Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 22-10-2021 18:12
Static task: static1
Behavioral task: behavioral1
- Sample: 28f4003888bd4b8634f8e5c67f04ccea.dll
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 28f4003888bd4b8634f8e5c67f04ccea.dll
- Resource: win10-en-20210920
General
- Target: 28f4003888bd4b8634f8e5c67f04ccea.dll
- Size: 528KB
- MD5: 412fdeeaa926ada702cd351049516139
- SHA1: 717815a409b374922e7d140d97e796d5eac4732f
- SHA256: ab0a3f2c0b0bace7e066433d4c3e8ad1dc253bb4b394ce504e50f15f43499ac8
- SHA512: 4503abfac1e018860f98a4e0b45d1d2d1e0650d1532bc24603c0555e2b4533fd98d2c79c0905db7d76f4bca8eadd4f3476bc696a684f62c7178e03c71d005869
Malware Config
- Extracted family: squirrelwaffle (list of extracted C2 URLs follows in the original report)
Signatures
- SquirrelWaffle: SquirrelWaffle is a simple downloader written in C++.
- Squirrelwaffle Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1048-59-0x0000000073820000-0x0000000073830000-memory.dmp | squirrelwaffle
  behavioral1/memory/1048-60-0x0000000073820000-0x00000000741B0000-memory.dmp | squirrelwaffle
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1748 wrote to memory of 1048 | 1748 | rundll32.exe | 27
  (the same event is recorded 7 times in the report)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28f4003888bd4b8634f8e5c67f04ccea.dll,#1
  PID: 1748
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28f4003888bd4b8634f8e5c67f04ccea.dll,#1
    PID: 1048