explorer.exe

  • File Path: C:\Windows\SysWOW64\explorer.exe
  • Description: Windows Explorer

Hashes

Type Hash
MD5 AA0CA518E66F290FE0BAC6169473E8A9
SHA1 60E3F357B06AF9EB84FB9019BF08FB4DD109D4EC
SHA256 0D7CB0B75CD61CDFFE0E53910829FFA5C02C8759EBD27A49E2EF7A907A10E506
SHA384 9EF43F15495851E67AD8D758B34A318D8331631295C101DBE8FAF7FB1548B6F84795988D9C759F8C8EB03C613D252B33
SHA512 35ACAD9DA3161873B21F73516F351C8C6F7FD49DD2B8E23105E230D8DAB97C15607AF7F8EA3725F2C013D11CDB0B95CF26DD556E713ADC134EC8354CAB494869
SSDEEP 49152:7LSf3pfF98als35V86y45nxm2GwHEbcOeZaauUgrKo/Ww8A7/eFwjDvv:o3pf38LVs45nI2GwHEY1A9jrcw8a0cD
IMP FBEBD61CE702929C1F33B522FD572C5D
PESHA1 C8C30FDF3FD62E19528B0107BF1A200432CB6421
PE256 435B9896B5C6E8F54F375B5BBCDF1587319DB9B52D2AF7D50D1EB35AEE108DD0

Runtime Data

Child Processes:

mmc.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\explorer.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: EXPLORER.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/0d7cb0b75cd61cdffe0e53910829ffa5c02c8759ebd27a49e2ef7a907a10e506/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\explorer.exe 40
C:\Windows\explorer.exe 29
C:\Windows\explorer.exe 33
C:\Windows\SysWOW64\explorer.exe 30

Possible Misuse

The following table lists examples of explorer.exe appearing in detection rules, red-team test content and threat intelligence. explorer.exe is not inherently malicious, but its legitimate functionality can be abused: it launches other executables on request (including via /root, which breaks the process tree, and /NOUACCHECK, which lets its children skip UAC checks), it is the trusted logon shell configured under Winlogon\Shell, it is the parent process that spoofed or injected code tries to blend in under, and its name and path are borrowed by masquerading malware.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\explorer.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\explorer.exe' DRL 1.0
sigma image_load_uipromptforcreds_dlls.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\explorer.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage|endswith: '\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\Explorer.EXE' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml TargetImage: 'C:\Windows\Explorer.EXE' DRL 1.0
sigma proc_creation_win_embed_exe_lnk.yml ParentImage: C:\Windows\explorer.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\explorer.exe' # dcomexec ShellBrowserWindow DRL 1.0
sigma proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml - 'explorer.exe' DRL 1.0
sigma proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml - 'C:\WINDOWS\Explorer.EXE' DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml - '\explorer.exe' DRL 1.0
sigma proc_creation_win_renamed_megasync.yml ParentImage|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_susp_explorer.yml title: Proxy Execution Via Explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml description: Attackers can use explorer.exe for evading defense mechanisms DRL 1.0
sigma proc_creation_win_susp_explorer.yml - \explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml - explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml - Legitimate explorer.exe run from cmd.exe DRL 1.0
sigma proc_creation_win_susp_explorer_break_proctree.yml description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer DRL 1.0
sigma proc_creation_win_susp_explorer_break_proctree.yml - 'explorer.exe' DRL 1.0
sigma proc_creation_win_susp_explorer_nouaccheck.yml description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub processes of that newly started explorer.exe to run without any UAC checks DRL 1.0
sigma proc_creation_win_susp_explorer_nouaccheck.yml Image|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_susp_razorinstaller_explorer.yml description: Detects an explorer.exe sub process of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM DRL 1.0
sigma proc_creation_win_susp_razorinstaller_explorer.yml - User selecting a different installation folder (check for other sub processes of this explorer.exe process) DRL 1.0
sigma proc_creation_win_susp_userinit_child.yml Image|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\explorer.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - Image: 'C:\Windows\explorer.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma registry_event_modify_screensaver_binary_path.yml - '\explorer.exe' DRL 1.0
LOLBAS Explorer.yml Name: Explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe calc.exe  
LOLBAS Explorer.yml Description: 'Executes calc.exe as a subprocess of explorer.exe.'  
LOLBAS Explorer.yml - c:\windows\explorer.exe  
LOLBAS Explorer.yml - c:\windows\sysWOW64\explorer.exe  
LOLBAS Explorer.yml Name: Explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"  
LOLBAS Explorer.yml Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe C:\Windows\System32\notepad.exe  
LOLBAS Explorer.yml - Path: C:\Windows\explorer.exe  
LOLBAS Explorer.yml - Path: C:\Windows\SysWOW64\explorer.exe  
LOLBAS Explorer.yml - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.  
LOLBAS Procdump.yml - Command: procdump.exe -md calc.dll explorer.exe  
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
malware-ioc win_apt_invisimole_wrapper_dll.yml - '\Windows\explorer.exe' © ESET 2014-2018
atomic-red-team T1134.004.md Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(20,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A3&"")" MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(22,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A2&"")" MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Shell" "explorer.exe, #{binary_to_execute}" -Force MIT License. © 2018 Red Canary
signature-base apt_poisonivy_gen3.yar $s5 = "Explorer.exe" fullword wide CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = "Explorer.exe \"" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 31 times */ CC BY-NC 4.0
signature-base apt_rancor.yar $x2 = "CreateObject(\"Wscript.Shell\").Run \"explorer.exe \"\"http" ascii CC BY-NC 4.0
signature-base apt_stuxnet.yar $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe" CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = "explorer.exe" wide CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of explorer.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "explorer.exe" CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = "explorer.exe http://www.hackdos.com" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "Explorer.exe" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Abnormal explorer.exe - typical strings not found in file" CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = "EXPLORER.EXE" wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "explorer.exe" CC BY-NC 4.0
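As an added example (not Strontic's, Sigma's, LOLBAS's or Red Canary's code), the Python below turns several rows of the table above into checks that run over Sysmon-style events: the /root process-tree break, plain proxy execution, the /NOUACCHECK flag, a masquerading copy outside the two paths listed on this page, a hash that differs from the SHA256 documented at the top of this page for build 10.0.17763.1, PowerShell without explorer.exe as its parent, and a modified Winlogon\Shell value. Field names (Image, CommandLine, ParentImage, Hashes, TargetObject, Details) follow Sysmon event IDs 1 and 13; the sample events are constructed here, not captured telemetry.

```python
"""Checks for the explorer.exe misuse patterns tabulated above, evaluated over
Sysmon-style events. Added example, not Strontic, Sigma or LOLBAS code."""
import re
from typing import Dict, List

# The two legitimate locations listed on this page.
EXPECTED_PATHS = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}

# SHA256 of the SysWOW64 build documented above (10.0.17763.1). Every Windows
# build ships a different explorer.exe, so this allowlists one build only.
KNOWN_SHA256 = {
    r"c:\windows\syswow64\explorer.exe":
        "0D7CB0B75CD61CDFFE0E53910829FFA5C02C8759EBD27A49E2EF7A907A10E506",
}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _sha256(hashes: str) -> str:
    """Pull SHA256 out of Sysmon's 'MD5=...,SHA256=...,IMPHASH=...' field."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes or "")
    return m.group(1).upper() if m else ""


def check_process(ev: Dict[str, str]) -> List[str]:
    """Misuse patterns matched by one process-creation event (Sysmon EID 1)."""
    hits: List[str] = []
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    if _basename(image) == "explorer.exe":
        # "/root," works like "cmd /c" but re-parents the child to a fresh
        # explorer instance (proc_creation_win_susp_explorer_break_proctree).
        if re.search(r"/root\s*,", cmd, re.I):
            hits.append("explorer_root_proctree_break")
        # "explorer.exe <target>.exe": proxy execution (LOLBAS Explorer.yml).
        elif re.search(r"\s\S+\.exe\b", cmd, re.I):
            hits.append("explorer_proxy_execution")
        # Children of an explorer started with /NOUACCHECK skip UAC checks.
        if re.search(r"/nouaccheck", cmd, re.I):
            hits.append("explorer_nouaccheck")
        # Masquerading: trusted name, untrusted location.
        if image.lower() not in EXPECTED_PATHS:
            hits.append("explorer_path_anomaly")
        # Documented path, but a hash other than the documented build's.
        expected = KNOWN_SHA256.get(image.lower())
        if expected and _sha256(ev.get("Hashes", "")) != expected:
            hits.append("explorer_hash_mismatch")
    # PowerShell whose parent is not the interactive shell
    # (proc_creation_win_non_interactive_powershell).
    if (_basename(image) in ("powershell.exe", "pwsh.exe")
            and _basename(ev.get("ParentImage", "")) != "explorer.exe"):
        hits.append("non_interactive_powershell")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Winlogon\\Shell set to anything but explorer.exe (T1547.004, Sysmon EID 13)."""
    target = ev.get("TargetObject", "").lower()
    shell = ev.get("Details", "").strip().lower()
    if target.endswith(r"\winlogon\shell") and shell != "explorer.exe":
        return ["winlogon_shell_modified"]
    return []


def run(events) -> Dict[int, List[str]]:
    """Map event index -> matched patterns, for the events that matched anything."""
    dispatch = {1: check_process, 13: check_registry}
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = dispatch.get(ev.get("EventID"), lambda _: [])(ev)
        if hits:
            results[i] = hits
    return results


# Constructed Sysmon-style events for illustration; not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",  # 0: normal logon shell
     "CommandLine": r"C:\Windows\Explorer.EXE",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",  # 1: process-tree break
     "CommandLine": r'explorer.exe /root,"C:\Windows\System32\calc.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",  # 2: UAC-check bypass flag
     "CommandLine": "explorer.exe /NOUACCHECK",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\explorer.exe",  # 3: masquerading copy
     "CommandLine": r"C:\Users\Public\explorer.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\explorer.exe",  # 4: unknown hash
     "CommandLine": r"C:\Windows\SysWOW64\explorer.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "A" * 64},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA",  # 5: non-interactive
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 13,  # 6: logon persistence via Winlogon\Shell
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\Public\update.exe"},
]

if __name__ == "__main__":
    for idx, hits in run(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Two caveats a practitioner would apply. The hash check only validates the one build documented on this page; every Windows update ships a new explorer.exe, so treat a mismatch as a prompt to verify the Authenticode signature against the signer listed above rather than as malicious on its own. The LOLBAS IOC "multiple instances of explorer.exe" needs per-host state across events, which a per-event function cannot express. The Sigma rules also carry their own false-positive notes (for example a legitimate explorer.exe run from cmd.exe), so triage proxy-execution hits with the parent process and command line in view.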

MIT License. Copyright (c) 2020-2021 Strontic.