stordiag.exe

  • File Path: C:\Windows\system32\stordiag.exe
  • Description:

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 09595FAB75F9764D8BB8D77A02602E9B |
| SHA1 | 2035188F2858DEC97D9B9CA8587FB2C109425C2F |
| SHA256 | 75CBE3CC080A0C681E925E8A7FA20577524E04E0D7E713DD0E73355ED02AF960 |
| SHA384 | 98F90AFFCF3D4A6FC77AAA8CCBADCCB39DD5A3F13437664F2DD5705255FDB2E41D928067C7AB56E7F49382F38D232C25 |
| SHA512 | 2D780DA4B52038526737AEC828417E26A77184938F2C3D9EF08160CED4F381E591E5443449CB8DBB1EEF1D5050E86C23FE8728DF162D9CC6D39F21559D3FE34B |
| SSDEEP | 384:En4/E+AWVUClB0a9ETJnbMYI1UzscQN0UNUQAzmynEYfP0Kqhihnhacd4SZqxJ4/:En6rUClB19ilbTYcQlxKhs0N+E |

Runtime Data

Usage (stdout):

```text
Collects storage and filesystem diagnostic logs and outputs them to a folder.

StorDiag [-collectEtw] [-out <PATH>]
-collectEtw           Collect a 30-second long ETW trace if run from an elevated session
-checkFSConsistency   Checks for the consistency of the NTFS file system
-out <PATH>           Specify the output path. If not specified, logs are saved to %TEMP%\StorDiag
```

Child Processes:

  • conhost.exe
  • systeminfo.exe

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: stordiag.exe
  • Product Name: Microsoft (R) Windows (R) Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0
  • Product Version: 10.0.14393.0
  • Language: Language Neutral
  • Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of stordiag.exe being misused. While stordiag.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_stordiag_execution.yml | title: Execution via stordiag.exe | DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe | DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html | DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | ParentImage\|endswith: '\stordiag.exe' | DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | ParentImage\|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" | DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | - Legitimate usage of stordiag.exe. | DRL 1.0 |
| LOLBAS | Stordiag.yml | Name: Stordiag.exe | |
| LOLBAS | Stordiag.yml | - Command: stordiag.exe | |
| LOLBAS | Stordiag.yml | Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. | |
| LOLBAS | Stordiag.yml | - Path: c:\windows\system32\stordiag.exe | |
| LOLBAS | Stordiag.yml | - Path: c:\windows\syswow64\stordiag.exe | |

MIT License. Copyright (c) 2020-2021 Strontic.