explorer.exe

  • File Path: C:\WINDOWS\SysWOW64\explorer.exe
  • Description: Windows Explorer

Hashes

Type Hash
MD5 00974A3EC781EE51D73C44F8FB64E85F
SHA1 1C933A34B133CBD236770A5CE503B7CD86C99BD3
SHA256 3F4B611114C73A1E72DC0E42D1FF6999B6615DBF44C6EFB11068D661660E17B6
SHA384 CAE459B5601F32AF755D521E0641A9DF76C1AB7686C93158EA1B015E03C3BC50E56E7E1BBD889941961A1BE7CAEBE656
SHA512 2F43ECB3C8018CEB47690838E8961116C8426A9F1121DD0B41111A21CB6E0BE909BC958FD10EEB7576EE160036A8038552BA54BC139E80A23BE2F2D67A186404
SSDEEP 98304:Uxw0o0BbRu2/FEmURvXNnlabPdIko257MwxfNyOQAd5uRYX63OwgxXuNjnBgYFFj:Uxw0o0ZRu2/FEmURvXibPdXxhQAd5uRj
IMP 2AF886897DDB5431D71D35DEEE5FBD1C
PESHA1 3B0C64F176172D63E96FEE2E396CA695889E898A
PE256 FC98DBFD39A5D560252FF09677ED3EE06F8C7738125B726471F68302C43BCA7C

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\explorer.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: EXPLORER.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.184 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.184
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/3f4b611114c73a1e72dc0e42d1ff6999b6615dbf44c6efb11068d661660e17b6/detection

Possible Misuse

The following table contains possible examples of explorer.exe being misused. While explorer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\explorer.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\explorer.exe' DRL 1.0
sigma image_load_uipromptforcreds_dlls.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\explorer.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage|endswith: '\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\Explorer.EXE' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml TargetImage: 'C:\Windows\Explorer.EXE' DRL 1.0
sigma proc_creation_win_embed_exe_lnk.yml ParentImage: C:\Windows\explorer.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\explorer.exe' # dcomexec ShellBrowserWindow DRL 1.0
sigma proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml - 'explorer.exe' DRL 1.0
sigma proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml - 'C:\WINDOWS\Explorer.EXE' DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml - '\explorer.exe' DRL 1.0
sigma proc_creation_win_renamed_megasync.yml ParentImage|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_susp_explorer.yml title: Proxy Execution Via Explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml description: Attackers can use explorer.exe for evading defense mechanisms DRL 1.0
sigma proc_creation_win_susp_explorer.yml - \explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml - explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml - Legitimate explorer.exe run from cmd.exe DRL 1.0
sigma proc_creation_win_susp_explorer_break_proctree.yml description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer DRL 1.0
sigma proc_creation_win_susp_explorer_break_proctree.yml - 'explorer.exe' DRL 1.0
sigma proc_creation_win_susp_explorer_nouaccheck.yml description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub processes of that newly started explorer.exe to run without any UAC checks DRL 1.0
sigma proc_creation_win_susp_explorer_nouaccheck.yml Image|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_susp_razorinstaller_explorer.yml description: Detects an explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM DRL 1.0
sigma proc_creation_win_susp_razorinstaller_explorer.yml - User selecting a different installation folder (check for other sub processes of this explorer.exe process) DRL 1.0
sigma proc_creation_win_susp_userinit_child.yml Image|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\explorer.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - Image: 'C:\Windows\explorer.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma registry_event_modify_screensaver_binary_path.yml - '\explorer.exe' DRL 1.0
LOLBAS Explorer.yml Name: Explorer.exe
LOLBAS Explorer.yml - Command: explorer.exe calc.exe
LOLBAS Explorer.yml Description: 'Executes calc.exe as a subprocess of explorer.exe.'
LOLBAS Explorer.yml - c:\windows\explorer.exe
LOLBAS Explorer.yml - c:\windows\sysWOW64\explorer.exe
LOLBAS Explorer.yml Name: Explorer.exe
LOLBAS Explorer.yml - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
LOLBAS Explorer.yml Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
LOLBAS Explorer.yml - Command: explorer.exe C:\Windows\System32\notepad.exe
LOLBAS Explorer.yml - Path: C:\Windows\explorer.exe
LOLBAS Explorer.yml - Path: C:\Windows\SysWOW64\explorer.exe
LOLBAS Explorer.yml - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.
LOLBAS Procdump.yml - Command: procdump.exe -md calc.dll explorer.exe
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
malware-ioc win_apt_invisimole_wrapper_dll.yml - '\Windows\explorer.exe' © ESET 2014-2018
atomic-red-team T1134.004.md Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(20,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A3&"")" MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(22,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A2&"")" MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Shell" "explorer.exe, #{binary_to_execute}" -Force MIT License. © 2018 Red Canary
signature-base apt_poisonivy_gen3.yar $s5 = "Explorer.exe" fullword wide CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = "Explorer.exe \"" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occurred 22 times */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occurred 31 times */ CC BY-NC 4.0
signature-base apt_rancor.yar $x2 = "CreateObject(\"Wscript.Shell\").Run \"explorer.exe \"\"http" ascii CC BY-NC 4.0
signature-base apt_stuxnet.yar $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe" CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = "explorer.exe" wide CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of explorer.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "explorer.exe" CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = "explorer.exe http://www.hackdos.com" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "Explorer.exe" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Abnormal explorer.exe - typical strings not found in file" CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = "EXPLORER.EXE" wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "explorer.exe" CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.