explorer.exe

  • File Path: C:\Program Files (x86)\Spybot - Search & Destroy 2\explorer.exe
  • Description: Malware Scanner

Hashes

Type Hash
MD5 93C039905E587E60842D0C8FF2E8988E
SHA1 DAAF67DAFE759EEDAFF88C124E4E14DB21E57115
SHA256 6E6D555985FDDA76C9926613C72A53E77E63B874532B3B631F30F475C32886ED
SHA384 3B44E6231539CB0B234EF1CF81C2BE9EB3039933241001324BF31A8CECDA58BD21BF9D1062323946D369982DF3C3C5BF
SHA512 C53753C29E500196B6211D9C738C942A8349463EBFD813EBCD1E8A9D4B4F3613564D5699A009631399961B62E55CBBB1B86262EF5B8FF0C14EBD9D7B2AF83792
SSDEEP 98304:cXSfswygMXZ0LQtFShzaWvrO9cWyKc1ByjAL5/iqt2Tg:Y0LQCvrscDBlZME
IMP 95B742C22A16AABE6F8CF41CC3DA58E3
PESHA1 5AC7D9ACBDF70172791893E60FFE6F665391A700
PE256 D88B7944619D6A4D6903297B6F05C12505F5CB98EDF1BEFA6085E942DDF7E043

Runtime Data

Window Title:

System Scan (Spybot - Search & Destroy 2.7, administrator privileges)

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\crypt32.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df\comctl32.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RW-) C:\xCyclopedia File
(RWD) C:\Users File
(RWD) C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\ShmNPA_UnitVersioning_7900 Section
\Sessions\1\BaseNamedObjects\Spybot2.MMF.ConquestProgress Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\Windows\Theme2547664911 Section
\Windows\Theme3854699184 Section

Loaded Modules:

Path
C:\Program Files (x86)\Spybot - Search & Destroy 2\explorer.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 0B3FD32E39B247B09C8040571D6AD2F3
  • Thumbprint: 9A32249E9A6B9CF5C36B0749C81613524D37C594
  • Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Safer-Networking Ltd., O=Safer-Networking Ltd., L=Greystones, S=County Wicklow, C=IE, STREET=Unit 5 Watson & Johnson Centre, SERIALNUMBER=377893, OID.1.3.6.1.4.1.311.60.2.1.3=IE, OID.2.5.4.15=Private Organization

File Metadata

  • Original Filename: SDScan.exe
  • Product Name: Spybot - Search & Destroy
  • Company Name: Safer-Networking Ltd.
  • File Version: 2.7.64.191
  • Product Version: 2.7.64.0
  • Language: English (Ireland)
  • Legal Copyright: 2000-2018 Safer-Networking Ltd. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/6e6d555985fdda76c9926613c72a53e77e63b874532b3b631f30f475c32886ed/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDBootCD.exe 33
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe 30
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFiles.exe 32
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelp.exe 30
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe 33
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDLogReport.exe 32
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDPEStart.exe 32
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDPhoneScan.exe 40
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDPrepPos.exe 41
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDQuarantine.exe 30
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDRootAlyzer.exe 35
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSBIEdit.exe 32
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe 100
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScript.exe 36
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSettings.exe 27
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDShred.exe 35
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSysRepair.exe 32
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTools.exe 29
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe 36
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe 33
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWelcome.exe 33

Possible Misuse

The following table contains possible examples of explorer.exe being misused. While explorer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_creation_system_file.yml - '*\explorer.exe' DRL 1.0
sigma sysmon_susp_desktop_ini.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma sysmon_logon_scripts_userinitmprlogonscript_proc.yml Image: '*\explorer.exe' DRL 1.0
sigma win_impacket_lateralization.yml # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe DRL 1.0
sigma win_impacket_lateralization.yml - '*\explorer.exe' # dcomexec ShellBrowserWindow DRL 1.0
sigma win_non_interactive_powershell.yml description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. DRL 1.0
sigma win_non_interactive_powershell.yml ParentImage\|endswith: '\explorer.exe' DRL 1.0
sigma win_susp_explorer_break_proctree.yml description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer DRL 1.0
sigma win_susp_explorer_break_proctree.yml - 'explorer.exe' DRL 1.0
sigma win_susp_userinit_child.yml Image: '*\explorer.exe' DRL 1.0
sigma win_system_exe_anomaly.yml - '*\explorer.exe' DRL 1.0
sigma win_system_exe_anomaly.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\explorer.exe' DRL 1.0
LOLBAS Explorer.yml Name: Explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe calc.exe  
LOLBAS Explorer.yml Description: 'Executes calc.exe as a subprocess of explorer.exe.'  
LOLBAS Explorer.yml - c:\windows\explorer.exe  
LOLBAS Explorer.yml - c:\windows\sysWOW64\explorer.exe  
LOLBAS Explorer.yml Name: Explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"  
LOLBAS Explorer.yml Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe C:\Windows\System32\notepad.exe  
LOLBAS Explorer.yml - Path: C:\Windows\explorer.exe  
LOLBAS Explorer.yml - Path: C:\Windows\SysWOW64\explorer.exe  
LOLBAS Explorer.yml - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.  
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
atomic-red-team hta.md Using COM objects, mshta runs with no child processes. Explorer.exe spawns and executes cmd -> calc. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(20,1) = “=EXEC("explorer.exe C:\Users\“&A1&"\AppData\Local\Temp\“&A3&"”)” MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(22,1) = “=EXEC("explorer.exe C:\Users\“&A1&"\AppData\Local\Temp\“&A2&"”)” MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" “Shell” “explorer.exe, #{binary_to_execute}” -Force MIT License. © 2018 Red Canary
signature-base apt_poisonivy_gen3.yar $s5 = “Explorer.exe” fullword wide CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = “Explorer.exe "” fullword ascii /* PEStudio Blacklist: strings / / score: ‘16.05’ */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = “EXPLORER.EXE” fullword ascii /* PEStudio Blacklist: strings / / score: ‘4.98’ / / Goodware String - occured 22 times */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s3 = “explorer.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘4.97’ / / Goodware String - occured 31 times */ CC BY-NC 4.0
signature-base apt_rancor.yar $x2 = “CreateObject("Wscript.Shell").Run "explorer.exe ""http” ascii CC BY-NC 4.0
signature-base apt_stuxnet.yar $s1 = “SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = “explorer.exe http://bbs.yesmybi.net” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = “explorer.exe http://user.qzone.qq.com/568148075” fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “Codeeer Explorer.exe” fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = “explorer.exe” wide CC BY-NC 4.0
signature-base generic_anomalies.yar description = “Detects uncommon file size of explorer.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “explorer.exe” CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “explorer.exe http://www.hackdos.com” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = “Explorer.exe” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “ERROR: FindProcessByName(‘explorer.exe’)” fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Abnormal explorer.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = “EXPLORER.EXE” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “explorer.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.