triumphloader | 14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044

General

Target

14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe
Size

451KB
MD5

95717067649f46f99fd1a6fdf756d8dc
SHA1

9e83a602c6ac952f23816b5cfca9b5038cc7026a
SHA256

14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044
SHA512

baca39a84299b154b7a065a2ecf4ca1cfe4fb219aaa2315b54fd514b3ea868f5246fe2d7966c2d9bf9ae92e9e523bb8831560b4880b632dfff445aa03e6d0bc6
SSDEEP

12288:f7Z1YxE0qcmh204+2gYEOAF4uwmRilBJo:fLL0qlh9oAF4uw4Kk

Score

10^/10

triumphloader loader trojan

Malware Config

Signatures

TriumphLoader
TriumphLoader is a c++ loader based on the open source AbsentLoader.
trojan loader triumphloader

TriumphLoader payload 5 IoCs

resource	yara_rule
behavioral2/memory/1316-133-0x0000000002DD0000-0x0000000002E4F000-memory.dmp	family_triumphloader
behavioral2/memory/1316-134-0x0000000000400000-0x0000000002B13000-memory.dmp	family_triumphloader
behavioral2/memory/1316-136-0x0000000002DD0000-0x0000000002E4F000-memory.dmp	family_triumphloader
behavioral2/memory/1316-137-0x0000000000400000-0x0000000002B13000-memory.dmp	family_triumphloader
behavioral2/memory/1316-143-0x0000000000400000-0x0000000002B13000-memory.dmp	family_triumphloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4336	1316	WerFault.exe	81
4700	1316	WerFault.exe	81
3460	1316	WerFault.exe	81
2444	1316	WerFault.exe	81
864	1316	WerFault.exe	81
4052	1316	WerFault.exe	81
2128	1316	WerFault.exe	81
948	1316	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1492	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4684	timeout.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1848	1316	14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe	96
PID 1316 wrote to memory of 1848	1316	14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe	96
PID 1316 wrote to memory of 1848	1316	14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe	96
PID 1316 wrote to memory of 4144	1316	14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe	98
PID 1316 wrote to memory of 4144	1316	14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe	98
PID 1316 wrote to memory of 4144	1316	14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe	98
PID 1848 wrote to memory of 1512	1848	cmd.exe	100
PID 1848 wrote to memory of 1512	1848	cmd.exe	100
PID 1848 wrote to memory of 1512	1848	cmd.exe	100
PID 4144 wrote to memory of 4684	4144	cmd.exe	101
PID 4144 wrote to memory of 4684	4144	cmd.exe	101
PID 4144 wrote to memory of 4684	4144	cmd.exe	101
PID 4144 wrote to memory of 1492	4144	cmd.exe	112
PID 4144 wrote to memory of 1492	4144	cmd.exe	112
PID 4144 wrote to memory of 1492	4144	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe
"C:\Users\Admin\AppData\Local\Temp\14e26fcb0564640ced6ab6e7902603f6f2d982671ce2c2381f4820d6bd587044.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 740
  2⤵
  - Program crash
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 756
  2⤵
  - Program crash
  PID:4700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 756
  2⤵
  - Program crash
  PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 808
  2⤵
  - Program crash
  PID:2444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 888
  2⤵
  - Program crash
  PID:864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1188
  2⤵
  - Program crash
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1216
  2⤵
  - Program crash
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\WRYNpmVXcKBNGxJWWqzn /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\NetHelper" /v path /t REG_SZ /d C:\ProgramData\NetHelper\Cache\WRYNpmVXcKBNGxJWWqzn /f
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 60 && SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\WRYNpmVXcKBNGxJWWqzn\¤çnethelper.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 60
    3⤵
    - Delays execution with timeout.exe
    PID:4684
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Create /SC MINUTE /MO 1 /TN "Service for windows Network Helper updates" /TR C:\ProgramData\NetHelper\Cache\WRYNpmVXcKBNGxJWWqzn\¤çnethelper.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:1492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1264
  2⤵
  - Program crash
  PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1316 -ip 1316
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1316 -ip 1316
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1316 -ip 1316
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1316 -ip 1316
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1316 -ip 1316
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1316 -ip 1316
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1316 -ip 1316
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1316 -ip 1316
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-142-0x0000000002CE3000-0x0000000002D20000-memory.dmp

Filesize
244KB

Download
memory/1316-133-0x0000000002DD0000-0x0000000002E4F000-memory.dmp

Filesize
508KB

Download
memory/1316-134-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/1316-135-0x0000000002CE3000-0x0000000002D20000-memory.dmp

Filesize
244KB

Download
memory/1316-136-0x0000000002DD0000-0x0000000002E4F000-memory.dmp

Filesize
508KB

Download
memory/1316-137-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download
memory/1316-132-0x0000000002CE3000-0x0000000002D20000-memory.dmp

Filesize
244KB

Download
memory/1316-143-0x0000000000400000-0x0000000002B13000-memory.dmp

Filesize
39.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads