370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd

Analysis

max time kernel
95s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windirstat1_1_2_setup.exe
Size

630KB
MD5

3abf1c149873e25d4e266225fbf37cbf
SHA1

6fa92dd2ca691c11dfbfc0a239e34369897a7fab
SHA256

370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd
SHA512

b6d9672a580a02299bc370deb1fd99b5ca10ab86456385870cdae522c185ae51f8d390a7c50fcb5c7898523f52c834bb73515ffc6d0b0bcde210640e815ece9e
SSDEEP

12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

windirstat.exe

pid process

4328 windirstat.exe
Loads dropped DLL 3 IoCs

Processes:

windirstat1_1_2_setup.exe

pid process

4952 windirstat1_1_2_setup.exe
4952 windirstat1_1_2_setup.exe
4952 windirstat1_1_2_setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

windirstat.exe

description ioc process

File opened (read-only) \??\F: windirstat.exe
File opened (read-only) \??\D: windirstat.exe

pid	process
4328	windirstat.exe

pid	process
4952	windirstat1_1_2_setup.exe
4952	windirstat1_1_2_setup.exe
4952	windirstat1_1_2_setup.exe

description	ioc	process
File opened (read-only)	\??\F:	windirstat.exe
File opened (read-only)	\??\D:	windirstat.exe

Drops file in Program Files directory 3 IoCs

Processes:

windirstat1_1_2_setup.exe

description	ioc	process
File created	C:\Program Files (x86)\WinDirStat\Uninstall.exe	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\windirstat.exe	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\windirstat.chm	windirstat1_1_2_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\WinDirStat\Uninstall.exe	nsis_installer_1

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msedge.exe

pid process

1360 msedge.exe
1360 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

windirstat.exe

pid process

4328 windirstat.exe

pid	process
1360	msedge.exe
1360	msedge.exe

pid	process
4328	windirstat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

windirstat.exe

description	pid	process
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe
Token: SeBackupPrivilege	4328	windirstat.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

windirstat.exe

pid process

4328 windirstat.exe
4328 windirstat.exe
4328 windirstat.exe
4328 windirstat.exe

pid	process
4328	windirstat.exe
4328	windirstat.exe
4328	windirstat.exe
4328	windirstat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

windirstat1_1_2_setup.exe

description	pid	process	target process
PID 4952 wrote to memory of 4328	4952	windirstat1_1_2_setup.exe	windirstat.exe
PID 4952 wrote to memory of 4328	4952	windirstat1_1_2_setup.exe	windirstat.exe
PID 4952 wrote to memory of 4328	4952	windirstat1_1_2_setup.exe	windirstat.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc896646f8,0x7ffc89664708,0x7ffc89664718
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
"C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4952

C:\Program Files (x86)\WinDirStat\windirstat.exe
"C:\Program Files (x86)\WinDirStat\windirstat.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4564749699002177473,17622881685101198986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
1⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4564749699002177473,17622881685101198986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4564749699002177473,17622881685101198986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
1⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4564749699002177473,17622881685101198986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
1⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4564749699002177473,17622881685101198986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
1⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4564749699002177473,17622881685101198986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
1⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4564749699002177473,17622881685101198986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
1⤵
PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinDirStat\Uninstall.exe
Filesize
46KB

MD5
a127e6118b9dd2f9d5a7cc4d697a0105

SHA1
9ac17d4dcf0884ceafacf10c42209c0942dfe7a8

SHA256
afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670

SHA512
0e57d2856c02c55d477d9b3cc1d4bf5ffa3650d4b20be18b0a9e614d19143aee325c4cd92ff31bbddf6e93cd3ebeb47d8727de6e25faa366341cc71117122065

Download Submit
C:\Program Files (x86)\WinDirStat\windirstat.chm
Filesize
50KB

MD5
1bddb8a0e0f9cd90a5b3936ec2c2c4cf

SHA1
c8302168fb532fe03e76cb8a82aa53b49ee0bc44

SHA256
1e87c07744054709d271337d8ce06929429b334d70875605cb68ecc4c6610cd1

SHA512
b857de9026b3eab13f4dbc464e6403835e3a61e5e9e3566735bf1ddd8dedc4ecf08807b27207bd8b385250b71ea234b301dd49e6f3c90f1270ae03868c035472

Download Submit
C:\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
d1f604157b0745a40453afb93a6caa42

SHA1
3d5d77429b03674ebb0ba34d925ba1b09310df5e

SHA256
468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5

SHA512
0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
2cca7c4d73f79a05a1d5db248dd1eed1

SHA1
7170fb834eaf8992c030f2728c7cf8a8553b2648

SHA256
0432886deb2fc21ba1ad9d879c5a3901bd81bfd8a232f8f447fe437c9b95b3fe

SHA512
e5b095e2e4441d1e942f91ee4f046810a97ff938fea09bca23601109b56e4b4792fcae9650c1f988b0b387a6bb8f7ba8fd9d43be2cc8f82039c809b9c98f3d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7EC.tmp\InstallOptions.dll
Filesize
14KB

MD5
9b2ad0546fd834c01a3bdcbfbc95da7d

SHA1
4f92f5a6b269d969ba3340f1c1978d337992a62c

SHA256
7e08cb4ff81dbb0573c672301681e31b2042682e9a2204673f811455f823dd37

SHA512
5b374fe7cc8d6ff8b93cfcc8deae23f2313f8240c998d04d3e65c196b33c7d36a33930ffd481cdd6d30aa4c73dd2a1c6fe43791e9bf10bd71b33321a8e71c6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7EC.tmp\System.dll
Filesize
10KB

MD5
4125926391466fdbe8a4730f2374b033

SHA1
fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

SHA256
6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

SHA512
32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7EC.tmp\ioSpecial.ini
Filesize
798B

MD5
9e471ea6086d9b59907b0bc372ea9c4a

SHA1
86654ad4318d8880027de8a99899fc06aabc7e00

SHA256
f2bcc02745cb635f85722720aac87bf24064c7ad0b06041752f696a5eaf78a1a

SHA512
c958d30b689fb9cfa8df671489e2dba2cf976f7197e8a6ba11c7c0bdc2343a492a94baa0580069565c8897006b6408fa369ca3d604d771318fbb7343957635a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7EC.tmp\ioSpecial.ini
Filesize
724B

MD5
4dd99290e028e44c81fc006cebe234d7

SHA1
d0e97431f2e26cd583f2fcd2d4e7c8d87391a259

SHA256
e5efeaa51ae6553fefa799deaf3122ca3e3f0fef52647aff85afd2bd05f3e8ac

SHA512
9fa751aecdcc1a5fc591663822d7d26b26995ff52752bf3b75d427452a841c22fac61111cc664dd33131c2d409723672a14c6705c1fcaf09deb6ef14ae06cc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7EC.tmp\ioSpecial.ini
Filesize
789B

MD5
0911dc38642e47b4fd9b7efc8162487f

SHA1
1153ec26d584780b68c94377c763ec1b46a26824

SHA256
ca3dd714022862fa9ad97054bc651469d7dbeb4ddcdc421df75f3786bb7a7a6d

SHA512
2e7fb5d507652748e3cdcb192948ca64a35d7d383408ee2d04aa1ad0f30b67d99ec4e34d0d891db3d37d767168d22fbf982a3e6e878513b805bfb2e5f5675bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (ENG).lnk
Filesize
1KB

MD5
9b96d4713e65e3f47cac0bf0ba2235a2

SHA1
25546db2ddb78a231f46bc8be4abb26003bc4d48

SHA256
14898451cdbd3849c6db717bee9abd6d8f2a669762a7d7fd4605a57ef2919b04

SHA512
6efd3b4d0fe050b17322182ac45ac86e883723fc9796394ca4afff8afaa48390980c00dc0ff48da61f75794ce295f1c3c1c6a67bb6391b9da3ef12eeb5c785df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\Uninstall WinDirStat.lnk
Filesize
1KB

MD5
0e1a9b9abdc730268a2d950e1d7ac03d

SHA1
4acab5ea4ea3c0c93e521b5a65e9702dc1c07525

SHA256
c2effb1685707e9ab9e1796b83fff193090a8429c28fc79e8b64b9698321b81e

SHA512
e67a2999142545e1dffbc1b8a91f2cf8c01feef07774780f0bb54245d452097d58ca04f983146cb58c045d34bc558c6849a36f30546ce485509bdb088f521910

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\WinDirStat.lnk
Filesize
1KB

MD5
d8770d0318817e14bbaa5d377de0eeec

SHA1
da5416b60d4a05326d07aba4e85c3aa01958d2bb

SHA256
f846436b8f21a41675290ea14a23222c7ebc6fe1ccb0b4c46ec0324c2472ac2a

SHA512
71588b5ef75945ef9eb196b053aa6df8871d06f0a83f3387b7fff55b3824337f54045928b47ecaabef1d1f40c622eedf89010fe104a1ed4b4549c814798800e1

Download Submit
C:\Users\Admin\Desktop\WinDirStat.lnk
Filesize
1KB

MD5
6915cf292978c6e480ee18b608c328d1

SHA1
44bf333809755ccd13c67bc383e37080591cb3f8

SHA256
6b05ec464a841f03a83e3f1fdfd3ccdee5654c4982bcaa43b1ab05e540b26408

SHA512
523f27f92ad8511303400576f58ee25bbfa59489a6faed73f3d515cfcdb5d68a1e0c6ff8f09798433fa80276837625deb125fbdd19213e820f13af0491461441

Download Submit
\??\pipe\LOCAL\crashpad_1788_MZJBHBXILAUURMWE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit