explorer.exe

  • File Path: C:\WINDOWS\SysWOW64\explorer.exe
  • Description: Windows Explorer

Hashes

  • MD5: B8744AC6493A5126DA7E2349D3DCAA9A
  • SHA1: 263805F279030D72A1EAA57BE9E060CFE6990649
  • SHA256: D3E93D7C3F7BFBEF756D46EA2D55290669EE7C26D82F5F7A6010C1A49A3AA2EC
  • SHA384: B45C012FA76D04F34DB179825074111F969AAB7425CDF95845C7D28EDD15A6B119279C94009D3F1FDC35BB3FBC30F5D1
  • SHA512: BC5901E9F9B1951723DB7FD0A00A61BD7D2B16F782BAFBDBFB78D03D213CB70DEBF6A8632B56B3644256F0C1A0B181684750B422C67B63A49987A2AC4304133B
  • SSDEEP: 98304:33twBJgX/DG+Q6t5Si9femwA2tHw6aSvw8a0cDM4:33twBJgX/6+Q6t5Si9femwA2tHha8wFH

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: EXPLORER.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of explorer.exe being misused. While explorer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Each entry lists the source, the source file, the matching example line, and the license:

  • sigma, sysmon_suspicious_remote_thread.yml: - '\explorer.exe' (DRL 1.0)
  • sigma, file_event_win_creation_system_file.yml: - '\explorer.exe' (DRL 1.0)
  • sigma, image_load_uipromptforcreds_dlls.yml: - 'C:\Windows\explorer.exe' (DRL 1.0)
  • sigma, image_load_wmi_module_load.yml: - '\explorer.exe' (DRL 1.0)
  • sigma, proc_access_win_cred_dump_lsass_access.yml: SourceImage|endswith: '\explorer.exe' (DRL 1.0)
  • sigma, proc_access_win_in_memory_assembly_execution.yml: - 'C:\Windows\explorer.exe' (DRL 1.0)
  • sigma, proc_access_win_in_memory_assembly_execution.yml: - 'C:\WINDOWS\Explorer.EXE' (DRL 1.0)
  • sigma, proc_access_win_in_memory_assembly_execution.yml: - 'C:\WINDOWS\explorer.exe' (DRL 1.0)
  • sigma, proc_access_win_in_memory_assembly_execution.yml: TargetImage: 'C:\Windows\Explorer.EXE' (DRL 1.0)
  • sigma, proc_creation_win_embed_exe_lnk.yml: ParentImage: C:\Windows\explorer.exe (DRL 1.0)
  • sigma, proc_creation_win_impacket_lateralization.yml: # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe (DRL 1.0)
  • sigma, proc_creation_win_impacket_lateralization.yml: - '\explorer.exe' # dcomexec ShellBrowserWindow (DRL 1.0)
  • sigma, proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml: - 'explorer.exe' (DRL 1.0)
  • sigma, proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml: - 'C:\WINDOWS\Explorer.EXE' (DRL 1.0)
  • sigma, proc_creation_win_non_interactive_powershell.yml: description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. (DRL 1.0)
  • sigma, proc_creation_win_non_interactive_powershell.yml: - '\explorer.exe' (DRL 1.0)
  • sigma, proc_creation_win_renamed_megasync.yml: ParentImage|endswith: '\explorer.exe' (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer.yml: title: Proxy Execution Via Explorer.exe (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer.yml: description: Attackers can use explorer.exe for evading defense mechanisms (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer.yml: - \explorer.exe (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer.yml: - explorer.exe (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer.yml: - Legitimate explorer.exe run from cmd.exe (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer_break_proctree.yml: description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer_break_proctree.yml: - 'explorer.exe' (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer_nouaccheck.yml: description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks (DRL 1.0)
  • sigma, proc_creation_win_susp_explorer_nouaccheck.yml: Image|endswith: '\explorer.exe' (DRL 1.0)
  • sigma, proc_creation_win_susp_razorinstaller_explorer.yml: description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM (DRL 1.0)
  • sigma, proc_creation_win_susp_razorinstaller_explorer.yml: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) (DRL 1.0)
  • sigma, proc_creation_win_susp_userinit_child.yml: Image|endswith: '\explorer.exe' (DRL 1.0)
  • sigma, proc_creation_win_system_exe_anomaly.yml: - '\explorer.exe' (DRL 1.0)
  • sigma, proc_creation_win_system_exe_anomaly.yml: - Image: 'C:\Windows\explorer.exe' (DRL 1.0)
  • sigma, sysmon_raw_disk_access_using_illegitimate_tools.yml: - 'C:\Windows\explorer.exe' (DRL 1.0)
  • sigma, registry_event_modify_screensaver_binary_path.yml: - '\explorer.exe' (DRL 1.0)
  • LOLBAS, Explorer.yml: Name: Explorer.exe
  • LOLBAS, Explorer.yml: - Command: explorer.exe calc.exe
  • LOLBAS, Explorer.yml: Description: 'Executes calc.exe as a subprocess of explorer.exe.'
  • LOLBAS, Explorer.yml: - c:\windows\explorer.exe
  • LOLBAS, Explorer.yml: - c:\windows\sysWOW64\explorer.exe
  • LOLBAS, Explorer.yml: Name: Explorer.exe
  • LOLBAS, Explorer.yml: - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"
  • LOLBAS, Explorer.yml: Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe
  • LOLBAS, Explorer.yml: - Command: explorer.exe C:\Windows\System32\notepad.exe
  • LOLBAS, Explorer.yml: - Path: C:\Windows\explorer.exe
  • LOLBAS, Explorer.yml: - Path: C:\Windows\SysWOW64\explorer.exe
  • LOLBAS, Explorer.yml: - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.
  • LOLBAS, Procdump.yml: - Command: procdump.exe -md calc.dll explorer.exe
  • malware-ioc, misp_invisimole.json: "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", (© ESET 2014-2018)
  • malware-ioc, win_apt_invisimole_wrapper_dll.yml: - '\Windows\explorer.exe' (© ESET 2014-2018)
  • atomic-red-team, T1134.004.md: Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1204.002.md: $sheet.Cells.Item(20,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A3&"")" (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1204.002.md: $sheet.Cells.Item(22,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A2&"")" (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1547.004.md: * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1547.004.md: PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1547.004.md: Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Shell" "explorer.exe, #{binary_to_execute}" -Force (MIT License. © 2018 Red Canary)
  • signature-base, apt_poisonivy_gen3.yar: $s5 = "Explorer.exe" fullword wide (CC BY-NC 4.0)
  • signature-base, apt_putterpanda.yar: $s1 = "Explorer.exe "" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */ (CC BY-NC 4.0)
  • signature-base, apt_putterpanda.yar: $s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */ (CC BY-NC 4.0)
  • signature-base, apt_putterpanda.yar: $s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 31 times */ (CC BY-NC 4.0)
  • signature-base, apt_rancor.yar: $x2 = "CreateObject("Wscript.Shell").Run "explorer.exe ""http" ascii (CC BY-NC 4.0)
  • signature-base, apt_stuxnet.yar: $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii (CC BY-NC 4.0)
  • signature-base, cn_pentestset_tools.yar: $s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */ (CC BY-NC 4.0)
  • signature-base, cn_pentestset_tools.yar: $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */ (CC BY-NC 4.0)
  • signature-base, cn_pentestset_tools.yar: description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe" (CC BY-NC 4.0)
  • signature-base, cn_pentestset_tools.yar: $s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */ (CC BY-NC 4.0)
  • signature-base, exploit_uac_elevators.yar: $s3 = "explorer.exe" wide (CC BY-NC 4.0)
  • signature-base, generic_anomalies.yar: description = "Detects uncommon file size of explorer.exe" (CC BY-NC 4.0)
  • signature-base, generic_anomalies.yar: and filename == "explorer.exe" (CC BY-NC 4.0)
  • signature-base, gen_cn_hacktools.yar: $s3 = "explorer.exe http://www.hackdos.com" fullword ascii (CC BY-NC 4.0)
  • signature-base, thor-hacktools.yar: $s1 = "Explorer.exe" fullword ascii (CC BY-NC 4.0)
  • signature-base, thor-hacktools.yar: $s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii (CC BY-NC 4.0)
  • signature-base, thor_inverse_matches.yar: description = "Abnormal explorer.exe - typical strings not found in file" (CC BY-NC 4.0)
  • signature-base, thor_inverse_matches.yar: $s1 = "EXPLORER.EXE" wide fullword (CC BY-NC 4.0)
  • signature-base, thor_inverse_matches.yar: filename == "explorer.exe" (CC BY-NC 4.0)

MIT License. Copyright (c) 2020-2021 Strontic.