triumphloader | 3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5

General

Target

3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe
Size

368KB
MD5

17358cc82a59b6403afb0ab287ab5629
SHA1

778da0baf186f31b6c7b525fc112bb070514f4b0
SHA256

3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5
SHA512

8a58ef4a5bb03337f785bf2dcf1e212b6f28e5bbb8da906b84e4e1d8b6c4c70e361a4ca1235e1cffab9b5e899e869ee8782ec7e114018a2d1315f09190d6fc89
SSDEEP

6144:NbfDIM2SpQtijNZ9ZtEYB5bY0xRWRrrDJwwD4GizoIVwoeyEE30GLfijJO:Nb0eCy9ZtEwmzaw0GizBi3yEs/Lfq

Score

10^/10

triumphloader loader trojan

Malware Config

Signatures

TriumphLoader
TriumphLoader is a c++ loader based on the open source AbsentLoader.
trojan loader triumphloader

TriumphLoader payload 4 IoCs

resource	yara_rule
behavioral2/memory/2636-133-0x0000000000D70000-0x0000000000DEF000-memory.dmp	family_triumphloader
behavioral2/memory/2636-134-0x0000000000400000-0x0000000000856000-memory.dmp	family_triumphloader
behavioral2/memory/2636-135-0x0000000000400000-0x0000000000856000-memory.dmp	family_triumphloader
behavioral2/memory/2636-141-0x0000000000400000-0x0000000000856000-memory.dmp	family_triumphloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
1604	2636	WerFault.exe	78
2784	2636	WerFault.exe	78
3360	2636	WerFault.exe	78
4864	2636	WerFault.exe	78
1812	2636	WerFault.exe	78
5020	2636	WerFault.exe	78
4108	2636	WerFault.exe	78
2484	2636	WerFault.exe	78

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4452	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2660	timeout.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1880	2636	3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe	94
PID 2636 wrote to memory of 1880	2636	3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe	94
PID 2636 wrote to memory of 1880	2636	3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe	94
PID 2636 wrote to memory of 2108	2636	3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe	96
PID 2636 wrote to memory of 2108	2636	3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe	96
PID 2636 wrote to memory of 2108	2636	3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe	96
PID 1880 wrote to memory of 552	1880	cmd.exe	98
PID 1880 wrote to memory of 552	1880	cmd.exe	98
PID 1880 wrote to memory of 552	1880	cmd.exe	98
PID 2108 wrote to memory of 2660	2108	cmd.exe	99
PID 2108 wrote to memory of 2660	2108	cmd.exe	99
PID 2108 wrote to memory of 2660	2108	cmd.exe	99
PID 2108 wrote to memory of 4452	2108	cmd.exe	103
PID 2108 wrote to memory of 4452	2108	cmd.exe	103
PID 2108 wrote to memory of 4452	2108	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe
"C:\Users\Admin\AppData\Local\Temp\3c38eb510b9a2616b648de7734a8772a9739102599e7e128cc520d8b958b57d5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 740
  2⤵
  - Program crash
  PID:1604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 752
  2⤵
  - Program crash
  PID:2784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 752
  2⤵
  - Program crash
  PID:3360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 808
  2⤵
  - Program crash
  PID:4864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 768
  2⤵
  - Program crash
  PID:1812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1176
  2⤵
  - Program crash
  PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1184
  2⤵
  - Program crash
  PID:4108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\JTfnbnViwUeYbWimRKjE /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\JTfnbnViwUeYbWimRKjE /f
    3⤵
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 60 && SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\JTfnbnViwUeYbWimRKjE\èànethelper.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 60
    3⤵
    - Delays execution with timeout.exe
    PID:2660
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\JTfnbnViwUeYbWimRKjE\èànethelper.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1276
  2⤵
  - Program crash
  PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2636 -ip 2636
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2636 -ip 2636
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2636 -ip 2636
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2636 -ip 2636
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2636 -ip 2636
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2636 -ip 2636
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2636 -ip 2636
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2636 -ip 2636
1⤵
PID:344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-133-0x0000000000D70000-0x0000000000DEF000-memory.dmp

Filesize
508KB

Download
memory/2636-132-0x0000000000AC7000-0x0000000000B04000-memory.dmp

Filesize
244KB

Download
memory/2636-134-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2636-135-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2636-140-0x0000000000AC7000-0x0000000000B04000-memory.dmp

Filesize
244KB

Download
memory/2636-141-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads