0be2467c140a096809775cd9e279f0c0a6d629a73ce666e4ac5205e387e5d0ba | Triage

Analysis

max time kernel
139s
max time network
144s
platform
windows10_x64
resource
win10-en-20211104
submitted
13-11-2021 17:35

Sharing

Report Analysis Logs

General

Target

0be2467c140a096809775cd9e279f0c0a6d629a73ce666e4ac5205e387e5d0ba.dll
Size

66KB
MD5

159f694415b8ef42a8b1073d28531b78
SHA1

bfa3ffe1fa960a42789cae49acee18cfb6844c04
SHA256

0be2467c140a096809775cd9e279f0c0a6d629a73ce666e4ac5205e387e5d0ba
SHA512

40a1720ad7ede3bd4c203a6702691e97c51bfd4797f9df84bae3a36733ac64e6c6e828be9617618db6b50ffed957ce6a0e0eee5b44f8f5b22bd71cf4bea12150

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata

Blocklisted process makes network request 4 IoCs

flow	pid	Process
24	1904	rundll32.exe
30	1904	rundll32.exe
35	1904	rundll32.exe
38	1904	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 1904	3092	rundll32.exe	68
PID 3092 wrote to memory of 1904	3092	rundll32.exe	68
PID 3092 wrote to memory of 1904	3092	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be2467c140a096809775cd9e279f0c0a6d629a73ce666e4ac5205e387e5d0ba.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be2467c140a096809775cd9e279f0c0a6d629a73ce666e4ac5205e387e5d0ba.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads