stordiag.exe

  • File Path: C:\WINDOWS\system32\stordiag.exe
  • Description:

Hashes

Type Hash
MD5 274CE0986C0B644035BBB28FE6BBC9B2
SHA1 2C0ECD330EE9F5FD6F0FE1D138562CB83668E96C
SHA256 CAEBDBA030A9458F6ECB452FAF79A6A3E19A666E16471F12AC26017714CB1A2A
SHA384 93DE58FF8103535AD3E70BE372A777AB1ECF7D35B57FFD8D2CCBF949199C9332FA6FDEBCC7398BAF3DD938FC2D12386B
SHA512 2E10CA5AE19ACA0A1F8D29823C1C50872662F3F09BFA68EF81668474D0C22F6591DD2F34634A542F1EEED543B94A3F634E630359323E837189D1B0BBC2057E08
SSDEEP 3072:1VzhKuWZfRvY7V//e3jzl5b9zd4HZJRFgvbmYq:1zR+3HfbfsV
IMP F34D5F2D4577ED6D9CEEC516C1F5A744
PESHA1 02F85B54D1E724467A071DC7DBCDE229EBA0FCC4
PE256 863AC88F7E57DD1E03BE9FCF434F0AB09A013B3C1382581AFD8CEFD005BF4B33

Runtime Data

Usage (stdout):


Collects storage and filesystem diagnostic logs and outputs them to a folder.

StorDiag [-collectEtw] [-out <PATH>]
-collectEtw                  Collect a 30-second long ETW trace if run from an elevated session
-collectPerf                 Collect disk performance counters
-collectStorageBreakdown     Collect system volume used space breakdown
-checkFSConsistency          Checks for the consistency of the NTFS file system
-diagnostic                  outputs a storage diagnostic report
-bootdiag                    output boot sectors of the disk
-driverdiag                  output avaliable storport and storahci logs
-out <PATH>                  Specify the output path. If not specified, logs are saved to %TEMP%\StorDiag



Child Processes:

conhost.exe

Open Handles:

Path Type
(R--) C:\Users\user\AppData\Local\Temp\StorDiag\PSLogs.txt File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll File
(R-D) C:\Windows\System32\en-US\crypt32.dll.mui File
(R-D) C:\Windows\System32\en-US\mpr.dll.mui File
(R-D) C:\Windows\System32\en-US\winnlsres.dll.mui File
(RW-) C:\Windows\System32 File
...\Cor_SxSPublic_IPCBlock Section
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\Cor_Private_IPCBlock_v4_9424 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.dll
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\MSCOREE.DLL
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\stordiag.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: stordiag_managed.exe
  • Product Name: Microsoft (R) Windows (R) Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1
  • Product Version: 10.0.22000.1
  • Language: Language Neutral
  • Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/caebdba030a9458f6ecb452faf79a6a3e19a666e16471f12ac26017714cb1a2a/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\SysWOW64\stordiag.exe 88

Possible Misuse

The following table contains possible examples of stordiag.exe being misused. While stordiag.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_stordiag_execution.yml title: Execution via stordiag.exe DRL 1.0
sigma proc_creation_win_stordiag_execution.yml description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe DRL 1.0
sigma proc_creation_win_stordiag_execution.yml - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html DRL 1.0
sigma proc_creation_win_stordiag_execution.yml ParentImage|endswith: '\stordiag.exe' DRL 1.0
sigma proc_creation_win_stordiag_execution.yml ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" DRL 1.0
sigma proc_creation_win_stordiag_execution.yml - Legitimate usage of stordiag.exe. DRL 1.0
LOLBAS Stordiag.yml Name: Stordiag.exe  
LOLBAS Stordiag.yml - Command: stordiag.exe  
LOLBAS Stordiag.yml Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.  
LOLBAS Stordiag.yml - Path: c:\windows\system32\stordiag.exe  
LOLBAS Stordiag.yml - Path: c:\windows\syswow64\stordiag.exe  
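
The Sigma rule quoted above pairs a selection (stordiag.exe as the parent, one of schtasks.exe, systeminfo.exe or fltmc.exe as the child) with a filter that drops parents running from the Windows system directories, since those spawn the same children during legitimate use. The following is an added example, not code from this page or from the Sigma or LOLBAS projects, that implements that selection-and-not-filter logic in Python and runs it over constructed process-creation records. The two trusted prefixes in the filter are assumed from the LOLBAS Path entries listed above, and the flat ProcessCreation record is an assumption for illustration, not Sysmon's event schema.

```python
"""Selection-and-not-filter logic for the stordiag.exe Sigma rule, run over
constructed process-creation events (example code, not the Sigma rule file)."""

from dataclasses import dataclass
from typing import Iterable, List

# Parent locations the filter treats as legitimate. Assumed from the LOLBAS
# Path entries on this page; standard users cannot write to either directory.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Child images named in the rule description.
SUSPICIOUS_CHILDREN = ("\\schtasks.exe", "\\systeminfo.exe", "\\fltmc.exe")


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal process-creation record (assumed shape, not a Sysmon schema)."""
    parent_image: str
    image: str


def matches_stordiag_rule(event: ProcessCreation) -> bool:
    """True when the event matches 'selection and not filter'.

    selection: ParentImage|endswith '\\stordiag.exe' and Image|endswith one of
               the three helper names.
    filter:    ParentImage|startswith a trusted system directory.
    Windows paths are case-insensitive, so both sides are lower-cased before
    comparison, mirroring the case-insensitive default of Sigma string modifiers.
    """
    parent = event.parent_image.lower()
    image = event.image.lower()
    selection = parent.endswith("\\stordiag.exe") and image.endswith(SUSPICIOUS_CHILDREN)
    filtered = parent.startswith(TRUSTED_PARENT_PREFIXES)
    return selection and not filtered


def alerts(events: Iterable[ProcessCreation]) -> List[ProcessCreation]:
    """Return the subset of events that should raise an alert."""
    return [e for e in events if matches_stordiag_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Legitimate run from the system directories: the children are expected,
    # and the filter suppresses both events.
    ProcessCreation(r"C:\Windows\System32\stordiag.exe", r"C:\Windows\System32\schtasks.exe"),
    ProcessCreation(r"C:\Windows\SysWOW64\stordiag.exe", r"C:\Windows\SysWOW64\fltmc.exe"),
    # stordiag.exe copied to a user-writable folder and executing a renamed
    # payload from that folder: the LOLBAS technique, and the rule fires.
    ProcessCreation(r"C:\Users\user\Downloads\stordiag.exe", r"C:\Users\user\Downloads\schtasks.exe"),
    ProcessCreation(r"C:\Users\user\Downloads\stordiag.exe", r"C:\Users\user\Downloads\systeminfo.exe"),
    # Copied binary spawning a child the rule does not name: no alert.
    ProcessCreation(r"C:\Users\user\Downloads\stordiag.exe", r"C:\Windows\System32\conhost.exe"),
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT parent={e.parent_image} image={e.image}")
```

The discriminator is the parent's location rather than its hash or signature, and that is the right choice here: a copy of stordiag.exe placed in a user folder still carries the valid Microsoft signature recorded in the Signature section above and still scores 0/74 on VirusTotal, so hash- or signer-based logic would not separate the abuse from legitimate use.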

MIT License. Copyright (c) 2020-2021 Strontic.