141-0x0000000000400000-0x0000000000859000-memory.dmp

                        Filesize

                        4.3MB

                        Download