triumphloader | fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24

Analysis

max time kernel
91s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2023, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe
Size

1.0MB
MD5

cc7b823c32c5f355e0d81389c14a433e
SHA1

7d393e46bbbc869b11eae612009b6aa0f4cd453c
SHA256

fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24
SHA512

4708a421f1414e42c11ed8abe5271f031d1b923ac89f8abde7102964be92b002528c11ef8e75975d7e2bd4472d162f7e4701d257554614e13a40358ecac1b643
SSDEEP

12288:pfAWb05a/N5c4SeAjKPDKXXhzfNwaW8wkEsI0mhyUQU8Uj0:ee00YKPDSzfAkmdbQP

Score

10^/10

triumphloader loader trojan

Malware Config

Signatures

TriumphLoader
TriumphLoader is a c++ loader based on the open source AbsentLoader.
trojan loader triumphloader

TriumphLoader payload 4 IoCs

resource	yara_rule
behavioral2/memory/4848-134-0x0000000000400000-0x000000000050B000-memory.dmp	family_triumphloader
behavioral2/memory/4848-135-0x0000000000400000-0x000000000050B000-memory.dmp	family_triumphloader
behavioral2/memory/4848-137-0x0000000000400000-0x000000000050B000-memory.dmp	family_triumphloader
behavioral2/memory/4848-142-0x0000000000400000-0x000000000050B000-memory.dmp	family_triumphloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3572	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2092	timeout.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4236	4848	fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe	87
PID 4848 wrote to memory of 4236	4848	fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe	87
PID 4848 wrote to memory of 4236	4848	fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe	87
PID 4848 wrote to memory of 4896	4848	fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe	89
PID 4848 wrote to memory of 4896	4848	fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe	89
PID 4848 wrote to memory of 4896	4848	fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe	89
PID 4236 wrote to memory of 4240	4236	cmd.exe	91
PID 4236 wrote to memory of 4240	4236	cmd.exe	91
PID 4236 wrote to memory of 4240	4236	cmd.exe	91
PID 4896 wrote to memory of 2092	4896	cmd.exe	92
PID 4896 wrote to memory of 2092	4896	cmd.exe	92
PID 4896 wrote to memory of 2092	4896	cmd.exe	92
PID 4896 wrote to memory of 3572	4896	cmd.exe	94
PID 4896 wrote to memory of 3572	4896	cmd.exe	94
PID 4896 wrote to memory of 3572	4896	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe
"C:\Users\Admin\AppData\Local\Temp\fcf2e23185fd23aa0a3584cabb77d534a9f42dda67c2ab784b3c9ddafe774d24.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\KDUtGtVYaTvIzxIYVzxI /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\KDUtGtVYaTvIzxIYVzxI /f
    3⤵
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 60 && SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\KDUtGtVYaTvIzxIYVzxI\xônethelper.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 60
    3⤵
    - Delays execution with timeout.exe
    PID:2092
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\KDUtGtVYaTvIzxIYVzxI\xônethelper.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4848-132-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4848-133-0x00000000025D0000-0x00000000026C3000-memory.dmp

Filesize
972KB

Download
memory/4848-134-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4848-136-0x00000000025D0000-0x00000000026C3000-memory.dmp

Filesize
972KB

Download
memory/4848-135-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4848-137-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4848-142-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads