Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8ed766a294...dc.dll

windows7_x64

10

8ed766a294...dc.dll

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    183s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21/01/2022, 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ed766a294811e4b1f73ecdb4f2675b41cc50783b31e2c3b546715cbbf4ae5dc.dll

  • Size

    507KB

  • MD5

    f3a8b9bbe9e0e7c8b1e47b241feb0ea1

  • SHA1

    3aa5a1fefe4f4948dc578accb623c4fac5044820

  • SHA256

    8ed766a294811e4b1f73ecdb4f2675b41cc50783b31e2c3b546715cbbf4ae5dc

  • SHA512

    a843494ac8cb268adcb661f3a8e7c1b1c9b68aa001959c4e93b26cc356899da449e6c471b89694efdf351b47ddc64e763d72f053307539c1a54cc27816739837

Score
10/10
squirrelwaffledownloader

Malware Config

Extracted

Family

squirrelwaffle

C2

http://acdlimited.com/2u6aW9Pfe

http://jornaldasoficinas.com/ZF8GKIGVDupL

http://orldofjain.com/lMsTA7tSYpe

http://altayaralsudani.net/SSUsPgb7PHgC

http://hoteloaktree.com/QthLWsZsVgb

http://aterwellnessinc.com/U7D0sswwp

http://sirifinco.com/Urbhq9wO50j

http://ordpress17.com/5WG6Z62sKWo

http://mohsinkhanfoundation.com/pcQLeLMbur

http://lendbiz.vn/xj3BhHtMbf

http://geosever.rs/ObHP1CHt

http://nuevainfotech.com/xCNyTjzkoe

http://dadabhoy.pk/m6rQE94U

http://111

http://sjgrand.lk/zvMYuQqEZj

http://erogholding.com/GFM1QcCFk

http://armordetailing.rs/lgfrZb4Re6WO

http://lefrenchwineclub.com/eRUGdDox

Signatures

  • SquirrelWaffle is a simple downloader written in C++.

    SquirrelWaffle.

    downloadersquirrelwaffle
  • Squirrelwaffle Payload 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ed766a294811e4b1f73ecdb4f2675b41cc50783b31e2c3b546715cbbf4ae5dc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ed766a294811e4b1f73ecdb4f2675b41cc50783b31e2c3b546715cbbf4ae5dc.dll,#1
      2⤵
        PID:2836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 700
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3372

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2836-118-0x0000000003200000-0x00000000032AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/2836-119-0x0000000005290000-0x00000000052A1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2836-120-0x00000000052B0000-0x00000000052C0000-memory.dmp

      Filesize

      64KB

      Download