National Cyber Warfare Foundation (NCWF)

Digital Forensics: Analyzing Fake Software


2026-03-27 23:45:25
milo
Red Team (CNA)
Fake software downloads are one of the most common initial access vectors, often hiding malware behind familiar names and branding.

Welcome back, aspiring investigators!

If you have spent any time searching for software online, you have almost certainly encountered fake download websites, often mimicking branding just well enough to appear trustworthy at a glance. Big download buttons, vague promises of performance improvements, and minimal text are all red flags. Experienced users tend to recognize this pattern quickly, but many people do not. Even skilled professionals can occasionally be caught off guard when they are in a hurry or looking for a specific tool.

That is exactly the situation we are examining today. In this case, a user unknowingly downloaded a fake piece of software from one of these malicious websites. 

According to our scenario, the user believed they were downloading Sysinternals. Sysinternals is a well-known suite of advanced Windows utilities developed by Microsoft. These tools are commonly used by system administrators and incident responders to inspect running processes, analyze system activity, and troubleshoot complex Windows issues. After executing the downloaded file, nothing happened. The tool did not launch, and no interface appeared. Shortly after, the user noticed that their system was becoming slower and less responsive over time. At this point, suspicion finally set in, and the system was handed over for forensic analysis.

Let us take a look at what was happening on the system behind the scenes.

Evidence

Every forensic investigation starts with evidence. In this case, we were provided with an E01 image file. The E01 format is a widely used forensic disk image format that supports compression, metadata, and integrity verification. Instead of storing raw disk data only, E01 files include additional information such as case details and checksums. The compression used in this format helps reduce storage size while preserving all forensic data, and integrity checks allow us to verify that the evidence has not been altered during acquisition or analysis.

[Image: forensic evidence in E01 format]

E01 images can be opened using tools such as Autopsy or FTK Imager.

Analysis

For this analysis, we chose Autopsy and created a new case using the provided evidence image. Since we are dealing with a suspected malicious executable, our focus is on artifacts that record program execution and installation activity.

Amcache

One of the most valuable Windows artifacts in cases like this is Amcache. Amcache is a registry hive that stores information about executables and installers that have been executed or otherwise observed by the system. It was originally designed to support application compatibility, but from a forensic perspective it provides a historical record of program execution that often survives even when files are deleted.

The Amcache hive can be found at the following location:

C:\Windows\AppCompat\Programs\Amcache.hve

[Image: extracting Amcache.hve with Autopsy]

After exporting the Amcache.hve file from the disk image, we open it using Registry Explorer.

[Image: analyzing Amcache.hve file in Registry Explorer]

At first glance, Amcache can feel overwhelming due to the amount of data it contains. To reduce noise, we start with what we already know. The user downloaded the file from the internet, so the Downloads folder is a logical place to focus.

[Image: analyzing downloads in Amcache.hve file]

Here we found the executable we are looking for. The registry entry provides us with the full file path, the filename, cryptographic hashes, and additional metadata. This is where things begin to stand out. Although the tool claims to be a Sysinternals utility, the Publisher and Product Name fields do not list Microsoft. Instead, they reference Sysinternals, Inc., which is inconsistent with how genuine Sysinternals tools are signed and distributed.

At this point, we extract the hash value and move on to a deeper inspection.
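
The triage described above, as an added example that is not the article's own code: it reads Amcache's InventoryApplicationFile entries, normalizes the stored SHA-1, and flags executables in a Downloads folder whose Publisher is not on an analyst-supplied allowlist. The hive loader assumes the third-party python-registry package (import name Registry); the sample records and the allowlist are constructed.

```python
"""Added example (not the article's code): pull executables recorded in
Amcache's InventoryApplicationFile under a Downloads folder, normalize the
stored SHA-1, and flag publishers outside an analyst-supplied allowlist.
The loader assumes the third-party python-registry package (import name Registry)."""
import re

AMCACHE_KEY = "Root\\InventoryApplicationFile"

def file_id_to_sha1(file_id):
    """Amcache's FileId is '0000' followed by the 40-hex SHA-1; return the bare hash."""
    m = re.fullmatch(r"0000([0-9a-f]{40})", (file_id or "").lower())
    return m.group(1) if m else None

def load_records(hive_path):
    """Read each InventoryApplicationFile subkey into a dict (assumes python-registry)."""
    from Registry import Registry  # third-party; imported lazily so triage runs without it
    out = []
    for sub in Registry.Registry(hive_path).open(AMCACHE_KEY).subkeys():
        vals = {v.name(): v.value() for v in sub.values()}
        vals["_key_last_write"] = sub.timestamp()  # when the entry was last (re)written
        out.append(vals)
    return out

def triage_downloads(records, allowed_publishers):
    """Return Downloads-folder executables whose Publisher is not in the allowlist."""
    allowed = {p.lower() for p in allowed_publishers}
    hits = []
    for r in records:
        path = (r.get("LowerCaseLongPath") or "").lower()
        if "\\downloads\\" not in path or not path.endswith(".exe"):
            continue
        publisher = (r.get("Publisher") or "").strip()
        if publisher.lower() in allowed:
            continue
        hits.append({"path": path, "sha1": file_id_to_sha1(r.get("FileId")),
                     "publisher": publisher or "<none>", "product": r.get("ProductName")})
    return hits

# Constructed sample records standing in for two Amcache entries (hashes are dummies).
SAMPLE_RECORDS = [
    {"LowerCaseLongPath": "c:\\users\\alice\\downloads\\sysinternals.exe",
     "FileId": "0000" + "a" * 40, "Publisher": "Sysinternals, Inc.",
     "ProductName": "Sysinternals"},
    {"LowerCaseLongPath": "c:\\users\\alice\\downloads\\procexp64.exe",
     "FileId": "0000" + "b" * 40, "Publisher": "Microsoft Corporation",
     "ProductName": "Process Explorer"},
]
```

On a real image, call load_records on the exported Amcache.hve and pass the result to triage_downloads with the publisher strings you expect for the tool the user thought they were downloading.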

Family and Behavior

One of the fastest ways to gain initial insight is static analysis using a hash lookup on VirusTotal. Submitting the hash confirms that the file is classified as a trojan. We also see detections labeled as Deyma. This is a generic detection name used by Microsoft Defender for suspicious Windows files and behaviors. It commonly appears in cases involving downloaders, credential stealers, and backdoors, especially when malware acts as an initial access component.

[Image: VirusTotal report]

Next, we move to the behavior analysis section to understand what the malware actually does when executed.

[Image: VirusTotal MITRE ATT&CK behavior report]

The picture becomes much clearer here. The malware functions primarily as an information stealer. It captures user input and browser session cookies, which allows attackers to hijack authenticated sessions without needing passwords.

Captured data is sent back to the command and control server over encrypted channels. In addition to credential theft, the malware performs system discovery. It collects information about the operating system, hardware, and network configuration to determine whether the infected machine is of high value. If the system appears to be part of a corporate environment, the attackers can escalate things quickly. Techniques such as Ingress Tool Transfer, mapped as T1105 in MITRE ATT&CK, allow them to download and execute additional custom tools.

Defense evasion techniques observed here are fairly standard. They include hiding artifacts, injecting into legitimate processes, obfuscating code, and using indirect command execution. This is not advanced malware, but it is effective precisely because it blends in and avoids drawing attention.

Looking up the malware by one of its aliases reveals an overview graphic that summarizes its risk profile.

[Image: malware report overview]

Damage potential and overall severity are rated as relatively low, which aligns with what we are seeing. This is a stealer, not ransomware. However, its impact depends entirely on where it lands and what data it collects.

Relations

In the relations section, we find contacted URLs. One of them is download[.]sysinternals[.]com, along with several others.

[Image: URLs contacted by the malware]

This confirms that the malware acted as a dropper, downloading additional components from the internet after execution. From this information alone, we can already identify the malicious website that originally delivered the fake software.

Dynamic analysis using AnyRun provides even more clarity. In the process information view, we see the malware invoking cmd.exe to install a secondary executable called vmtoolsIO.exe.

[Image: AnyRun process information and persistence creation]

This executable then creates and starts a new Windows service. Service-based persistence is one of the most commonly abused techniques because it is reliable and survives reboots. Once created, the service is configured to start automatically, ensuring the attacker maintains access.

We can validate these findings through VirusTotal behavior analysis as well.

[Image: vmtools is used for persistence]

The actions match closely. The malware deliberately mimics VMware-related components to blend in. On systems where Sysinternals tools might reasonably be present, such naming choices reduce suspicion. The first-stage executable, SysInternals.exe, downloads the second-stage payload, vmtoolsIO.exe, which then creates the VMwareIOHelperService for persistence.
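
A way to hunt for this kind of service persistence on the offline evidence, as an added example that is not the article's own code: it resolves CurrentControlSet from the SYSTEM hive, lists automatic-start services, and flags any whose executable lives in a user-writable location, which is how a lookalike such as VMwareIOHelperService running vmtoolsIO.exe stands apart from a real VMware Tools install. The loader assumes the third-party python-registry package (import name Registry); the sample service records and their paths are constructed.

```python
"""Added example (not the article's code): list auto-start services from an offline
SYSTEM hive and flag those whose binary lives in a user-writable path. The loader
assumes the third-party python-registry package; sample records are constructed."""
import re

START_AUTO = 2  # Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
# Path fragments a standard user can write to; a service binary here is a red flag.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

def image_path_exe(image_path):
    """Return just the executable from an ImagePath (quoted, or followed by arguments)."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?=\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p.split(" ", 1)[0]

def load_services(system_hive_path):
    """Resolve CurrentControlSet via Select\\Current, then read every Services subkey."""
    from Registry import Registry  # third-party; imported lazily so triage runs without it
    reg = Registry.Registry(system_hive_path)
    current = reg.open("Select").value("Current").value()
    out = []
    for svc in reg.open("ControlSet%03d\\Services" % current).subkeys():
        vals = {v.name(): v.value() for v in svc.values()}
        vals["Name"] = svc.name()
        vals["_key_last_write"] = svc.timestamp()  # approximates when the service was created
        out.append(vals)
    return out

def triage_services(services):
    """Return automatic-start services whose executable sits in a user-writable path."""
    hits = []
    for s in services:
        if s.get("Start") != START_AUTO or not s.get("ImagePath"):
            continue
        exe = image_path_exe(s["ImagePath"]).lower()
        if any(fragment in exe for fragment in USER_WRITABLE):
            hits.append({"name": s["Name"], "exe": exe, "display": s.get("DisplayName")})
    return hits

# Constructed sample records: one lookalike service and two legitimate ones.
SAMPLE_SERVICES = [
    {"Name": "VMwareIOHelperService", "Start": 2, "DisplayName": "VMware IO Helper",
     "ImagePath": '"C:\\Users\\alice\\AppData\\Roaming\\vmtoolsIO.exe"'},
    {"Name": "VMTools", "Start": 2, "DisplayName": "VMware Tools",
     "ImagePath": '"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"'},
    {"Name": "Schedule", "Start": 2, "DisplayName": "Task Scheduler",
     "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs -p"},
]
```

The key last-write time on each flagged service is a useful anchor for the timeline, since it records when the service key was written on the victim system.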

If you want to explore persistence mechanisms in more depth, this topic is covered extensively in our Advanced Windows Persistence series, which is designed for both red and blue teams.

Timeline

The timeline of the attack begins with the user visiting a fake download website and retrieving what appeared to be a legitimate Sysinternals tool. Shortly after execution, the first-stage malware runs, performs initial system checks, and establishes outbound communication. Within minutes, it downloads the second-stage payload and installs a persistent service. From that point onward, the malware begins continuous data collection, capturing user input and session cookies while periodically communicating with its command and control infrastructure. Over time, system performance degrades as background activity increases, eventually alerting the user that something is wrong.

Summary

In this article, we showed what happens when fake software is downloaded and executed. Malware delivered in this way rarely acts immediately or visibly. Instead, it quietly inspects the system it has landed on, collecting system details, network configuration, and installed applications. At the same time, it captures user input and browser session cookies, which are sent back to the attacker over encrypted channels. These cookies can later be reused using tools such as browser-based cookie editors, allowing hackers to impersonate users without knowing their passwords.

When such malware discovers a corporate environment, attackers often escalate their activity. This can then quickly evolve into lateral movement, privilege escalation, and ultimately full-scale breaches or ransomware attacks. None of these outcomes are easy to handle once they unfold.

Source: HackersArise
Source Link: https://hackers-arise.com/digital-forensics-analyzing-fake-software/

Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.