Overview

overview

10

Static

static

c486a49001...0b.exe

windows7-x64

10

c486a49001...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2023, 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c486a490014902ef7c1bfbea8b7ca22149da5de3d52fdef46d7e5ea3853a2d0b.exe

  • Size

    383KB

  • MD5

    da722dc2d1f9d50565f559fca222c02e

  • SHA1

    b0b394bb73bd034aee69f8d9180f12559026bd5e

  • SHA256

    c486a490014902ef7c1bfbea8b7ca22149da5de3d52fdef46d7e5ea3853a2d0b

  • SHA512

    68bc25284d42fa1fa9b7916d0ab7b8594276f40e8448e0a488102a10d54720c2a933a7553252a1059b0d085cf5e69499240a27a98301095c28e8558b284a9638

  • SSDEEP

    6144:XMQEWI9VWILS452oxzQj2lzIHgYlYy9JauK4nRVIkvmbWw+QHxG//RnrmJj:8QLI9VWI+4HdjlzMR9jP5irxau

Score
10/10
triumphloaderloadertrojan

Malware Config

Signatures

  • TriumphLoader

    TriumphLoader is a c++ loader based on the open source AbsentLoader.

    trojanloadertriumphloader
  • TriumphLoader payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 8 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c486a490014902ef7c1bfbea8b7ca22149da5de3d52fdef46d7e5ea3853a2d0b.exe
    "C:\Users\Admin\AppData\Local\Temp\c486a490014902ef7c1bfbea8b7ca22149da5de3d52fdef46d7e5ea3853a2d0b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 736
      2⤵
      • Program crash
      PID:792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 776
      2⤵
      • Program crash
      PID:4108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 776
      2⤵
      • Program crash
      PID:4556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 836
      2⤵
      • Program crash
      PID:5036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 900
      2⤵
      • Program crash
      PID:344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1192
      2⤵
      • Program crash
      PID:1512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1228
      2⤵
      • Program crash
      PID:4068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\vlJpjFsNzVaQZTdrdfHw /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\vlJpjFsNzVaQZTdrdfHw /f
        3⤵
          PID:4784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C timeout /t 60 && SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\vlJpjFsNzVaQZTdrdfHw\4Ûnethelper.exe /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 60
          3⤵
          • Delays execution with timeout.exe
          PID:4324
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\vlJpjFsNzVaQZTdrdfHw\4Ûnethelper.exe /F
          3⤵
          • Creates scheduled task(s)
          PID:4312
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1288
        2⤵
        • Program crash
        PID:4720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2340 -ip 2340
      1⤵
        PID:1992
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2340 -ip 2340
        1⤵
          PID:2684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2340 -ip 2340
          1⤵
            PID:1180
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2340 -ip 2340
            1⤵
              PID:4676
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2340 -ip 2340
              1⤵
                PID:3924
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2340 -ip 2340
                1⤵
                  PID:620
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2340 -ip 2340
                  1⤵
                    PID:1400
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2340 -ip 2340
                    1⤵
                      PID:3632

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/2340-132-0x0000000000B17000-0x0000000000B54000-memory.dmp

                      Filesize

                      244KB

                      Download

                    • memory/2340-133-0x0000000000D00000-0x0000000000D7F000-memory.dmp

                      Filesize

                      508KB

                      Download

                    • memory/2340-134-0x0000000000400000-0x0000000000859000-memory.dmp

                      Filesize

                      4.3MB

                      Download

                    • memory/2340-135-0x0000000000B17000-0x0000000000B54000-memory.dmp

                      Filesize

                      244KB

                      Download

                    • memory/2340-136-0x0000000000D00000-0x0000000000D7F000-memory.dmp

                      Filesize

                      508KB

                      Download

                    • memory/2340-137-0x0000000000400000-0x0000000000859000-memory.dmp

                      Filesize

                      4.3MB

                      Download

                    • memory/2340-143-0x0000000000400000-0x0000000000859000-memory.dmp

                      Filesize

                      4.3MB

                      Download

                    • memory/2340-142-0x0000000000B17000-0x0000000000B54000-memory.dmp

                      Filesize

                      244KB

                      Download