370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd

Analysis

max time kernel
34s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windirstat1_1_2_setup.exe
Size

630KB
MD5

3abf1c149873e25d4e266225fbf37cbf
SHA1

6fa92dd2ca691c11dfbfc0a239e34369897a7fab
SHA256

370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd
SHA512

b6d9672a580a02299bc370deb1fd99b5ca10ab86456385870cdae522c185ae51f8d390a7c50fcb5c7898523f52c834bb73515ffc6d0b0bcde210640e815ece9e
SSDEEP

12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

windirstat.exe

pid process

4768 windirstat.exe
Loads dropped DLL 3 IoCs

Processes:

windirstat1_1_2_setup.exe

pid process

3396 windirstat1_1_2_setup.exe
3396 windirstat1_1_2_setup.exe
3396 windirstat1_1_2_setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

windirstat.exe

description ioc process

File opened (read-only) \??\F: windirstat.exe
File opened (read-only) \??\D: windirstat.exe

pid	process
4768	windirstat.exe

pid	process
3396	windirstat1_1_2_setup.exe
3396	windirstat1_1_2_setup.exe
3396	windirstat1_1_2_setup.exe

description	ioc	process
File opened (read-only)	\??\F:	windirstat.exe
File opened (read-only)	\??\D:	windirstat.exe

Drops file in Program Files directory 3 IoCs

Processes:

windirstat1_1_2_setup.exe

description	ioc	process
File created	C:\Program Files (x86)\WinDirStat\windirstat.chm	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\Uninstall.exe	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\windirstat.exe	windirstat1_1_2_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\WinDirStat\Uninstall.exe	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

windirstat.exe

pid process

4768 windirstat.exe

pid	process
4768	windirstat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

windirstat.exe

description	pid	process
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe
Token: SeBackupPrivilege	4768	windirstat.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

windirstat.exe

pid process

4768 windirstat.exe
4768 windirstat.exe
4768 windirstat.exe
4768 windirstat.exe

pid	process
4768	windirstat.exe
4768	windirstat.exe
4768	windirstat.exe
4768	windirstat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

windirstat1_1_2_setup.exe

description	pid	process	target process
PID 3396 wrote to memory of 4768	3396	windirstat1_1_2_setup.exe	windirstat.exe
PID 3396 wrote to memory of 4768	3396	windirstat1_1_2_setup.exe	windirstat.exe
PID 3396 wrote to memory of 4768	3396	windirstat1_1_2_setup.exe	windirstat.exe

C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
"C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3396

C:\Program Files (x86)\WinDirStat\windirstat.exe
"C:\Program Files (x86)\WinDirStat\windirstat.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinDirStat\Uninstall.exe
Filesize
46KB

MD5
a127e6118b9dd2f9d5a7cc4d697a0105

SHA1
9ac17d4dcf0884ceafacf10c42209c0942dfe7a8

SHA256
afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670

SHA512
0e57d2856c02c55d477d9b3cc1d4bf5ffa3650d4b20be18b0a9e614d19143aee325c4cd92ff31bbddf6e93cd3ebeb47d8727de6e25faa366341cc71117122065

Download Submit
C:\Program Files (x86)\WinDirStat\windirstat.chm
Filesize
50KB

MD5
1bddb8a0e0f9cd90a5b3936ec2c2c4cf

SHA1
c8302168fb532fe03e76cb8a82aa53b49ee0bc44

SHA256
1e87c07744054709d271337d8ce06929429b334d70875605cb68ecc4c6610cd1

SHA512
b857de9026b3eab13f4dbc464e6403835e3a61e5e9e3566735bf1ddd8dedc4ecf08807b27207bd8b385250b71ea234b301dd49e6f3c90f1270ae03868c035472

Download Submit
C:\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\InstallOptions.dll
Filesize
14KB

MD5
9b2ad0546fd834c01a3bdcbfbc95da7d

SHA1
4f92f5a6b269d969ba3340f1c1978d337992a62c

SHA256
7e08cb4ff81dbb0573c672301681e31b2042682e9a2204673f811455f823dd37

SHA512
5b374fe7cc8d6ff8b93cfcc8deae23f2313f8240c998d04d3e65c196b33c7d36a33930ffd481cdd6d30aa4c73dd2a1c6fe43791e9bf10bd71b33321a8e71c6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\System.dll
Filesize
10KB

MD5
4125926391466fdbe8a4730f2374b033

SHA1
fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

SHA256
6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

SHA512
32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\ioSpecial.ini
Filesize
799B

MD5
0bdb5f7ccedebbcddb72b66b5e3fedd1

SHA1
73f07a395fcbd74e238187cb546425c2b7c68788

SHA256
d3e2a8c4721bd3f1b6c86eb0aee8d25691dc2984d32a2c5e637d630f38c15b48

SHA512
44456e0570760d03d8bccdadf41487dfdc674c48e58dc2a550073ec5aaec3b1dceb1ad5a7d0dd31c89a054be1efe3a3ed3a8954b161ecf74cd66f8555406b142

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\ioSpecial.ini
Filesize
573B

MD5
ed76e7d306a9d4ae8112427a9f5ffeff

SHA1
6059d0b135d12ff4599591305dcb0b002ccbf114

SHA256
ea6365afb3b4560307075340580b34ef2c9785dcfe8b50c6f62295f87d6c23df

SHA512
b2d73b1aa21c0a032a3766087f96d92442045c7ad8c3a831936e1217c5d0663ac35627c27f3b334e837a0ff8f140a31493b3e05c58f940c8595bb619d0c194ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\ioSpecial.ini
Filesize
725B

MD5
a4c60765014cb5f37e8bcd3c357a3695

SHA1
00ece71269a4e5390ce21d7fa991194560e5fd97

SHA256
832a6d4c124de972f952c082291885500251292d9ec715547e064618783bd930

SHA512
0208a85f34f3af46c903b6dc8991d854af61509c25dfb10f04253843e92801496e17519e6689816830563e8e39b35e8332715b6fc200be49cf7366a391e05f43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (ENG).lnk
Filesize
1KB

MD5
a357ea377832c14454c654d26b5c1a1f

SHA1
18bc43e4e879a5aae24e07555175839a3198ba11

SHA256
b54a6a654868df87c2bc575a110ac72152790370ea2eb59032a5f6d53fdf3709

SHA512
e0f282368f1476d710aa303f427698e5285ad5bc536b055b929dc1472f753d04dc1a2196948c5b789d8dc226bda94a7319729f21fb15713d92903c43cab53597

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\Uninstall WinDirStat.lnk
Filesize
1KB

MD5
5b550be6cd269e35b29ddc3f8837ec9a

SHA1
0aa642c787e43d2923ab60ea67b2fb18c7f2c816

SHA256
594c1ebb3f0a219e35085ba1ffa818f771e93464bcd5cb973583e0097871a78a

SHA512
730f56d46cea3e939da92947b554555fc518d1c25e9bc946be8ac87edd7704578d07aa96d2afa8d8deba3ed13e8264d9cf25f97ff1862425cc1d0bfff51632db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\WinDirStat.lnk
Filesize
1KB

MD5
90a210f15f0fbf92d1aa6d27b78102f5

SHA1
d93d4e81e74f8934a2635b7cddfdb57fb7b03b0d

SHA256
529bbcf2afd4c6503f061a3079cddb9ab9f9c7a0a0d676c0217992da407b8057

SHA512
7f5efa3d81aef5a5176f9561c88b91abd8c544d51b3b0f1c141dffdf7c33ab2ed3e2a037204d49478143bbad2dda1e46fedc569ced4bbd9dbd4dd0391349df4b

Download Submit
C:\Users\Admin\Desktop\WinDirStat.lnk
Filesize
1KB

MD5
b862cc1ee312921bcba60eb4ab7e39bc

SHA1
7f85087aee37ea2921ae9b6e1b6fb6ec81a4b2ea

SHA256
43419277ca604dac83bbd04adb63c068ea3b6825dc16422a7aad44b8a6a8d6d9

SHA512
16b7237fe0708e540ecc0e24f232f6723da531ad54342774e05c4291da5242041468bc4a462902fa0a613ade9b00e7f5b2f0f411757a12bfb021bbc7b8de5013

Download Submit