Overview
overview
9Static
static
3windirstat...up.exe
windows10-2004-x64
9$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$_5_.exe
windows10-2004-x64
9Uninstall.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows10-2004-x64
3shfolder.dll
windows10-2004-x64
3wdsh0407.chm
windows10-2004-x64
1wdsh040e.chm
windows10-2004-x64
1wdsh0415.chm
windows10-2004-x64
1wdsr0405.dll
windows10-2004-x64
1wdsr0407.dll
windows10-2004-x64
1wdsr040a.dll
windows10-2004-x64
1wdsr040b.dll
windows10-2004-x64
1wdsr040c.dll
windows10-2004-x64
1wdsr040e.dll
windows10-2004-x64
1wdsr0410.dll
windows10-2004-x64
1wdsr0413.dll
windows10-2004-x64
1wdsr0415.dll
windows10-2004-x64
1wdsr0419.dll
windows10-2004-x64
1wdsr0425.dll
windows10-2004-x64
1windirstat.chm
windows10-2004-x64
1windirstat.exe
windows10-2004-x64
9Analysis
-
max time kernel
151s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
29-07-2024 06:51
Static task
static1
Behavioral task
behavioral1
Sample
windirstat1_1_2_setup.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
$_5_.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
Uninstall.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
shfolder.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral8
Sample
wdsh0407.chm
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
wdsh040e.chm
Resource
win10v2004-20240709-en
Behavioral task
behavioral10
Sample
wdsh0415.chm
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
wdsr0405.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral12
Sample
wdsr0407.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
wdsr040a.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral14
Sample
wdsr040b.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
wdsr040c.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral16
Sample
wdsr040e.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
wdsr0410.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral18
Sample
wdsr0413.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
wdsr0415.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral20
Sample
wdsr0419.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
wdsr0425.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral22
Sample
windirstat.chm
Resource
win10v2004-20240709-en
Behavioral task
behavioral23
Sample
windirstat.exe
Resource
win10v2004-20240709-en
General
-
Target
$_5_.exe
-
Size
632KB
-
MD5
3f3dd4476249ae664e3365e5bb651601
-
SHA1
752e1687d58de3bef927d9ad24c0ed3da3754e17
-
SHA256
f12d0929055567eee4b5842b7e59c34585a03191447de682dc729ad19aa2314f
-
SHA512
c9d38fa61fac0f48e8c2bc319c87df31f1ee49e8bc383ce348042480e1f0d0c28f198fbfa8cb6dd62f5767ae51ce8e67a7f527213fe1043987add465f1ba97df
-
SSDEEP
12288:5nKnA/rpVTNPjAuufoRqGKRsytFTkzpjSp+Km:InA/zTN7AvfJGAsuTkzu
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
$_5_.exedescription ioc process File opened (read-only) \??\D: $_5_.exe File opened (read-only) \??\F: $_5_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
$_5_.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $_5_.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
$_5_.exedescription pid process Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe Token: SeBackupPrivilege 3008 $_5_.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
$_5_.exepid process 3008 $_5_.exe 3008 $_5_.exe 3008 $_5_.exe 3008 $_5_.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1