explorer.exe

  • File Path: C:\Windows\explorer.exe
  • Description: Windows Explorer

Hashes

Type Hash
MD5 C56BF71C18D9CB67F7B9986817A481BE
SHA1 E05B25105D7C0814F051BB81299D836B423FEA6E
SHA256 CBF28782A784112A777F37012BF170CBFAA2B2240A0CBB86A7038DEB59B989A9
SHA384 4DC62611C6CE1F914AC591088C7F8FDF6B8B3DF3AEA3DEFAB26CD48D9B2BA0F0574D4EFF924E44D484152ACCBF9A240E
SHA512 1EC71C110A1509276BCEAA3272529BA826D24B2BC471E49CD6359C8B9A58A79E4F0D24C28590EA292BA0D9CF3BB840F6961EC6A4F0095F74DD6484B9B17A5148
SSDEEP 49152:IIGPM3RviXR9lIJXJ2udyILYbbLTeBHP5iHsi0ST6UlSKYsAfLYvzEEPwiMw8A7v:ojbrAPoHsGFMw8a0cD
IMP 6F3CD846ACF8320190276CC9C905EDDC
PESHA1 3A28808002DD45210146D8C86B5F92298F077E6E
PE256 99088EDACF463A15CC14BD641B7B7B46C003F4B7F3F0689C0AC62F68138E6CBF

Runtime Data

Loaded Modules:

Path
C:\Windows\explorer.exe
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\ucrtbase.dll

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: EXPLORER.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/cbf28782a784112a777f37012bf170cbfaa2b2240a0cbb86a7038deb59b989a9/detection/

Possible Misuse

The following table contains possible examples of explorer.exe being misused. While explorer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\explorer.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\explorer.exe' DRL 1.0
sigma image_load_uipromptforcreds_dlls.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\explorer.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage|endswith: '\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\Explorer.EXE' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\explorer.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml TargetImage: 'C:\Windows\Explorer.EXE' DRL 1.0
sigma proc_creation_win_embed_exe_lnk.yml ParentImage: C:\Windows\explorer.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\explorer.exe' # dcomexec ShellBrowserWindow DRL 1.0
sigma proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml - 'explorer.exe' DRL 1.0
sigma proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml - 'C:\WINDOWS\Explorer.EXE' DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml - '\explorer.exe' DRL 1.0
sigma proc_creation_win_renamed_megasync.yml ParentImage|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_susp_explorer.yml title: Proxy Execution Via Explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml description: Attackers can use explorer.exe for evading defense mechanisms DRL 1.0
sigma proc_creation_win_susp_explorer.yml - \explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml - explorer.exe DRL 1.0
sigma proc_creation_win_susp_explorer.yml - Legitimate explorer.exe run from cmd.exe DRL 1.0
sigma proc_creation_win_susp_explorer_break_proctree.yml description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer DRL 1.0
sigma proc_creation_win_susp_explorer_break_proctree.yml - 'explorer.exe' DRL 1.0
sigma proc_creation_win_susp_explorer_nouaccheck.yml description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks DRL 1.0
sigma proc_creation_win_susp_explorer_nouaccheck.yml Image|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_susp_razorinstaller_explorer.yml description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM DRL 1.0
sigma proc_creation_win_susp_razorinstaller_explorer.yml - User selecting a different installation folder (check for other sub processes of this explorer.exe process) DRL 1.0
sigma proc_creation_win_susp_userinit_child.yml Image|endswith: '\explorer.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\explorer.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - Image: 'C:\Windows\explorer.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - 'C:\Windows\explorer.exe' DRL 1.0
sigma registry_event_modify_screensaver_binary_path.yml - '\explorer.exe' DRL 1.0
LOLBAS Explorer.yml Name: Explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe calc.exe  
LOLBAS Explorer.yml Description: 'Executes calc.exe as a subprocess of explorer.exe.'  
LOLBAS Explorer.yml - c:\windows\explorer.exe  
LOLBAS Explorer.yml - c:\windows\sysWOW64\explorer.exe  
LOLBAS Explorer.yml Name: Explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"  
LOLBAS Explorer.yml Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe  
LOLBAS Explorer.yml - Command: explorer.exe C:\Windows\System32\notepad.exe  
LOLBAS Explorer.yml - Path: C:\Windows\explorer.exe  
LOLBAS Explorer.yml - Path: C:\Windows\SysWOW64\explorer.exe  
LOLBAS Explorer.yml - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.  
LOLBAS Procdump.yml - Command: procdump.exe -md calc.dll explorer.exe  
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
malware-ioc win_apt_invisimole_wrapper_dll.yml - '\Windows\explorer.exe' © ESET 2014-2018
atomic-red-team T1134.004.md Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(20,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A3&"")" MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $sheet.Cells.Item(22,1) = "=EXEC("explorer.exe C:\Users\"&A1&"\AppData\Local\Temp\"&A2&"")" MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Shell" "explorer.exe, #{binary_to_execute}" -Force MIT License. © 2018 Red Canary
signature-base apt_poisonivy_gen3.yar $s5 = "Explorer.exe" fullword wide CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = "Explorer.exe "" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */ CC BY-NC 4.0
signature-base apt_putterpanda.yar $s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 31 times */ CC BY-NC 4.0
signature-base apt_rancor.yar $x2 = "CreateObject("Wscript.Shell").Run "explorer.exe ""http" ascii CC BY-NC 4.0
signature-base apt_stuxnet.yar $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe" CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = "explorer.exe" wide CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of explorer.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "explorer.exe" CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = "explorer.exe http://www.hackdos.com" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "Explorer.exe" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Abnormal explorer.exe - typical strings not found in file" CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = "EXPLORER.EXE" wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "explorer.exe" CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.