
Windows Analysis Report
Squirrel.exe

Overview

General Information

Sample Name:Squirrel.exe
Analysis ID:576539
MD5:6f4893f0ff0fb87d8a2fe0be84f13367
SHA1:f0b8c998d0568d92d49b6dcf55b90357bb3d301b
SHA256:4f1055adb04b195eaf805e68b3e897c80bad818d9786951e16236c079bd811b3

Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Allocates memory with a write watch (potentially for evading sandboxes)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage

Classification

Classification label: clean (score 5 of 100). Verdict scale: clean, suspicious, malicious. Categories the classifier reports on: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner.

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • Squirrel.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\Squirrel.exe" MD5: 6F4893F0FF0FB87D8A2FE0BE84F13367)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched

Signature results (no malicious signatures matched; all signature evidence follows)

Source: Squirrel.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Squirrel.exe; File created: C:\Users\user\Desktop\SquirrelSetup.log
Source: Squirrel.exe; Static PE information: certificate valid
Source: Squirrel.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstandard.pdb.mdb; source: Squirrel.exe
Source: Binary string: PresentationCore.pdb; source: Squirrel.exe, 00000000.00000002.602099722.0000000006510000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Squirrel.exe; Code function: 4x nop then jmp 017789E1h (reported twice)
Source: C:\Users\user\Desktop\Squirrel.exe; Code function: 4x nop then jmp 0177BE5Eh
The 0177xxxxh addresses lie outside the mapped image (the image dumps are at 0x00C82000 and 0x00EA8000); in a .NET process, nop padding followed by a jmp in runtime-allocated memory is the alignment the JIT emits, not hand-written shellcode.
Source: Squirrel.exe, 00000000.00000002.620692450.0000000008E4C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://my.netscape.com/publish/formats/rss-0.91.dtd
Source: Squirrel.exe, 00000000.00000002.620692450.0000000008E4C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Squirrel.exe, 00000000.00000002.620692450.0000000008E4C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Squirrel.exe, 00000000.00000002.602859050.0000000006889000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#SignedProperties
Source: Squirrel.exe, 00000000.00000002.602859050.0000000006889000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#bhttp://uri.etsi.org/01903/v1.2.2#SignedProperties
Source: Squirrel.exe, 00000000.00000002.602859050.0000000006889000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#yHKEY_LOCAL_MACHINE
Source: Squirrel.exe; String found in binary or memory: https://api.github.com/
Source: Squirrel.exe; String found in binary or memory: https://api.github.com/#
Source: Squirrel.exe; String found in binary or memory: https://github.com/myuser/myrepo
Source: Squirrel.exe; String found in binary or memory: https://pipe.int.trafficmanager.net/Collector/3.0/
The RSS 0.91 DTD, SOAP/WSDL and uri.etsi.org (XAdES) strings are XML namespace identifiers carried by the .NET framework libraries in memory, not endpoints the process talks to; the report records no contacted domains or IPs for this run.
Source: Squirrel.exe; Binary or memory string: originalFileName vs Squirrel.exe
Source: Squirrel.exe, 00000000.00000002.606013291.0000000007F00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: get_OriginalFilename vs Squirrel.exe
Source: Squirrel.exe, 00000000.00000002.606013291.0000000007F00000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: originalFilename vs Squirrel.exe
Source: Squirrel.exe, 00000000.00000000.376250835.0000000000C82000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: originalFileName vs Squirrel.exe
Source: Squirrel.exe, 00000000.00000000.376660075.0000000000EA8000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameUpdate.exe@ vs Squirrel.exe
Source: Squirrel.exe; Binary or memory string: OriginalFilenameUpdate.exe@ vs Squirrel.exe
The version resource names the file Update.exe (Squirrel's updater) while the analysed file is called Squirrel.exe; that mismatch is all the "Sample file is different than original file name" signature reports.
Source: Squirrel.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 icon resources)
Source: C:\Users\user\Desktop\Squirrel.exe; Code function: 0_2_00C85555
0x00C85555 lies inside the mapped image. For a managed assembly the .text section holds IL and metadata rather than native code, so a crypto-constant heuristic firing at that address carries little weight.
Source: C:\Users\user\Desktop\Squirrel.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Squirrel.exe; File read: C:\Users\user\Desktop\Squirrel.exe
Source: Squirrel.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Squirrel.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Squirrel.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9326B03-E51D-43A3-9394-9B8ECCDBAD9B}\InprocServer32
Source: Squirrel.exe; String found in binary or memory: a=|process-start-args=
Source: Squirrel.exe; String found in binary or memory: Couldn't start the app, will do a force-install...
Source: Squirrel.exe; String found in binary or memory: squirrel-install
Source: Squirrel.exe; String found in binary or memory: meeting-addin-install-logs.txt
Source: Squirrel.exe; String found in binary or memory: meeting-addin
Source: Squirrel.exe; String found in binary or memory: *meeting-addin-install-logs*
Source: Squirrel.exe; String found in binary or memory: presence-addin-install-logs.txt
Source: Squirrel.exe; String found in binary or memory: CheckAndTryDeleteInstallSource: MSI uninstall initiated, but no MSI-installed Teams found. Quitting
Source: Squirrel.exe; String found in binary or memory: --squirrel-install
Source: Squirrel.exe; String found in binary or memory: Update.exe not found, not a Squirrel-installed app?
Source: Squirrel.exe; String found in binary or memory: Failed to invoke post-install
Source: Squirrel.exe; String found in binary or memory: --squirrel-install {0}
Source: Squirrel.exe; String found in binary or memory: " --processStart "Teams.exe" --process-start-args "--system-initiated"
Source: Squirrel.exe; String found in binary or memory: b=|baseUrl={Provides a base URL to prefix the RELEASES file packages with-a=|process-start-args=iArguments that will be used when starting executable-l=|shortcut-locations=
Source: Squirrel.exe; String found in binary or memory: maxCount%cannotDeleteOldAppgFailed to install (folder locked). App was started.eCouldn't start the app, will do a force-install...#processStartError
Source: Squirrel.exe; String found in binary or memory: ((?=^[ ]{{0,{0}}}[^ \t\n])|\Z) # Lookahead for non-space at line-start, or end of doc
Source: Squirrel.exe; String found in binary or memory: N!squirrel-install3Starting automatic update7Failed to check for updates5Failed to download updates/Failed to apply updates9Failed to set up uninstaller=meeting-addin-install-logs.txtYUninstalling Teams meeting addin for OutlookwSoftware\Microsoft\Office\Outlook\Addins\TeamsAddin.Connect
Source: Squirrel.exe; String found in binary or memory: meeting-addin]Add-in root directory not found within package
Source: Squirrel.exe; String found in binary or memory: *.*9*meeting-addin-install-logs*ADeleting the local add-in folderWFailure hit when uninstalling meeting addin
Source: Squirrel.exe; String found in binary or memory: copyFailureUFailed to register addin as always enabledeVersion {0} of the meeting add-in is now installedaFailed to create the directory for config file 'MConfig already exists. Deleting first.EFailed to delete the config file 'IFailed to write to the config file 'I\current\resources\assets\tlb\Uc.tlbU\current\resources\assets\tlb\Uc.win32.tlb'\TeamsPresenceAddin?presence-addin-install-logs.txtaUninstalling Teams Presence addin for Outlook...WERROR: Failed to uninstall presence add-in.
Source: Squirrel.exe; String found in binary or memory: CheckAndTryDeleteInstallSource: MSI uninstall initiated, but no MSI-installed Teams found. Quitting5PreventInstallationFromMsi_IsInstallSourceExpected: expected value is null
Source: Squirrel.exe; String found in binary or memory: Filename%--squirrel-install%--squirrel-updated'--squirrel-obsolete)--squirrel-uninstall'--squirrel-firstrunAFailed to handle Squirrel events[\StringFileInfo\040904B0\SquirrelAwareVersion)SquirrelAwareVersion;Failed to promote Tray icon:
Source: Squirrel.exe; String found in binary or memory: ..\Update.exegUpdate.exe not found, not a Squirrel-installed app?
Source: Squirrel.exe; String found in binary or memory: esu;Failed to invoke post-install
Source: Squirrel.exe; String found in binary or memory: piefspIdesktop_squirrel_invoke_post_install---squirrel-updated {0}---squirrel-install {0}9Squirrel Enabled Apps: [{0}]wNo apps are marked as Squirrel-aware! Going to run them all#all_users_install
Source: Squirrel.exe; String found in binary or memory: " --processStart "Teams.exe" --process-start-args "--system-initiated"/prevent_auto_start_exit=auto_start_registry_param_failWFailed to read AutoStart registry parameter)before_process_start% --deployedInstall-Failed to delete key: /--squirrel-obsolete {0}KcleanDeadVersions: Deleting directoryYcleanDeadVersions: Marking directory as dead]cleanDeadVersions: Couldn't delete directory: ccleanDeadVersions: Invoking process with args {0}wcleanDeadVersions: Couldn't run Squirrel hook, continuing:
Source: Squirrel.exe; String found in binary or memory: stopwatch/stopwatch isn't running
The Teams.exe, TeamsAddin.Connect and meeting/presence add-in strings identify this build as the Squirrel updater shipped with Microsoft Teams. The odd characters between messages (e.g. "N!squirrel-install3Starting automatic update") are the length prefixes of the assembly's #US string heap, where each entry is stored as 2n+1 followed by n UTF-16 characters; the extractor printed adjacent entries as one run.
Source: classification engine; Classification label: clean5.winEXE@1/3@0/0 (verdict clean, score 5, Windows executable; 1 process, 3 dropped files, no contacted IPs or domains)
Source: C:\Users\user\Desktop\Squirrel.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Squirrel.exe; Static file information: File size 2452664 > 1048576
Source: initial sample; Static PE information: Valid certificate with Microsoft Issuer
Source: Squirrel.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\Squirrel.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry
Source: Squirrel.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Squirrel.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x225200
Source: Squirrel.exe; Static PE information: real checksum: 0x25a3d1 should be: 0x261be2
A stale CheckSum does not affect the Authenticode signature: the signature hash is computed over the image with the CheckSum field and the certificate table excluded, so "certificate valid" and "invalid checksum" are not in conflict. Driver images and some loader paths do require a correct checksum, which is why it is worth verifying rather than ignoring.
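The checksum claim above ("real checksum: 0x25a3d1 should be: 0x261be2") can be reproduced without the sandbox. The following is an added example, not Joe Sandbox's or Squirrel's code: it implements the PE CheckSum algorithm that imagehlp's CheckSumMappedFile uses (ones'-complement sum of the file as 16-bit little-endian words, with the 4-byte CheckSum field treated as zero, plus the file length). build_sample() constructs a minimal PE-shaped buffer so the block runs offline; pointing the script at a real file compares the stored field with the recomputed value, which for this sample should give the pair the report shows.

```python
"""Recompute and verify the PE optional-header CheckSum field.

Added example for this report, not Joe Sandbox's or Squirrel's code. The
sample buffer produced by build_sample() is constructed for the demonstration.
"""
from __future__ import annotations

import struct


def checksum_field_offset(data: bytes) -> int:
    """CheckSum sits at e_lfanew + 4 ('PE\\0\\0') + 20 (file header) + 0x40 into the optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """Return the value the CheckSum field should hold for this image."""
    skip = checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")  # an odd tail byte is summed as a word
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue  # the CheckSum field itself is treated as zero
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry (ones' complement)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF  # the unpadded file length is added last


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def verify(data: bytes) -> tuple[int, int, bool]:
    """(stored, computed, matches). A stored value of 0 means the linker never set it."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def build_sample(size: int = 0x200) -> bytes:
    """Constructed minimal PE-shaped buffer: MZ stub, e_lfanew=0x40, PE signature, zeroed headers."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    stored, computed, ok = verify(data)
    print(f"stored 0x{stored:x} computed 0x{computed:x} {'OK' if ok else 'MISMATCH'}")
```

Because the field is skipped while summing, writing the computed value back and recomputing yields the same number; that idempotence is the quickest self-check when porting the routine. Summing 32-bit words with carry folding, as pefile does, gives the same result because the sum is taken modulo 2^16 - 1 either way.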
Source: C:\Users\user\Desktop\Squirrel.exe; Code function: 0_2_0177283B push ebx; ret
Source: C:\Users\user\Desktop\Squirrel.exe; Code function: 0_2_01773350 pushfd ; retf
Source: C:\Users\user\Desktop\Squirrel.exe; Code function: 0_2_01773340 pushad ; retf
Source: C:\Users\user\Desktop\Squirrel.exe; Code function: 0_2_01773330 pushfd ; retf
These sit in the same runtime-allocated 0177xxxxh region as the nop/jmp sequences above. Three pushfd/pushad; retf hits exactly 16 bytes apart look like a linear-sweep disassembly of non-code bytes rather than a deliberate push/ret obfuscation chain.
Source: C:\Users\user\Desktop\Squirrel.exe; Process information set: NOOPENFILEERRORBOX (47 occurrences)
Source: C:\Users\user\Desktop\Squirrel.exe; Window / User API: threadDelayed 7584
Source: C:\Users\user\Desktop\Squirrel.exe; Window / User API: threadDelayed 1839
Source: C:\Users\user\Desktop\Squirrel.exe; Memory allocated: 1730000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Squirrel.exe; Memory allocated: 3510000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Squirrel.exe; Memory allocated: 5510000 memory reserve | memory write watch
The .NET Framework garbage collector reserves its heap segments with MEM_WRITE_WATCH, so the write-watch signature fires for CLR processes in general and is not by itself evidence of sandbox evasion.
Source: C:\Users\user\Desktop\Squirrel.exe TID: 4680; Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\Squirrel.exe TID: 4232; Thread sleep count: 7584 > 30
Source: C:\Users\user\Desktop\Squirrel.exe TID: 4232; Thread sleep count: 1839 > 30
Source: C:\Users\user\Desktop\Squirrel.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Squirrel.exe; Thread delayed: delay time: 922337203685477 (reported twice)
922337203685477 is TimeSpan.MaxValue expressed in milliseconds (2^63 - 1 ticks of 100 ns divided by 10000), i.e. an unbounded wait rather than a timed delay. The thousands of short sleeps on TID 4232 and the >98% CPU are consistent with the sandbox shortening Sleep calls (see the API Interceptor entry further down), which turns a polling loop into a busy loop.
Source: Squirrel.exe, 00000000.00000002.627413618.000000000AA42000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware, Inc.
Source: Squirrel.exe, 00000000.00000002.627413618.000000000AA42000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: stringComputer System ProductComputer System Product482KYL13343542-072A-9C0A-EE7F-DDC360C7B9AFVMware, Inc.Noney*
Source: Squirrel.exe, 00000000.00000002.620692450.0000000008E4C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: stringComputer System ProductComputer System Product482KYL13343542-072A-9C0A-EE7F-DDC360C7B9AFVMware, Inc.None
The "VMware, Inc." strings are the sandbox's own answer to the Win32_ComputerSystemProduct query (vendor, name and UUID). Together with the MachineGuid read listed below, that is the usual input for a stable device identifier; the report shows the query, not any branch taken on its result.
Source: C:\Users\user\Desktop\Squirrel.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Users\user\Desktop\Squirrel.exe VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll VolumeInformation
Source: C:\Users\user\Desktop\Squirrel.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Every target of the volume-information queries except the sample itself is a Framework assembly in the GAC, and the same assembly list appears in the 1110-byte dropped log file; these queries are the CLR loading assemblies, not host fingerprinting.
Source: C:\Users\user\Desktop\Squirrel.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Techniques the matched signatures map to (Hits = number of signature matches per technique; the remaining cells of the matrix view carried no hits for this sample and are omitted):

Tactic               Technique                            Hits
Execution            Windows Management Instrumentation   1
Execution            Command and Scripting Interpreter    2
Defense Evasion      Masquerading                         1
Defense Evasion      Disable or Modify Tools              1
Defense Evasion      Virtualization/Sandbox Evasion       42
Defense Evasion      Obfuscated Files or Information      2
Discovery            Security Software Discovery          11
Discovery            Virtualization/Sandbox Evasion       42
Discovery            Application Window Discovery         1
Discovery            System Information Discovery         23
Collection           Archive Collected Data               1
Command and Control  Encrypted Channel                    1
Behavior Graph (ID 576539, sample Squirrel.exe, start date 22/02/2022, architecture Windows, score 5): the graph holds a single process node, Squirrel.exe, started from the analysis start node.

Antivirus detection of the sample (Source / Detection / Scanner):
Squirrel.exe: 0% (Virustotal)
Squirrel.exe: 0% (Metadefender)
Squirrel.exe: 0% (ReversingLabs)
No Antivirus matches for dropped files, unpacked PE files, domains or URLs
No contacted domains info
URLs found in binary or memory (none contacted; Malicious: false; Antivirus Detection: none; Reputation: high for every entry):
http://my.netscape.com/publish/formats/rss-0.91.dtd (source: Squirrel.exe, 00000000.00000002.620692450.0000000008E4C000.00000004.00000800.00020000.00000000.sdmp)
https://github.com/myuser/myrepo (source: Squirrel.exe)
http://uri.etsi.org/01903/v1.2.2#SignedProperties (source: Squirrel.exe, 00000000.00000002.602859050.0000000006889000.00000004.00000800.00020000.00000000.sdmp)
https://api.github.com/# (source: Squirrel.exe)
http://schemas.xmlsoap.org/soap/encoding/ (source: Squirrel.exe, 00000000.00000002.620692450.0000000008E4C000.00000004.00000800.00020000.00000000.sdmp)
http://uri.etsi.org/01903/v1.2.2#bhttp://uri.etsi.org/01903/v1.2.2#SignedProperties (source: Squirrel.exe, 00000000.00000002.602859050.0000000006889000.00000004.00000800.00020000.00000000.sdmp)
https://api.github.com/ (source: Squirrel.exe)
http://schemas.xmlsoap.org/wsdl/ (source: Squirrel.exe, 00000000.00000002.620692450.0000000008E4C000.00000004.00000800.00020000.00000000.sdmp)
                  No contacted IP infos
                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:576539
                  Start date:22.02.2022
                  Start time:15:58:12
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 8m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:Squirrel.exe
                  Cookbook file name:defaultwindowsfilecookbook.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:14
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:CLEAN
                  Classification:clean5.winEXE@1/3@0/0
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 0% (good quality ratio 0%)
                  • Quality average: 66%
                  • Quality standard deviation: 0%
                  HCA Information:
                  • Successful, ratio: 81%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                  • Execution Graph export aborted for target Squirrel.exe, PID 6960 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
16:00:06  API Interceptor  153x Sleep call for process: Squirrel.exe modified
                  Process:C:\Users\user\Desktop\Squirrel.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1110
                  Entropy (8bit):5.161831089326872
                  Encrypted:false
                  SSDEEP:24:MLME4K2KDE4K72EE4MYE4GE4pE4KvAE4K/E4TKIE4VAE4KBE4FsXE4j:MgHK2YHK72EHMYHGHpHKoHK/HTtHVAHb
                  MD5:424F2EADECD26DA55C4B60EB7BAD75B2
                  SHA1:2EC25BC35AFF803CA210C77473294BDF4BB7FC39
                  SHA-256:F9A0E1A0C9C033CC6B15A5A5F517AC3CA7DC1277F3BB62E3B4D2A49FFB27DF8A
                  SHA-512:F65F7969F433449F72BF282AE53F37B1789645DED039AAF046CE45C2AF7907E7C558E9CF4453B13352F96833A7D17A6215F287BCF702DB0D97EA010D0A900461
                  Malicious:false
                  Reputation:low
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..2,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..2,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..2,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Runtime.Caching, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03
                  Process:C:\Users\user\Desktop\Squirrel.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):62
                  Entropy (8bit):4.606633810037929
                  Encrypted:false
                  SSDEEP:3:72gc4D1XzQEBM2F2UZHsOBEREov:aZ45gVUB4Bv
                  MD5:AD469178B1FA1AA2988F0AC67E4CF57E
                  SHA1:DC71B6C0BC134BBABA1CBF520900634355403A64
                  SHA-256:D75803DC57CA5100FDF0C8EE4448999A6FA770713CACF6BB7A44EBC5BF36BFA5
                  SHA-512:38E8AE97CDC1E27184E2E9C6838FDC5C49BA94F841F509517303257EC788DDA6EA22DD265D17A87194113C3E47D09A267AAEBB3EEE4C697FA20536C29AF9A2E7
                  Malicious:false
                  Reputation:low
                  Preview:.2022-02-22 15:59:50> Program: Starting Squirrel Updater: ..
                  Process:C:\Users\user\Desktop\Squirrel.exe
                  File Type:ASCII text, with very long lines, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8287
                  Entropy (8bit):4.9239145723887665
                  Encrypted:false
                  SSDEEP:192:MMntjBjaIFz+FUgll8l9zdGoQl8l9z0koQl8l9a:MWtjBjaBn+9I+9j+9a
                  MD5:B1082741C37A140C71969722A6D9ABE4
                  SHA1:916987AC3D4A156A16195FF7A31E812588CA2691
                  SHA-256:B0325F04FF24AF033AA544C0FD2FABBC9B3269D6C9A809D8755F85B70FCD993E
                  SHA-512:BD2830FEB92E69AB578071C942F4A019AF441DC0442099D05C823A8BCEB32694397B4D0D038A3585CBAD2C0436646162F22BACA989EA69DEB1BDADE360EEF517
                  Malicious:false
                  Reputation:low
                  Preview:Usage: Squirrel.exe command [OPTS]..Manages Squirrel packages....Commands.. --install=VALUE Install the app whose package is in the specified.. directory.. --uninstall Uninstall the app the same dir as Update.exe.. --download=VALUE Download the releases specified by the URL and.. write new results to stdout as JSON.. --checkForUpdate=VALUE Check for one available update and writes new.. results to stdout as JSON.. --update=VALUE Update the application to the latest remote.. version specified by URL.. --releasify=VALUE Update or generate a releases directory with a.. given NuGet package.. --deltify=VALUE Create delta packages against previous packages.. for given new package... --generateMsi=VALUE Generate MSI with a given i
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.8640086784302285
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.91%
                  • Win32 Executable (generic) a (10002005/4) 49.86%
                  • InstallShield setup (43055/19) 0.21%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:Squirrel.exe
                  File size:2452664
                  MD5:6f4893f0ff0fb87d8a2fe0be84f13367
                  SHA1:f0b8c998d0568d92d49b6dcf55b90357bb3d301b
                  SHA256:4f1055adb04b195eaf805e68b3e897c80bad818d9786951e16236c079bd811b3
                  SHA512:922a34f263ff68fa8dadee57a706265de1ab41a96fe21b6664af82717b3cefbe77759d31d59be399062d11f1a40aed9a9d519c8c4e8977f611cb4e289bd99ec4
                  SSDEEP:24576:SDbwuK5gB/cb8Yjhpv8RCbMHmTfzS1XmtIfrs0AzMoozv7Z3WO:obwr5gBToiSOgtIfw0AzozZ3F
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rMI_.................R".........>p".. ........@.. .......................`%.......%...@................................
                  Icon Hash:30b0bcece4e070b2
                  Entrypoint:0x62703e
                  Entrypoint Section:.text
                  Digitally signed:true
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x5F494D72 [Fri Aug 28 18:31:14 2020 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Signature Valid:true
                  Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                  Signature Validation Error:The operation completed successfully
                  Error Number:0
                  Not Before, Not After
                  • 4/1/2020 12:03:03 PM 1/31/2021 11:03:03 AM
                  Subject Chain
                  • CN=Microsoft 3rd Party Application Component, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                  Version:3
                  Thumbprint MD5:F54D03C6CD8FFF903BE644221A24BA7F
                  Thumbprint SHA-1:899FA016DEE8E665FF2A315A1151C43FB96C430B
                  Thumbprint SHA-256:D3D05ED9EE7AD90DD417F10866E52B1CB608D37803D7342F68CA1CA5D2EAAAD6
                  Serial:33000001AB7555F52EB6A4B14E0000000001AB
                  Instruction
                  jmp dword ptr [00402000h]
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x226fe8 | 0x53 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x228000 | 0x2adf0 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x250400 | 0x68b8 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x254000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x225044 | 0x225200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x228000 | 0x2adf0 | 0x2ae00 | False | 0.200363292638 | data | 4.37102165734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x254000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x228460 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 13158600, next used block 8439687 | |
                  RT_ICON | 0x228748 | 0x128 | GLS_BINARY_LSB_FIRST | |
                  RT_ICON | 0x228870 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 1482184704, next used block 1465407320 | |
                  RT_ICON | 0x229e98 | 0xea8 | data | |
                  RT_ICON | 0x22ad40 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
                  RT_ICON | 0x22b5e8 | 0x568 | GLS_BINARY_LSB_FIRST | |
                  RT_ICON | 0x22bb50 | 0x3524 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                  RT_ICON | 0x22f074 | 0x94a8 | data | |
                  RT_ICON | 0x23851c | 0x67e8 | data | |
                  RT_ICON | 0x23ed04 | 0x5488 | data | |
                  RT_ICON | 0x24418c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
                  RT_ICON | 0x2483b4 | 0x3a48 | data | |
                  RT_ICON | 0x24bdfc | 0x25a8 | data | |
                  RT_ICON | 0x24e3a4 | 0x1a68 | data | |
                  RT_ICON | 0x24fe0c | 0x10a8 | data | |
                  RT_ICON | 0x250eb4 | 0x988 | data | |
                  RT_ICON | 0x25183c | 0x6b8 | data | |
                  RT_ICON | 0x251ef4 | 0x468 | GLS_BINARY_LSB_FIRST | |
                  RT_GROUP_ICON | 0x25235c | 0x102 | data | |
                  RT_VERSION | 0x252460 | 0x3ac | data | |
                  RT_MANIFEST | 0x25280c | 0x5e1 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Description | Data
                  LegalCopyright | Microsoft Corporation
                  Assembly Version | 1.10.54.0
                  InternalName | Update.exe
                  FileVersion | 1.10.54.0
                  CompanyName | Microsoft Corporation
                  LegalTrademarks |
                  Comments | Microsoft Teams
                  ProductName | Microsoft Teams
                  ProductVersion | 1.10.54.0
                  FileDescription | Microsoft Teams
                  OriginalFilename | Update.exe
                  Translation | 0x0000 0x04b0
                  No network behavior found
                  No statistics
                  Target ID:0
                  Start time:15:59:25
                  Start date:22/02/2022
                  Path:C:\Users\user\Desktop\Squirrel.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Squirrel.exe"
                  Imagebase:0xc80000
                  File size:2452664 bytes
                  MD5 hash:6F4893F0FF0FB87D8A2FE0BE84F13367
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  No disassembly