Analysis
- max time kernel: 110s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:19

Static task: static1

Behavioral task: behavioral1
- Sample: ae3a3999c23fb3d49e68f38c64fd903b88ba4758473f12cccb17a1ff566effc5.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: ae3a3999c23fb3d49e68f38c64fd903b88ba4758473f12cccb17a1ff566effc5.dll
- Resource: win10-en-20211208
General
- Target: ae3a3999c23fb3d49e68f38c64fd903b88ba4758473f12cccb17a1ff566effc5.dll
- Size: 507KB
- MD5: 115c075075f7e79de8539f7aa073ad0f
- SHA1: 735486dd33eabd3a1480acd43982f7e576b7f444
- SHA256: ae3a3999c23fb3d49e68f38c64fd903b88ba4758473f12cccb17a1ff566effc5
- SHA512: bb3009a49797c9bca2a4946fc14dbc2896f98480c7919591aaa18b1b232cdc4043730f4fa47df4a5fef743d30016c79e0b6b968a48ba01a7aa6286492cad8d3e
Malware Config
- Extracted: squirrelwaffle
Signatures
- SquirrelWaffle: SquirrelWaffle is a simple downloader written in C++.
- Squirrelwaffle Payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2624-117-0x0000000000B60000-0x0000000000B71000-memory.dmp / squirrelwaffle
  - behavioral2/memory/2624-118-0x0000000000B90000-0x0000000000BA0000-memory.dmp / squirrelwaffle
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  - 3728 / 2624 / WerFault.exe / rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid / process):
  - 3728 / WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeRestorePrivilege / 3728 / WerFault.exe
  - Token: SeBackupPrivilege / 3728 / WerFault.exe
  - Token: SeDebugPrivilege / 3728 / WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 2496 wrote to memory of 2624 / 2496 / rundll32.exe / rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae3a3999c23fb3d49e68f38c64fd903b88ba4758473f12cccb17a1ff566effc5.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae3a3999c23fb3d49e68f38c64fd903b88ba4758473f12cccb17a1ff566effc5.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 708
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2624-115-0x0000000000650000-0x00000000006CE000-memory.dmp (Filesize: 504KB)
- memory/2624-116-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/2624-117-0x0000000000B60000-0x0000000000B71000-memory.dmp (Filesize: 68KB)
- memory/2624-118-0x0000000000B90000-0x0000000000BA0000-memory.dmp (Filesize: 64KB)