triumphloader | 6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b

General

Target

6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe
Size

451KB
MD5

e944f222fae6f727f0a7b2e148947c08
SHA1

3e6417b1028234a015c6c3166878fea6fd082985
SHA256

6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b
SHA512

63d7463d1402b125230004aa80921b77bacc926835e719d259963018c2f4ad176874f4014194e7f48df96a276c4bdbdc87d282566387dece95028871cb8356de
SSDEEP

12288:eRtB7ZfsvpaczkUappXQ9cvykBU9QJ3AeQg2Jz8Cv1N:eRt9ZiaSjap1NKZzeBDC9N

Score

10^/10

triumphloader loader trojan

Malware Config

Signatures

TriumphLoader
TriumphLoader is a c++ loader based on the open source AbsentLoader.
trojan loader triumphloader

TriumphLoader payload 4 IoCs

resource	yara_rule
behavioral2/memory/4072-133-0x0000000002BF0000-0x0000000002C6F000-memory.dmp	family_triumphloader
behavioral2/memory/4072-134-0x0000000000400000-0x0000000002B12000-memory.dmp	family_triumphloader
behavioral2/memory/4072-135-0x0000000000400000-0x0000000002B12000-memory.dmp	family_triumphloader
behavioral2/memory/4072-140-0x0000000000400000-0x0000000002B12000-memory.dmp	family_triumphloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1220	4072	WerFault.exe	80
4432	4072	WerFault.exe	80
720	4072	WerFault.exe	80
1448	4072	WerFault.exe	80
4288	4072	WerFault.exe	80
4752	4072	WerFault.exe	80
3952	4072	WerFault.exe	80
3748	4072	WerFault.exe	80
3756	4072	WerFault.exe	80

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1204	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4732	timeout.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4808	4072	6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe	98
PID 4072 wrote to memory of 4808	4072	6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe	98
PID 4072 wrote to memory of 4808	4072	6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe	98
PID 4072 wrote to memory of 1320	4072	6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe	100
PID 4072 wrote to memory of 1320	4072	6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe	100
PID 4072 wrote to memory of 1320	4072	6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe	100
PID 4808 wrote to memory of 4440	4808	cmd.exe	102
PID 4808 wrote to memory of 4440	4808	cmd.exe	102
PID 4808 wrote to memory of 4440	4808	cmd.exe	102
PID 1320 wrote to memory of 4732	1320	cmd.exe	103
PID 1320 wrote to memory of 4732	1320	cmd.exe	103
PID 1320 wrote to memory of 4732	1320	cmd.exe	103
PID 1320 wrote to memory of 1204	1320	cmd.exe	106
PID 1320 wrote to memory of 1204	1320	cmd.exe	106
PID 1320 wrote to memory of 1204	1320	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe
"C:\Users\Admin\AppData\Local\Temp\6e2a2ac4d64d3843e08602f1f10f3bfa4eb6b1433361226cdeffe28f3236812b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 736
  2⤵
  - Program crash
  PID:1220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 756
  2⤵
  - Program crash
  PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 772
  2⤵
  - Program crash
  PID:720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 776
  2⤵
  - Program crash
  PID:1448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 900
  2⤵
  - Program crash
  PID:4288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1172
  2⤵
  - Program crash
  PID:4752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1152
  2⤵
  - Program crash
  PID:3952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1268
  2⤵
  - Program crash
  PID:3748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\feptsGRpndzfEwLdlxVa /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\feptsGRpndzfEwLdlxVa /f
    3⤵
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 60 && SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\feptsGRpndzfEwLdlxVa\¤çnethelper.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 60
    3⤵
    - Delays execution with timeout.exe
    PID:4732
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\feptsGRpndzfEwLdlxVa\¤çnethelper.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:1204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1180
  2⤵
  - Program crash
  PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4072 -ip 4072
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4072 -ip 4072
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4072 -ip 4072
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4072 -ip 4072
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4072 -ip 4072
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4072 -ip 4072
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4072 -ip 4072
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4072 -ip 4072
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4072 -ip 4072
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4072-132-0x0000000002E13000-0x0000000002E4F000-memory.dmp

Filesize
240KB

Download
memory/4072-133-0x0000000002BF0000-0x0000000002C6F000-memory.dmp

Filesize
508KB

Download
memory/4072-134-0x0000000000400000-0x0000000002B12000-memory.dmp

Filesize
39.1MB

Download
memory/4072-135-0x0000000000400000-0x0000000002B12000-memory.dmp

Filesize
39.1MB

Download
memory/4072-140-0x0000000000400000-0x0000000002B12000-memory.dmp

Filesize
39.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads