mttaggart / wtfbins

WTF are these binaries doing?! A list of benign applications that mimic malicious behavior.
MIT License

Squirrel.exe: (MS Teams) #10

Closed SpikeRoche closed 2 years ago

SpikeRoche commented 2 years ago
mttaggart commented 2 years ago

Thanks, this is really cool!

Does squirrel.exe do anything particularly strange? Or is the WTF coming from the mere existence of an executable named "squirrel?"

mttaggart commented 2 years ago

@SpikeRoche I need a little more info to qualify this as a WTFBin. Does squirrel.exe do anything strange, or is it just the name? I'm looking for a reason why this would appear malicious during threat hunting or incident response.

SpikeRoche commented 2 years ago

It makes outbound connections, creates a file/process called Update.exe, and loads multiple DLLs.
[images attached: chrome_rTX3g6Qecp.png, chrome_GTt5SGqXYp.png, chrome_S8pHssV7fm.png]


mttaggart commented 2 years ago

Sorry, I can't see those images. But creating a new process and loading DLLs is normal behavior for any Windows executable. I think for now, we're going to close this one until we have some evidence that is a bit more suspicious. I know it's on the Teams exclusions list, but we don't know why. That's what we'd need.
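As an added example (not code from the issue thread or from the wtfbins project), this is the kind of baseline check a hunter would run to answer the question the maintainer raises: outbound connections, a spawned Update.exe and DLL loads are normal for a Squirrel-packaged app, so the signal has to come from whether the binary is where it should be, signed by whom it should be, and launching what it should launch. The install root, the signer name, the process-record fields and the sample events are all constructed assumptions about a per-user classic Teams install, not facts taken from the thread.

```python
from pathlib import PureWindowsPath

# Assumptions, not facts from the thread: classic Teams installs per user
# under %LOCALAPPDATA%\Microsoft\Teams, and its Squirrel binaries carry a
# Microsoft Authenticode signature. Adjust both for your own baseline.
EXPECTED_ROOT = r"C:\Users\alice\AppData\Local\Microsoft\Teams"
EXPECTED_SIGNER = "Microsoft Corporation"
# Squirrel ships as Squirrel.exe in the package and is written out as Update.exe.
SQUIRREL_IMAGES = {"squirrel.exe", "update.exe"}


def is_under(path: str, root: str) -> bool:
    """Case-insensitive test that a Windows path lives below a directory."""
    p = str(PureWindowsPath(path)).lower()
    r = str(PureWindowsPath(root)).lower().rstrip("\\") + "\\"
    return p.startswith(r)


def triage(events):
    """Return {pid: (verdict, reasons)} for each process-creation record where
    the process or its parent is a Squirrel image; unrelated records are skipped.

    Each record is a dict with Image, ParentImage, ProcessId and Signer (the
    signer an EDR or Get-AuthenticodeSignature reported, or None if unsigned).
    """
    results = {}
    for ev in events:
        name = PureWindowsPath(ev["Image"]).name.lower()
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        if name not in SQUIRREL_IMAGES and parent not in SQUIRREL_IMAGES:
            continue
        reasons = []
        if name in SQUIRREL_IMAGES:
            # A Squirrel binary sitting in Temp, Downloads or a user profile root
            # is either a different Squirrel app or something borrowing the name.
            if not is_under(ev["Image"], EXPECTED_ROOT):
                reasons.append("Squirrel binary outside the expected Teams directory")
            if ev.get("Signer") != EXPECTED_SIGNER:
                reasons.append("Squirrel binary not signed by the expected publisher")
        elif not is_under(ev["Image"], EXPECTED_ROOT):
            # Update.exe normally launches the packaged app from the same tree;
            # a child from System32 or Temp is what deserves the WTF.
            reasons.append("Squirrel launched a child outside the app directory")
        results[ev["ProcessId"]] = ("suspicious" if reasons else "benign", reasons)
    return results


# Constructed sample telemetry (not real events) covering the cases above.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": EXPECTED_ROOT + r"\Update.exe",
     "ParentImage": EXPECTED_ROOT + r"\current\Teams.exe",
     "Signer": "Microsoft Corporation"},                      # expected updater
    {"ProcessId": 4120, "Image": EXPECTED_ROOT + r"\current\Teams.exe",
     "ParentImage": EXPECTED_ROOT + r"\Update.exe",
     "Signer": "Microsoft Corporation"},                      # updater relaunches app
    {"ProcessId": 5200, "Image": r"C:\Users\alice\AppData\Local\Temp\Update.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Signer": None},                                         # wrong place, unsigned
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": EXPECTED_ROOT + r"\Update.exe",
     "Signer": "Microsoft Windows"},                          # odd child of Update.exe
    {"ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Signer": "Microsoft Windows"},                          # unrelated, skipped
]

if __name__ == "__main__":
    for pid, (verdict, why) in triage(SAMPLE_EVENTS).items():
        print(pid, verdict, "; ".join(why))
```

The deliberate omission is a rule on DLL loads or network connections by themselves: as the thread concludes, those are what any updater does, so a rule keyed on them would only reproduce the false positive that put Squirrel on the Teams exclusions list in the first place.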