Analysis
max time kernel: 71s
max time network: 101s
platform: windows7_x64
resource: win7-en-20210920
submitted: 21-10-2021 21:00
Static task: static1
Behavioral task: behavioral1
  Sample: a4d7848d13ff3e7119820779f0c7267fdd0962116e41d926240b13a3403eeaea.dll
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: a4d7848d13ff3e7119820779f0c7267fdd0962116e41d926240b13a3403eeaea.dll
  Resource: win10-en-20211014
General
Target: a4d7848d13ff3e7119820779f0c7267fdd0962116e41d926240b13a3403eeaea.dll
Size: 531KB
MD5: 47c0e967f4efba7e10168c48b0547280
SHA1: 57481c839e78f5da675a0442b079a850936c5115
SHA256: a4d7848d13ff3e7119820779f0c7267fdd0962116e41d926240b13a3403eeaea
SHA512: 3227b5cde15cd967cf8ef39e8ec00dc488bcc28e0d2fb81ffafce459dac0e035d195e42270f3a803ee178620559aeb23c4f3bc8545bb365bdb3a5419a74b9174
Malware Config
Extracted: squirrelwaffle
URLs:
http://bostoncarservice.us/ttv8fU9U19
http://payparq-cloud-3513-01.com/bON7gU8BpvAU
http://luckysoxs.com/3FbCi7ej09p
http://payparq-cloud-8799-02.com/0yXFxtYs0Z
http://rjmholding.com/JKu3ByhTE
http://centroparquekrahmer.cl/iXIdCvMk5TD7
http://capaxion.cl/xigRVxm0X
http://bimcrea.cl/CRUKqDjn
http://payparq-cloud-8899-00.com/yeoXYV97
http://18pixels.org/mDZYHjiJi
http://e2eprocess.cl/EUsDZTqM
http://payparq.com/1DT7hrizVB
http://sammlerstore.pe/KKFuUiXVI5
Signatures

SquirrelWaffle
  SquirrelWaffle is a simple downloader written in C++.

Squirrelwaffle Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/524-59-0x0000000073070000-0x0000000073A00000-memory.dmp    squirrelwaffle
  behavioral1/memory/524-58-0x0000000073070000-0x0000000073080000-memory.dmp    squirrelwaffle

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid    Process        procid_target
  PID 1620 wrote to memory of 524      1620   rundll32.exe   28
  PID 1620 wrote to memory of 524      1620   rundll32.exe   28
  PID 1620 wrote to memory of 524      1620   rundll32.exe   28
  PID 1620 wrote to memory of 524      1620   rundll32.exe   28
  PID 1620 wrote to memory of 524      1620   rundll32.exe   28
  PID 1620 wrote to memory of 524      1620   rundll32.exe   28
  PID 1620 wrote to memory of 524      1620   rundll32.exe   28
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4d7848d13ff3e7119820779f0c7267fdd0962116e41d926240b13a3403eeaea.dll,#1
  PID: 1620
  Signatures: Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4d7848d13ff3e7119820779f0c7267fdd0962116e41d926240b13a3403eeaea.dll,#1
      PID: 524