| File name: | dism.bat |
| Full analysis: | https://app.any.run/tasks/1943c252-0a03-4e4b-962e-632514b5efab |
| Verdict: | Malicious activity |
| Analysis date: | March 21, 2024, 18:17:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with no line terminators |
| MD5: | B3EEA402371D4279E4CBEC81FA65EBE8 |
| SHA1: | 5C0F90A1F2A7ED2F8D63B6BEAE00CA6E8C1C9993 |
| SHA256: | 94ADCC5EAD3779D3B4E231B2848906B85D1B93C906615BDB1C8BC2FC91D66DE8 |
| SSDEEP: | 3:dWawtECPz2A3fN:fwlPh |
MALICIOUS
The DLL Hijacking
- DismHost.exe (PID: 4052)
SUSPICIOUS
Process drops legitimate windows executable
- Dism.exe (PID: 2036)
Starts a Microsoft application from unusual location
- DismHost.exe (PID: 4052)
Executable content was dropped or overwritten
- Dism.exe (PID: 2036)
The process creates files with name similar to system file names
- Dism.exe (PID: 2036)
INFO
Manual execution by a user
- wmpnscfg.exe (PID: 696)
- osk.exe (PID: 1368)
- cmd.exe (PID: 2548)
- osk.exe (PID: 3308)
- cmd.exe (PID: 4004)
Reads the computer name
- wmpnscfg.exe (PID: 696)
- DismHost.exe (PID: 4052)
Checks supported languages
- wmpnscfg.exe (PID: 696)
- DismHost.exe (PID: 4052)
Create files in a temporary directory
- Dism.exe (PID: 2036)
Reads the machine GUID from the registry
- DismHost.exe (PID: 4052)
Drops the executable file immediately after the start
- Dism.exe (PID: 2036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
60
Monitored processes
10
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 696 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1368 | "C:\Windows\system32\osk.exe" | C:\Windows\System32\osk.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Accessibility On-Screen Keyboard Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2036 | dism.exe /Online /Cleanup-image /Restorehealth | C:\Windows\System32\Dism.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Dism Image Servicing Utility Exit code: 87 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2548 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2648 | DISM.exe /Online /Cleanup-image /Restorehealth | C:\Windows\System32\Dism.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 740 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3256 | dism.exe /online /cleanup-image /restorehealth | C:\Windows\System32\Dism.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 740 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3308 | "C:\Windows\system32\osk.exe" | C:\Windows\System32\osk.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Accessibility On-Screen Keyboard Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3936 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\dism.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 740 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 4004 | "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 4052 | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\dismhost.exe {936EB9B2-9D83-4B3E-8C88-13A2F9169DF6} | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\DismHost.exe | Dism.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Dism Host Servicing Process Exit code: 0 Version: 6.1.7601.24499 (win7sp1_ldr.190612-0600) Modules
| |||||||||||||||
Total events
317
Read events
316
Write events
1
Delete events
0
Modification events
| (PID) Process: | (1368) osk.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp |
| Operation: | write | Name: | osk |
Value: 3 | |||
Executable files
31
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\DismCore.dll | executable | |
MD5:BAFED573EA730D8891EE7E8B96115411 | SHA256:E9FE0C7A2FE4C2C19A4E55F52118A3A093E9EE6C0A48D9D4292D940F881A24E0 | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\DismProv.dll | executable | |
MD5:3760C35AB2827D17DF7DED56F88336AC | SHA256:967654D4582578B4C8C659067C60F12C10ED372BF2AAA16A19033CACAB200C82 | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\CbsProvider.dll | executable | |
MD5:C5681F8A63C9544D2A6D93D5448606F5 | SHA256:0FB263E9A01773710C2491CBBFD4A02848457030FEDC0023EAC6BACAB828D1EA | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\en-US\IntlProvider.dll.mui | executable | |
MD5:187359D54BE36B9A20B14EA0A54CDDB8 | SHA256:B283A7CFA81342638FCC5EDE1E96499E70E90A72ECDC22110CC11BE593F9BAAD | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\en-US\SmiProvider.dll.mui | executable | |
MD5:DD31CC55818BDE492BA2EFEDF0FA3219 | SHA256:B2A1308D55A5D0A9AF9B7B0A10F096EF33E31067D99E146FB5F26E3C089E6D45 | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\CompatProvider.dll | executable | |
MD5:AA34ED1CEF804818B0C4BDAA5DF1A3E2 | SHA256:67CAF507F943FDC69FEC6C153B38EE765D571C50900A8986CEE2DE566941D1EB | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\en-US\LogProvider.dll.mui | executable | |
MD5:181620FDBDBC4DB69FB5D54AEB54EDDC | SHA256:A0B6C90317A7313D7C04C8ACFEE4DD2A7530130F18110570DF200C3B88699BB4 | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\DismHost.exe | executable | |
MD5:5E2E337F6F942B63428DB19355D6742B | SHA256:F60406C5D01B22F95C7F7298498475F0930550CBBF6BB31EB01E1E565FA175AE | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\en-US\MsiProvider.dll.mui | executable | |
MD5:98893D8D67951A2BD76AC23D0588CBF2 | SHA256:F9D4B2A4AEF6A7F4614E09D9BA3F7EBAA3783E28A988A0F188CDFA3A2A21B74E | |||
| 2036 | Dism.exe | C:\Users\admin\AppData\Local\Temp\56416BCE-8D17-4377-B6FD-397A6573A644\DismCorePS.dll | executable | |
MD5:9733B1D4E0EFCC3E11A133238B55F10F | SHA256:E07766D4908BAA9790D0C843E7A6E5CEE45DD17A84860B2CF0477D276392C97B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
DNS requests
Threats
Process | Message |
|---|---|
Dism.exe | PID=2036 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005) |
Dism.exe | PID=2036 Getting Provider OSServices - CDISMProviderStore::GetProvider |
Dism.exe | PID=2036 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect |
Dism.exe | PID=2036 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005) |
Dism.exe | PID=2036 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider |
Dism.exe | PID=2036 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider |
Dism.exe | PID=2036 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore |
Dism.exe | PID=2036 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect |
Dism.exe | PID=2036 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider |
DismHost.exe | PID=4052 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider |