Analysis
-
max time kernel
120s
-
max time network
135s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
-
submitted
20-12-2023 17:21
Static task
static1
Behavioral task
behavioral1
Sample
Insomnia.Core-8.5.0.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Insomnia.Core-8.5.0.exe
Resource
win10v2004-20231215-en
General
-
Target
Insomnia.Core-8.5.0.exe
-
Size
142.2MB
-
MD5
0f26867f77167c51905f3e068fb73938
-
SHA1
31ad4addf24ab4dfdd29154a6fdfd59f14c067d8
-
SHA256
97ac08c87609455cba421ccd416dc4601d88853ac41aeed59d86bafc73e24999
-
SHA512
a17255d4fac7e9e4ba846206d4e3d34b473cbddbcb17ec38dac20a0637aedf906b5b946f43fc619068ff4a40ca0acef4d321a1b009092dc9bb3cf04597c40e4e
-
SSDEEP
3145728:X+IF4fL8YZQ6Fu9gro6nh6sqSha+7GkUqAaSvP3ZKcuLVZoq2uP1chFAW:XTcLNQkCgkmqShb7PNAPXJKx51chX
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process
1756 Update.exe
2504 Insomnia.exe
1628 Insomnia.exe
-
Loads dropped DLL 8 IoCs
pid Process
2164 Insomnia.Core-8.5.0.exe
1756 Update.exe
1756 Update.exe
1756 Update.exe
1756 Update.exe
1756 Update.exe
2504 Insomnia.exe
1628 Insomnia.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Update.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob, value removed from this page) Update.exe
AuthRoot is the store Windows populates on its own when the automatic root update fetches a trusted root from Windows Update while a signature chain is being validated, and this thumbprint is the SHA-1 thumbprint of the DigiCert Global Root CA. That is consistent with a signature check performed while Update.exe ran, not with planting a trust anchor: a rogue root would normally be written under ...\SystemCertificates\Root\Certificates (or the user's Root store) rather than AuthRoot. Confirm the thumbprint against DigiCert's published value before treating the entry as benign.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1756 Update.exe
1756 Update.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1756 Update.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1756 Update.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 1628 1756 Update.exe 32
PID 1756 wrote to memory of 1628 1756 Update.exe 32
PID 1756 wrote to memory of 1628 1756 Update.exe 32
PID 1756 wrote to memory of 1628 1756 Update.exe 32
The 15 rows are repeated records of only three parent-to-child writes (2164 -> 1756, 1756 -> 2504, 1756 -> 1628), which match the launches in the Processes tree one for one. Writes a parent makes into a child it is creating are what this signature normally catches; none of the rows targets a process the sample did not start, which is the pattern that would point to injection. SeDebugPrivilege and process enumeration on Update.exe are consistent with an installer that looks for and terminates a running copy of the application before replacing its files, and should be read together with that context rather than on their own.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.5.0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Insomnia.Core-8.5.0.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2164
   2. C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      Command line: "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1756
      3. C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe
         Command line: "C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe" --squirrel-install 8.5.0
         - Executes dropped EXE
         - Loads dropped DLL
         PID: 2504
      3. C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe
         Command line: "C:\Users\Admin\AppData\Local\insomnia\app-8.5.0\Insomnia.exe" --squirrel-firstrun
         - Executes dropped EXE
         - Loads dropped DLL
         PID: 1628
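Added example (not from this report, and not code from the Insomnia or Squirrel projects): a short Python script that parses the flattened "Suspicious use of WriteProcessMemory" rows and the "Executes dropped EXE" row above, collapses the 15 rows into their three parent/child edges, and flags any target pid the sample did not itself start. The row format, pids and image names are copied from this page; the function names and the "not started by the sample" heuristic are my own.

```python
"""Added example (not part of this sandbox report): collapse the repeated
"Suspicious use of WriteProcessMemory" rows into a parent/child tree and flag
any write that targets a process the sample itself did not start."""
import re
from collections import Counter, defaultdict

# Constructed from the rows on this page; one IoC row per line, in the report's
# "PID <writer> wrote to memory of <target> <writer> <image> <sandbox procid>" shape.
WPM_ROWS = """
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 2164 wrote to memory of 1756 2164 Insomnia.Core-8.5.0.exe 28
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 2504 1756 Update.exe 31
PID 1756 wrote to memory of 1628 1756 Update.exe 32
PID 1756 wrote to memory of 1628 1756 Update.exe 32
PID 1756 wrote to memory of 1628 1756 Update.exe 32
PID 1756 wrote to memory of 1628 1756 Update.exe 32
"""

# "Executes dropped EXE" row from this page: pid and image, flattened.
DROPPED_EXE_ROWS = "1756 Update.exe 2504 Insomnia.exe 1628 Insomnia.exe"

# The submitted sample itself (pid 2164 in this run).
ROOT = (2164, "Insomnia.Core-8.5.0.exe")

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Count rows per (writer_pid, writer_image, target_pid) edge."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        writer, target, writer_col, image, _procid = m.groups()
        if writer != writer_col:  # the description and pid columns must agree
            raise ValueError(f"pid column disagrees with description: {line!r}")
        edges[(int(writer), image, int(target))] += 1
    return edges


def parse_dropped(text):
    """Turn the flattened 'pid image pid image ...' row into {pid: image}."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("odd number of tokens in dropped-EXE row")
    return {int(p): name for p, name in zip(tokens[::2], tokens[1::2])}


def injection_targets(edges, dropped, root):
    """Target pids that are neither the sample nor one of its dropped EXEs.

    A parent writing into a child it is creating is routine and is what this
    signature usually catches; a write into a pre-existing process is the
    injection case worth chasing.  Heuristic of this example, not the sandbox's.
    """
    known = set(dropped) | {root[0]}
    return {target for (_w, _img, target) in edges if target not in known}


def render(edges, dropped, root):
    """Return the collapsed tree as indented text lines, one process per line."""
    names = {root[0]: root[1], **dropped}
    children = defaultdict(list)
    for (writer, _img, target), n in edges.items():
        children[writer].append((target, n))

    lines, seen = [], set()

    def walk(pid, depth, rows):
        label = f"{pid} {names.get(pid, '<image not in process list>')}"
        if pid != root[0]:
            label += "  [dropped EXE]" if pid in dropped else "  [NOT started by the sample]"
            label += f"  ({rows} WriteProcessMemory rows from parent)"
        lines.append("  " * depth + label)
        if pid in seen:  # guard against cyclic or malformed input
            return
        seen.add(pid)
        for target, n in children[pid]:
            walk(target, depth + 1, n)

    walk(root[0], 0, 0)
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    dropped = parse_dropped(DROPPED_EXE_ROWS)
    print("\n".join(render(edges, dropped, ROOT)))
    print("writes outside the sample's own tree:",
          injection_targets(edges, dropped, ROOT) or "none")
```

For this report the script prints a four-line tree (2164 at the top, 1756 under it, 2504 and 1628 under 1756) and reports no writes outside the sample's own tree; feeding it a row whose target pid is not in the dropped-EXE list makes `injection_targets` return that pid, which is the case that deserves a closer look.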
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 76B
MD5 088ef15f8e618e55fc5b65cb4f17f8f5
SHA1 42434617ab13aae0a9df9e3821badc2b4beef880
SHA256 455b6500fc5dca4037d6591d73756c6986b74f6fd95ed425d297b2f83ffd81e6
SHA512 b7b6c898c49cdafe189af939a421a5c8926983248ac1173d37622d81469c89a44262fa66d2603f12ec73f8b546a5cef7551b81ad575ccc9c04437953d1971e87
-
Filesize 8KB
MD5 90c66f6333edc7f15aa2f183b2082f15
SHA1 744d5df7023433c4074a2770f70a72d652f154b2
SHA256 65583541ba1a320a783aef7798ddee7dda68385103f9c3b50da403003d2de138
SHA512 3b15ca5ce87f0e05811938193aef797c9979ecebd7085510ad127a0a956c09c5eb862bc7aa5066403adcaf9b460096ec5f95ca961db585c562595212daf1be05
-
Filesize 39.1MB
MD5 20ac5696ce8f82948594580529edaed5
SHA1 1a89f3c44393323a1a270330982104ba99627938
SHA256 11856dfa26c2d3cbe3eb82a658af5c4f3791c88d579ee2905b20f51bb086ad24
SHA512 2da7c46a9bfdc9283e924876b2a8e2cc4a9e6acae1bfa2a6a790f3a32be0748a9ae2eff6f1a3b96240b9d596ca82111117a0a666a8ab7c5d1a470c2e8bfc0138
-
Filesize 1024KB
MD5 9ff50b619fe4b7ed917c62cb03270cf1
SHA1 168455f3d4e47e4237be44928de77c568072162a
SHA256 35f0b2c373deba6ba363a78d321dfdf5a0c5ea46ee81743c77eaf01b82095361
SHA512 a33e5686c8e3f8ed2901cf668a30c1a25bb3289d3f3089a339b84877cf9c82ea42e04a805eb1198f598458e31f7e1610674247943bdeb0be78fe7f644bede12a
-
Filesize 960KB
MD5 8fdb7ae885c82ccc842a86a466a66569
SHA1 a7c390440d992a429c6a592a7408a4f6c3773ee9
SHA256 94206ca89eb59f2987efec2f2098d04f94a44faadc4bbf7a47dcfd1d5356bcbf
SHA512 09218819dafef68de0e2558bbf6cede152f545e1d96ae637e7611ce6594998c6708b53dd0a19fe3dc42e9bc4c6f7c183712bc90ccd48d88b5d9077950f6a3038
-
Filesize 896KB
MD5 e853d05094ebaf2ae5cbbe3af547517a
SHA1 f2b927d8ffe5fc4e0b885869f55b3d004dd3c93d
SHA256 724ca6b2cc3013ed9d0ac4a60495b17a12394702e0ee145e687724e4571405d7
SHA512 b1f6fc0dee492eec7e9ba9b909da759d7e8ff1ae1f7d4efa60589e5cd72473a729f1800de84e97ffaa1dbda7c111af18c96891e85ce89a9b784c3b243c06de30
-
Filesize 79B
MD5 117fa287404e6b37e7da08bdf50427ec
SHA1 2cb6d3d247e1d59e3ef7c7e667d84a912418938e
SHA256 eafb305864851a8fbc2ca209b0cb63df17cda76db259152586da22f7683b6f84
SHA512 1eb6697d6e4e08d3d4c76c799bdab8084d6aba004bc4a5c71ad7fa70b4db4a639e1c14e8845d58beb9b8236eff90ccf45d359d3f6210f4f81a16b2e790b13926
-
Filesize 6.9MB
MD5 0368d84f38c98b09864a2b7ae882f0bf
SHA1 bda3eaedc3f863b54922a864c69ced4690c66bc6
SHA256 e1533aa0a8c1dd1af4f262b2f79a1909ed1bef10bd0353d875301961f45d6609
SHA512 bd988c4d0b1d2d412782b9f397d4b6e4a4e2c05a6eff7b7765d4155fbb7bc77a23d1cb482e03d34951c88e9e6e46b67bdca17dc2e69f94f107f122c0e5b67212
-
Filesize 1.7MB
MD5 4a5dbd3d6263eca75561a21b98aa4353
SHA1 9308061daf870e2c3b002c5b5ba81556c6e03873
SHA256 19a9ed41a69c74f130f53572aa1b07b1fa35d93a408dcf9d3f16f0fd72dd1e69
SHA512 1741d133badccedeedc68079e1f6dcaf116bad58b85292031da2759ca0648416054d5806edcbf0910a276a95a76c4b21d2465dd1d994a068a1db5ee47632bd11
-
Filesize 1.1MB
MD5 d963541773c199cedb0351614041d9a3
SHA1 23326d24d59abc5b9f136894bbfa90623524a30f
SHA256 63ed380c367b310adb7bf2eadecf5a187ea46b3f4a7cce48a493d9c1ffbc38c5
SHA512 dc85c7c8d3ff0efff37cd46c567da6370d588668c5669e6708f24606920d505478d46c2a09b42183fd2b2a9a484b41a9fdf5ed831551a22fde216c04dded0940
-
Filesize 1.2MB
MD5 c572f3567ed9a32edfa369b2284f7fc8
SHA1 a3deb1962cc736ddd33e54ca87fc0c57cb82780a
SHA256 a8c55537d797e6441ddbeccc69b05ea0349b9948bfecb671eb7fd83afef7f521
SHA512 3b45a1e2ace94191014ad9675204eb223a57ad4f3bc42fab1f749860d65ad4c24f2b8be5d0eb8db17d735e4d9f9755055d507453abbe66704b49a6ac8f2c4195
-
Filesize 1.3MB
MD5 55c793205902198fca35ff82a3caa7dc
SHA1 f100a5dc2bfa6133e2b173a5be31e1d4ca19a8c0
SHA256 11e21af3f32502ed7d2467caf93fce0d7febfee465004c4dea54ca288726e2d5
SHA512 4c9b99a9873a92d39fa7479ee3144cbc21344d29b337f12210d921d89c17b0f607d55b7700dacd702fd39385d0ca92189f93b514be523739ec45ea4e4aabb534
-
Filesize 640KB
MD5 26731d4a6e8d0fd5bc6a0c4155465534
SHA1 f52746e3ae1f8941bd980b947e3f784d58ef9fa8
SHA256 e186bc35fb53dfacc1d3b30ce7a3f4ae935fb89f16a4a9111844b349dd6d2850
SHA512 884c376caae57914d4be72036c866464b2ad1e7623bdf5843971fc6ebd2d317c5bc131f994c131b90d9e129a05f28fc952cf9f779e550984f0d44cd333d68b4a
-
Filesize 768KB
MD5 d1e3a71f8c7aa3d84f52e1591d66ca97
SHA1 c9768e965b0ed61eb219e80199ab7dcc8b38dbef
SHA256 f1d4c0a1ed9e34828f4d95788802c281ab3c6787659bc95edc8ce7bd5f176472
SHA512 051b2b1322fe53279adfa196421f7516754f9c803c864990fc6ca7c0624d6866b1642c7cb9ccb151efba6e990506d1881d0bad1bf9e690b1d97e66e0da8de353
-
Filesize 960KB
MD5 ca1bb9a041f5daaf5dad9c8939b8f889
SHA1 d667e9dfa75d8851ded06197060f0194282fd18b
SHA256 de8ddd2591915cb2107b57ee44098b641ea28997ada27937bb647973792226e9
SHA512 37a6a662e14eef957da1a796613a3bf0d39bb6d43246891db01d85dde5b5b4d5c7873458c36715250e04deacf23a7febd1ef3b6cf17862c52050471470a4bbeb