Analysis

  • max time kernel
    120s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-12-2023 17:21

General

  • Target

    Insomnia.Core-8.5.0.exe

  • Size

    142.2MB

  • MD5

    0f26867f77167c51905f3e068fb73938

  • SHA1

    31ad4addf24ab4dfdd29154a6fdfd59f14c067d8

  • SHA256

    97ac08c87609455cba421ccd416dc4601d88853ac41aeed59d86bafc73e24999

  • SHA512

    a17255d4fac7e9e4ba846206d4e3d34b473cbddbcb17ec38dac20a0637aedf906b5b946f43fc619068ff4a40ca0acef4d321a1b009092dc9bb3cf04597c40e4e

  • SSDEEP

    3145728:X+IF4fL8YZQ6Fu9gro6nh6sqSha+7GkUqAaSvP3ZKcuLVZoq2uP1chFAW:XTcLNQkCgkmqShb7PNAPXJKx51chX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.5.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.5.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe
        "C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe" --squirrel-install 8.5.0
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2504
      • C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe
        "C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe" --squirrel-firstrun
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1628
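The tree above is the standard Squirrel.Windows install chain used by Electron applications: the setup stub (PID 2164) unpacks its payload into %LOCALAPPDATA%\SquirrelTemp, runs Update.exe --install . from there (PID 1756), and Update.exe extracts the .nupkg into %LOCALAPPDATA%\insomnia\app-8.5.0 and then invokes the application binary with the --squirrel-install and --squirrel-firstrun hooks (PIDs 2504 and 1628). Because the shape of the tree is identical for a clean Electron app and for a trojanised one, an analyst wants to recognise the chain quickly and then spend the time on what was dropped rather than on how it was launched. The following script is an added example, not part of the report or of Insomnia; it rebuilds the tree from process-creation events constructed from the PIDs and command lines on this page (the event field names are an assumption) and flags each Update.exe --install together with the hooks it spawned.

```python
"""Reconstruct a process tree from sandbox process-creation events and flag
the Squirrel.Windows install chain:
    Update.exe --install .  ->  <app>.exe --squirrel-install / --squirrel-firstrun
The events are constructed from the process list in this report; the
field names (pid/ppid/image/cmdline) are an assumption of this example."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


# Constructed events mirroring the report's process tree (PIDs from the page).
EVENTS = [
    {"pid": 2164, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.5.0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.5.0.exe"'},
    {"pid": 1756, "ppid": 2164,
     "image": r"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .'},
    {"pid": 2504, "ppid": 1756,
     "image": r"C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe" --squirrel-install 8.5.0'},
    {"pid": 1628, "ppid": 1756,
     "image": r"C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe" --squirrel-firstrun'},
]

# Squirrel passes one of these hooks to the app on install/update/uninstall.
SQUIRREL_HOOK = re.compile(r"--squirrel-(install|updated|obsolete|uninstall|firstrun)\b")


def build_tree(events) -> Dict[int, Proc]:
    """Index processes by PID and link each one to its parent's children list."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def squirrel_chain(procs: Dict[int, Proc]) -> List[dict]:
    """One finding per Update.exe --install: who dropped it, whether it ran from
    SquirrelTemp, which hooks its children executed and from which app directory."""
    findings = []
    for p in procs.values():
        if ntpath.basename(p.image).lower() != "update.exe" or "--install" not in p.cmdline:
            continue
        staged = ntpath.basename(ntpath.dirname(p.image)).lower() == "squirreltemp"
        hooks = sorted(
            (c.pid, m.group(1))
            for c in p.children
            for m in [SQUIRREL_HOOK.search(c.cmdline)] if m
        )
        findings.append({
            "installer_pid": p.pid,
            "dropper_pid": p.ppid,
            "from_squirreltemp": staged,
            "hooks": hooks,
            "app_dirs": sorted({ntpath.dirname(c.image) for c in p.children}),
        })
    return findings


if __name__ == "__main__":
    for f in squirrel_chain(build_tree(EVENTS)):
        print(f)
```

The finding for this report names PID 1756 as the installer, PID 2164 as the dropper, the two hooks run by PIDs 2504 and 1628, and the single app directory they were launched from. For real telemetry, the same two functions work on Sysmon Event ID 1 or EDR process-start records once they are mapped to the four fields used here; the directory and hook checks are what separate an ordinary Squirrel install from an unrelated Update.exe.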

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

    Filesize

    76B

    MD5

    088ef15f8e618e55fc5b65cb4f17f8f5

    SHA1

    42434617ab13aae0a9df9e3821badc2b4beef880

    SHA256

    455b6500fc5dca4037d6591d73756c6986b74f6fd95ed425d297b2f83ffd81e6

    SHA512

    b7b6c898c49cdafe189af939a421a5c8926983248ac1173d37622d81469c89a44262fa66d2603f12ec73f8b546a5cef7551b81ad575ccc9c04437953d1971e87

  • C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

    Filesize

    8KB

    MD5

    90c66f6333edc7f15aa2f183b2082f15

    SHA1

    744d5df7023433c4074a2770f70a72d652f154b2

    SHA256

    65583541ba1a320a783aef7798ddee7dda68385103f9c3b50da403003d2de138

    SHA512

    3b15ca5ce87f0e05811938193aef797c9979ecebd7085510ad127a0a956c09c5eb862bc7aa5066403adcaf9b460096ec5f95ca961db585c562595212daf1be05

  • C:\Users\Admin\AppData\Local\SquirrelTemp\insomnia-8.5.0-full.nupkg

    Filesize

    39.1MB

    MD5

    20ac5696ce8f82948594580529edaed5

    SHA1

    1a89f3c44393323a1a270330982104ba99627938

    SHA256

    11856dfa26c2d3cbe3eb82a658af5c4f3791c88d579ee2905b20f51bb086ad24

    SHA512

    2da7c46a9bfdc9283e924876b2a8e2cc4a9e6acae1bfa2a6a790f3a32be0748a9ae2eff6f1a3b96240b9d596ca82111117a0a666a8ab7c5d1a470c2e8bfc0138

  • C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe

    Filesize

    1024KB

    MD5

    9ff50b619fe4b7ed917c62cb03270cf1

    SHA1

    168455f3d4e47e4237be44928de77c568072162a

    SHA256

    35f0b2c373deba6ba363a78d321dfdf5a0c5ea46ee81743c77eaf01b82095361

    SHA512

    a33e5686c8e3f8ed2901cf668a30c1a25bb3289d3f3089a339b84877cf9c82ea42e04a805eb1198f598458e31f7e1610674247943bdeb0be78fe7f644bede12a

  • C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe

    Filesize

    960KB

    MD5

    8fdb7ae885c82ccc842a86a466a66569

    SHA1

    a7c390440d992a429c6a592a7408a4f6c3773ee9

    SHA256

    94206ca89eb59f2987efec2f2098d04f94a44faadc4bbf7a47dcfd1d5356bcbf

    SHA512

    09218819dafef68de0e2558bbf6cede152f545e1d96ae637e7611ce6594998c6708b53dd0a19fe3dc42e9bc4c6f7c183712bc90ccd48d88b5d9077950f6a3038

  • C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\ffmpeg.dll

    Filesize

    896KB

    MD5

    e853d05094ebaf2ae5cbbe3af547517a

    SHA1

    f2b927d8ffe5fc4e0b885869f55b3d004dd3c93d

    SHA256

    724ca6b2cc3013ed9d0ac4a60495b17a12394702e0ee145e687724e4571405d7

    SHA512

    b1f6fc0dee492eec7e9ba9b909da759d7e8ff1ae1f7d4efa60589e5cd72473a729f1800de84e97ffaa1dbda7c111af18c96891e85ce89a9b784c3b243c06de30

  • C:\Users\Admin\AppData\Local\insomnia\packages\RELEASES

    Filesize

    79B

    MD5

    117fa287404e6b37e7da08bdf50427ec

    SHA1

    2cb6d3d247e1d59e3ef7c7e667d84a912418938e

    SHA256

    eafb305864851a8fbc2ca209b0cb63df17cda76db259152586da22f7683b6f84

    SHA512

    1eb6697d6e4e08d3d4c76c799bdab8084d6aba004bc4a5c71ad7fa70b4db4a639e1c14e8845d58beb9b8236eff90ccf45d359d3f6210f4f81a16b2e790b13926

  • C:\Users\Admin\AppData\Local\insomnia\packages\insomnia-8.5.0-full.nupkg

    Filesize

    6.9MB

    MD5

    0368d84f38c98b09864a2b7ae882f0bf

    SHA1

    bda3eaedc3f863b54922a864c69ced4690c66bc6

    SHA256

    e1533aa0a8c1dd1af4f262b2f79a1909ed1bef10bd0353d875301961f45d6609

    SHA512

    bd988c4d0b1d2d412782b9f397d4b6e4a4e2c05a6eff7b7765d4155fbb7bc77a23d1cb482e03d34951c88e9e6e46b67bdca17dc2e69f94f107f122c0e5b67212

  • \Users\Admin\AppData\Local\SquirrelTemp\Update.exe

    Filesize

    1.7MB

    MD5

    4a5dbd3d6263eca75561a21b98aa4353

    SHA1

    9308061daf870e2c3b002c5b5ba81556c6e03873

    SHA256

    19a9ed41a69c74f130f53572aa1b07b1fa35d93a408dcf9d3f16f0fd72dd1e69

    SHA512

    1741d133badccedeedc68079e1f6dcaf116bad58b85292031da2759ca0648416054d5806edcbf0910a276a95a76c4b21d2465dd1d994a068a1db5ee47632bd11

  • \Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe

    Filesize

    1.1MB

    MD5

    d963541773c199cedb0351614041d9a3

    SHA1

    23326d24d59abc5b9f136894bbfa90623524a30f

    SHA256

    63ed380c367b310adb7bf2eadecf5a187ea46b3f4a7cce48a493d9c1ffbc38c5

    SHA512

    dc85c7c8d3ff0efff37cd46c567da6370d588668c5669e6708f24606920d505478d46c2a09b42183fd2b2a9a484b41a9fdf5ed831551a22fde216c04dded0940

  • \Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe

    Filesize

    1.2MB

    MD5

    c572f3567ed9a32edfa369b2284f7fc8

    SHA1

    a3deb1962cc736ddd33e54ca87fc0c57cb82780a

    SHA256

    a8c55537d797e6441ddbeccc69b05ea0349b9948bfecb671eb7fd83afef7f521

    SHA512

    3b45a1e2ace94191014ad9675204eb223a57ad4f3bc42fab1f749860d65ad4c24f2b8be5d0eb8db17d735e4d9f9755055d507453abbe66704b49a6ac8f2c4195

  • \Users\Admin\AppData\Local\insomnia\app-8.5.0\Update.exe

    Filesize

    1.3MB

    MD5

    55c793205902198fca35ff82a3caa7dc

    SHA1

    f100a5dc2bfa6133e2b173a5be31e1d4ca19a8c0

    SHA256

    11e21af3f32502ed7d2467caf93fce0d7febfee465004c4dea54ca288726e2d5

    SHA512

    4c9b99a9873a92d39fa7479ee3144cbc21344d29b337f12210d921d89c17b0f607d55b7700dacd702fd39385d0ca92189f93b514be523739ec45ea4e4aabb534

  • \Users\Admin\AppData\Local\insomnia\app-8.5.0\Update.exe

    Filesize

    640KB

    MD5

    26731d4a6e8d0fd5bc6a0c4155465534

    SHA1

    f52746e3ae1f8941bd980b947e3f784d58ef9fa8

    SHA256

    e186bc35fb53dfacc1d3b30ce7a3f4ae935fb89f16a4a9111844b349dd6d2850

    SHA512

    884c376caae57914d4be72036c866464b2ad1e7623bdf5843971fc6ebd2d317c5bc131f994c131b90d9e129a05f28fc952cf9f779e550984f0d44cd333d68b4a

  • \Users\Admin\AppData\Local\insomnia\app-8.5.0\ffmpeg.dll

    Filesize

    768KB

    MD5

    d1e3a71f8c7aa3d84f52e1591d66ca97

    SHA1

    c9768e965b0ed61eb219e80199ab7dcc8b38dbef

    SHA256

    f1d4c0a1ed9e34828f4d95788802c281ab3c6787659bc95edc8ce7bd5f176472

    SHA512

    051b2b1322fe53279adfa196421f7516754f9c803c864990fc6ca7c0624d6866b1642c7cb9ccb151efba6e990506d1881d0bad1bf9e690b1d97e66e0da8de353

  • \Users\Admin\AppData\Local\insomnia\app-8.5.0\ffmpeg.dll

    Filesize

    960KB

    MD5

    ca1bb9a041f5daaf5dad9c8939b8f889

    SHA1

    d667e9dfa75d8851ded06197060f0194282fd18b

    SHA256

    de8ddd2591915cb2107b57ee44098b641ea28997ada27937bb647973792226e9

    SHA512

    37a6a662e14eef957da1a796613a3bf0d39bb6d43246891db01d85dde5b5b4d5c7873458c36715250e04deacf23a7febd1ef3b6cf17862c52050471470a4bbeb

  • memory/1756-20-0x0000000000A60000-0x0000000000A6A000-memory.dmp

    Filesize

    40KB

  • memory/1756-11-0x0000000000A90000-0x0000000000AD0000-memory.dmp

    Filesize

    256KB

  • memory/1756-9-0x0000000000D60000-0x0000000000F24000-memory.dmp

    Filesize

    1.8MB

  • memory/1756-10-0x0000000074300000-0x00000000749EE000-memory.dmp

    Filesize

    6.9MB

  • memory/1756-19-0x0000000000A60000-0x0000000000A6A000-memory.dmp

    Filesize

    40KB

  • memory/1756-131-0x0000000074300000-0x00000000749EE000-memory.dmp

    Filesize

    6.9MB
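The two RELEASES files listed above (76 B in SquirrelTemp, 79 B in the packages directory) are the Squirrel.Windows release manifests: one line per package in the form `<SHA-1 hex> <nupkg filename> <size in bytes>`, with `#` lines as comments. Update.exe --install . reads the manifest in its working directory and checks the staged .nupkg against the listed SHA-1 and size before extracting it into app-8.5.0. The script below is an added example, not code from the report or from Insomnia/Squirrel; it parses that format and performs the same check. The manifest text and package bytes are constructed here, since the page shows only the hashes of the real files, not their contents.

```python
"""Parse a Squirrel.Windows RELEASES manifest and verify each listed package
against the staged .nupkg bytes: the SHA-1 and size gate Update.exe applies
before it extracts a package into app-<version>.  The manifest and package
bytes below are constructed for this example."""
import hashlib
import re
from typing import Dict, List, Tuple

# <40 hex chars of SHA-1> <filename> <size>
LINE = re.compile(r"^([0-9a-fA-F]{40})\s+(\S+)\s+(\d+)\s*$")


def parse_releases(text: str) -> List[Tuple[str, str, int]]:
    """Return (sha1, filename, size) per entry; blank and '#' lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"RELEASES line {n}: malformed entry {raw!r}")
        entries.append((m.group(1).lower(), m.group(2), int(m.group(3))))
    return entries


def verify_packages(text: str, staged: Dict[str, bytes]) -> Dict[str, str]:
    """Map each listed package name to 'ok', 'missing', 'size-mismatch' or
    'sha1-mismatch'.  Size is checked first because it is cheap and already
    rules out the truncated-download case."""
    result = {}
    for sha1, name, size in parse_releases(text):
        data = staged.get(name)
        if data is None:
            result[name] = "missing"
        elif len(data) != size:
            result[name] = "size-mismatch"
        elif hashlib.sha1(data).hexdigest() != sha1:
            result[name] = "sha1-mismatch"
        else:
            result[name] = "ok"
    return result


# Constructed package body and manifest (stand-ins for the real 39.1 MB nupkg
# and the 76-byte RELEASES file, whose contents the report does not show).
FAKE_NUPKG = b"PK\x03\x04" + b"insomnia-8.5.0 constructed payload" * 8
FAKE_RELEASES = (
    "# constructed manifest for the example\n"
    f"{hashlib.sha1(FAKE_NUPKG).hexdigest()} insomnia-8.5.0-full.nupkg {len(FAKE_NUPKG)}\n"
)


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Verify the untouched package, then the same package with one byte changed."""
    good = verify_packages(FAKE_RELEASES, {"insomnia-8.5.0-full.nupkg": FAKE_NUPKG})
    tampered = verify_packages(
        FAKE_RELEASES, {"insomnia-8.5.0-full.nupkg": FAKE_NUPKG[:-1] + b"!"})
    return good, tampered


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: the manifest is not signed and is fetched from the same place as the package, so a matching SHA-1 only proves the nupkg was not corrupted or swapped after the manifest was written. Whether the installer itself is genuine rests on the Authenticode signature of Insomnia.Core-8.5.0.exe and the channel it came from, which is where a comparison against the SHA256 given at the top of this report belongs.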