Locator.exe

  • File Path: C:\Windows\system32\Locator.exe
  • Description: Rpc Locator

Hashes

Type Hash
MD5 D45676C47616B9ABBFAEC97DD3B240A8
SHA1 DEFE4561F0A6B279CACC18E8B92728046709110C
SHA256 E13985D667F66B7A0082356F23270F61A57B8C2DD211B1E09D66D7970D7B4D6A
SHA384 2868B875D0A9A8A5D3DCDB4832D79BC268F7204486A5640043EF671393F9E02AF928E1102E64957BC8BF978A7A6EBD21
SHA512 227BFC40E7553A061B5E09C630897797C53DDD5E582D9D2D264AE28407D4320EC89EAF0E18680AC7D17699CFB327366BF9AACBB56CC743D72258B82B0D0FE0CD
SSDEEP 192:uOMwhqSgiDsX8xMxbPurbzEjd9/cGmSrsa1q18oDD9Ge8r1mDqW0lW:OwASH/qbGrbOc+rpo1ZDdtDqW0lW
IMP CBECBDF0E16268273DCA4CB132D15D23
PESHA1 25123A0F52177618E52128C2F505AFE6E2463742
PE256 28660B13BBC8C844CAA61992E330AE95F4E535299B73BA0FA419E9B73E9A15FE

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\Locator.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: locator.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/e13985d667f66b7a0082356f23270f61a57b8c2dd211b1e09d66d7970d7b4d6a/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\Locator.exe 43
C:\Windows\system32\Locator.exe 41
C:\WINDOWS\system32\Locator.exe 40

Possible Misuse

The following table contains possible examples of Locator.exe being misused. While Locator.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)\n\nAdversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.\n\nRegsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: SubTee Regsvr32 Whitelisting Bypass) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nDetection: Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nPlatforms: Windows\n\nData Sources: Loaded DLLs, Process monitoring, Process command-line parameters, Windows Registry\n\nDefense Bypassed: Process whitelisting, Anti-virus\n\nPermissions Required: User, Administrator\n\nRemote Support: No\n\nContributors: Casey Smith", © ESET 2014-2018
atomic-red-team T1218.010.md Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a “Squiblydoo” attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) MIT License. © 2018 Red Canary
signature-base apt_project_sauron_extras.yar $s4 = “Network Configuration Locator” fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.