Overview

overview

10

Static

static

029b714502...39.dll

windows10_x64

10

061dfb6a25...52.dll

windows10_x64

10

06d55f75d7...d2.dll

windows10_x64

10

24401ac43b...65.dll

windows10_x64

3

260e2d5769...40.dll

windows10_x64

10

26cd036960...18.dll

windows10_x64

10

2a0a88a2e5...4a.dll

windows10_x64

3

2f33217d51...94.dll

windows10_x64

10

336cdd146b...da.dll

windows10_x64

10

417c1828d9...73.dll

windows10_x64

10

4d3095c796...ee.dll

windows10_x64

10

54e526fe05...4c.dll

windows10_x64

1

6402b33d72...3b.dll

windows10_x64

10

64c044cb3e...db.dll

windows10_x64

10

671f477c30...4e.dll

windows10_x64

10

67785724b6...ce.dll

windows10_x64

3

6c6934613a...fb.dll

windows10_x64

10

6f63742c25...fd.dll

windows10_x64

10

813a9b03c6...48.dll

windows10_x64

10

839ac59a78...e3.dll

windows10_x64

10

85d0b72fe8...39.dll

windows10_x64

10

a34cb4049e...c4.dll

windows10_x64

10

a55c19c552...60.dll

windows10_x64

10

a98e988f03...48.dll

windows10_x64

10

acc31f97c3...27.dll

windows10_x64

10

b194eec1e5...c7.dll

windows10_x64

10

bac73f9cce...00.dll

windows10_x64

10

c5d2f0da18...0c.dll

windows10_x64

10

d559ee0a26...7e.dll

windows10_x64

1

db5276c0d5...79.dll

windows10_x64

10

e5efde9740...15.dll

windows10_x64

10

fe028e6f99...1c.dll

windows10_x64

10

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

  • max time kernel
    335s
  • max time network
    3728s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    31-10-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb.dll

  • Size

    439KB

  • MD5

    22aef4558853a72dd07ff9513a6b9dbf

  • SHA1

    52a914b43dfa44910ab649be77a57db631d038ee

  • SHA256

    64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb

  • SHA512

    550f72f4d6186869893b2dc6536b3ce9bcb7843b0db726a1d9fb118291b1e96d642dfb57369b85ff58c41b38d6c40f6853d1da752f589aa419cb1f4d35381be4

Score
10/10
squirrelwaffledownloader

Malware Config

Extracted

Family

squirrelwaffle

C2

http://deanandwilconstruction.com/UXEvfuIlhws

http://arimeto.lv/Nm70oAfwB

http://gitamschool.com/oZbs0Oqw7uv

http://eresourcesmoneymarket.com/JbVwdgaV6l

http://flyershipmanager.com/SGAsORYsywt
Attributes
  • blocklist

    94.46.179.80

    206.189.205.251

    88.242.66.45

    85.75.110.214

    87.104.3.136

    207.244.91.171

    49.230.88.160

    91.149.252.75

    91.149.252.88

    92.211.109.152

    178.0.250.168

    88.69.16.230

    95.223.77.160

    99.234.62.23

    2.206.105.223

    84.222.8.201

    89.183.239.142

    5.146.132.101

    77.7.60.154

    45.41.106.122

    45.74.72.13

    74.58.152.123

    88.87.68.197

    109.70.100.25

    185.67.82.114

    207.102.138.19

    204.101.161.14

    193.128.108.251

    111.7.100.17

    111.7.100.16

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

    downloadersquirrelwaffle
  • Squirrelwaffle Payload 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb.dll,#1
      2⤵
        PID:1908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 700
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:892

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1908-118-0x0000000000000000-mapping.dmp

      Download

    • memory/1908-119-0x0000000003150000-0x000000000329A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1908-120-0x0000000005100000-0x0000000005114000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1908-121-0x0000000005130000-0x0000000005142000-memory.dmp

      Filesize

      72KB

      Download