Analysis
-
max time kernel
34s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
23-04-2024 02:36
Static task
static1
Behavioral task
behavioral1
Sample
windirstat1_1_2_setup.exe
Resource
win7-20240221-en
General
-
Target
windirstat1_1_2_setup.exe
-
Size
630KB
-
MD5
3abf1c149873e25d4e266225fbf37cbf
-
SHA1
6fa92dd2ca691c11dfbfc0a239e34369897a7fab
-
SHA256
370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd
-
SHA512
b6d9672a580a02299bc370deb1fd99b5ca10ab86456385870cdae522c185ae51f8d390a7c50fcb5c7898523f52c834bb73515ffc6d0b0bcde210640e815ece9e
-
SSDEEP
12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
windirstat.exepid process 4768 windirstat.exe -
Loads dropped DLL 3 IoCs
Processes:
windirstat1_1_2_setup.exepid process 3396 windirstat1_1_2_setup.exe 3396 windirstat1_1_2_setup.exe 3396 windirstat1_1_2_setup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
windirstat.exedescription ioc process File opened (read-only) \??\F: windirstat.exe File opened (read-only) \??\D: windirstat.exe -
Drops file in Program Files directory 3 IoCs
Processes:
windirstat1_1_2_setup.exedescription ioc process File created C:\Program Files (x86)\WinDirStat\windirstat.chm windirstat1_1_2_setup.exe File created C:\Program Files (x86)\WinDirStat\Uninstall.exe windirstat1_1_2_setup.exe File created C:\Program Files (x86)\WinDirStat\windirstat.exe windirstat1_1_2_setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 1 IoCs
Processes:
resource yara_rule C:\Program Files (x86)\WinDirStat\Uninstall.exe nsis_installer_1 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
windirstat.exepid process 4768 windirstat.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
windirstat.exedescription pid process Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe Token: SeBackupPrivilege 4768 windirstat.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
windirstat.exepid process 4768 windirstat.exe 4768 windirstat.exe 4768 windirstat.exe 4768 windirstat.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
windirstat1_1_2_setup.exedescription pid process target process PID 3396 wrote to memory of 4768 3396 windirstat1_1_2_setup.exe windirstat.exe PID 3396 wrote to memory of 4768 3396 windirstat1_1_2_setup.exe windirstat.exe PID 3396 wrote to memory of 4768 3396 windirstat1_1_2_setup.exe windirstat.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Program Files (x86)\WinDirStat\windirstat.exe"C:\Program Files (x86)\WinDirStat\windirstat.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4768
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WinDirStat\Uninstall.exeFilesize
46KB
MD5a127e6118b9dd2f9d5a7cc4d697a0105
SHA19ac17d4dcf0884ceafacf10c42209c0942dfe7a8
SHA256afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670
SHA5120e57d2856c02c55d477d9b3cc1d4bf5ffa3650d4b20be18b0a9e614d19143aee325c4cd92ff31bbddf6e93cd3ebeb47d8727de6e25faa366341cc71117122065
-
C:\Program Files (x86)\WinDirStat\windirstat.chmFilesize
50KB
MD51bddb8a0e0f9cd90a5b3936ec2c2c4cf
SHA1c8302168fb532fe03e76cb8a82aa53b49ee0bc44
SHA2561e87c07744054709d271337d8ce06929429b334d70875605cb68ecc4c6610cd1
SHA512b857de9026b3eab13f4dbc464e6403835e3a61e5e9e3566735bf1ddd8dedc4ecf08807b27207bd8b385250b71ea234b301dd49e6f3c90f1270ae03868c035472
-
C:\Program Files (x86)\WinDirStat\windirstat.exeFilesize
636KB
MD524cd9a82fcfc658dd3ae7ba25c958ffb
SHA126e14a532e1e050eb20755a0b7a5fea99dd80588
SHA256cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c
SHA5124de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d
-
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\InstallOptions.dllFilesize
14KB
MD59b2ad0546fd834c01a3bdcbfbc95da7d
SHA14f92f5a6b269d969ba3340f1c1978d337992a62c
SHA2567e08cb4ff81dbb0573c672301681e31b2042682e9a2204673f811455f823dd37
SHA5125b374fe7cc8d6ff8b93cfcc8deae23f2313f8240c998d04d3e65c196b33c7d36a33930ffd481cdd6d30aa4c73dd2a1c6fe43791e9bf10bd71b33321a8e71c6b8
-
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\System.dllFilesize
10KB
MD54125926391466fdbe8a4730f2374b033
SHA1fdd23034ada72d2537939ac6755d7f7c0e9b3f0e
SHA2566692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5
SHA51232a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008
-
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\ioSpecial.iniFilesize
799B
MD50bdb5f7ccedebbcddb72b66b5e3fedd1
SHA173f07a395fcbd74e238187cb546425c2b7c68788
SHA256d3e2a8c4721bd3f1b6c86eb0aee8d25691dc2984d32a2c5e637d630f38c15b48
SHA51244456e0570760d03d8bccdadf41487dfdc674c48e58dc2a550073ec5aaec3b1dceb1ad5a7d0dd31c89a054be1efe3a3ed3a8954b161ecf74cd66f8555406b142
-
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\ioSpecial.iniFilesize
573B
MD5ed76e7d306a9d4ae8112427a9f5ffeff
SHA16059d0b135d12ff4599591305dcb0b002ccbf114
SHA256ea6365afb3b4560307075340580b34ef2c9785dcfe8b50c6f62295f87d6c23df
SHA512b2d73b1aa21c0a032a3766087f96d92442045c7ad8c3a831936e1217c5d0663ac35627c27f3b334e837a0ff8f140a31493b3e05c58f940c8595bb619d0c194ee
-
C:\Users\Admin\AppData\Local\Temp\nso2A9C.tmp\ioSpecial.iniFilesize
725B
MD5a4c60765014cb5f37e8bcd3c357a3695
SHA100ece71269a4e5390ce21d7fa991194560e5fd97
SHA256832a6d4c124de972f952c082291885500251292d9ec715547e064618783bd930
SHA5120208a85f34f3af46c903b6dc8991d854af61509c25dfb10f04253843e92801496e17519e6689816830563e8e39b35e8332715b6fc200be49cf7366a391e05f43
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (ENG).lnkFilesize
1KB
MD5a357ea377832c14454c654d26b5c1a1f
SHA118bc43e4e879a5aae24e07555175839a3198ba11
SHA256b54a6a654868df87c2bc575a110ac72152790370ea2eb59032a5f6d53fdf3709
SHA512e0f282368f1476d710aa303f427698e5285ad5bc536b055b929dc1472f753d04dc1a2196948c5b789d8dc226bda94a7319729f21fb15713d92903c43cab53597
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\Uninstall WinDirStat.lnkFilesize
1KB
MD55b550be6cd269e35b29ddc3f8837ec9a
SHA10aa642c787e43d2923ab60ea67b2fb18c7f2c816
SHA256594c1ebb3f0a219e35085ba1ffa818f771e93464bcd5cb973583e0097871a78a
SHA512730f56d46cea3e939da92947b554555fc518d1c25e9bc946be8ac87edd7704578d07aa96d2afa8d8deba3ed13e8264d9cf25f97ff1862425cc1d0bfff51632db
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat\WinDirStat.lnkFilesize
1KB
MD590a210f15f0fbf92d1aa6d27b78102f5
SHA1d93d4e81e74f8934a2635b7cddfdb57fb7b03b0d
SHA256529bbcf2afd4c6503f061a3079cddb9ab9f9c7a0a0d676c0217992da407b8057
SHA5127f5efa3d81aef5a5176f9561c88b91abd8c544d51b3b0f1c141dffdf7c33ab2ed3e2a037204d49478143bbad2dda1e46fedc569ced4bbd9dbd4dd0391349df4b
-
C:\Users\Admin\Desktop\WinDirStat.lnkFilesize
1KB
MD5b862cc1ee312921bcba60eb4ab7e39bc
SHA17f85087aee37ea2921ae9b6e1b6fb6ec81a4b2ea
SHA25643419277ca604dac83bbd04adb63c068ea3b6825dc16422a7aad44b8a6a8d6d9
SHA51216b7237fe0708e540ecc0e24f232f6723da531ad54342774e05c4291da5242041468bc4a462902fa0a613ade9b00e7f5b2f0f411757a12bfb021bbc7b8de5013