Windows Analysis Report
explorer.exe

Overview

General Information

Sample name: explorer.exe
Analysis ID: 1545839
MD5: 84f08c4724802e588df239588fbc581e
SHA1: d395076b44e7963e8fbd481e6b10c081dcafa100
SHA256: 5b982c482fee7d7342358aec9e8586ffe3034f58975813f357059a3e9c459b45
Tags: exeuser-lontze7

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process

Classification

AV Detection

Source: explorer.exe ReversingLabs: Detection: 23%
Source: explorer.exe Virustotal: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: explorer.exe Joe Sandbox ML: detected
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: explorer.exe, explorer.exe, 00000000.00000002.1237296389.0000000140017000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000000.00000003.1235133838.0000000000550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: explorer.exe, 00000000.00000002.1237394481.000000014035C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbmmmGCTL source: explorer.exe, 00000000.00000002.1237296389.0000000140017000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000000.00000003.1235133838.0000000000550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: explorer.exe, explorer.exe, 00000000.00000002.1237394481.000000014035C000.00000040.00000001.01000000.00000003.sdmp
Source: explorer.exe, explorer.exe, 00000000.00000002.1237296389.0000000140017000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000000.00000003.1235133838.0000000000550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: explorer.exe, 00000000.00000002.1237296389.0000000140017000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000000.00000003.1235133838.0000000000550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Architecture:
Source: explorer.exe, explorer.exe, 00000000.00000002.1237296389.0000000140017000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000000.00000003.1235133838.0000000000550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet/app-launch-failed

System Summary

Source: explorer.exe Static PE information: section name:
Source: explorer.exe Static PE information: section name:
Source: explorer.exe Static PE information: section name:
Source: explorer.exe Static PE information: section name:
Source: explorer.exe Static PE information: section name:
Source: explorer.exe Static PE information: section name:
Source: explorer.exe Static PE information: Number of sections : 12 > 10
Source: explorer.exe Binary or memory string: OriginalFilename vs explorer.exe
Source: explorer.exe, 00000000.00000002.1237370652.000000014002B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCS2Cheat.dll2 vs explorer.exe
Source: explorer.exe, 00000000.00000003.1235207646.0000000000550000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCS2Cheat.dll2 vs explorer.exe
Source: explorer.exe, 00000000.00000002.1237326895.0000000140023000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCS2Cheat.dll2 vs explorer.exe
Source: explorer.exe Binary or memory string: OriginalFilenameCS2Cheat.dll2 vs explorer.exe
Source: explorer.exe Static PE information: Section: ZLIB complexity 0.9907014266304348
Source: explorer.exe Static PE information: Section: ZLIB complexity 1.0001302083333334
Source: explorer.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal80.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: unknown Process created: C:\Users\user\Desktop\explorer.exe
Source: C:\Users\user\Desktop\explorer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: explorer.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: explorer.exe String found in binary or memory: Learn more: https://aka.ms/dotnet/app-launch-failed Would you like to download it now?
Source: explorer.exe String found in binary or memory: %s App: %s Architecture: %s App host version: %s .NET location: %s Learn more: https://aka.ms/dotnet/app-launch-failed Download
Source: unknown Process created: C:\Users\user\Desktop\explorer.exe "C:\Users\user\Desktop\explorer.exe"
Source: C:\Users\user\Desktop\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\explorer.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\explorer.exe Section loaded: kernel.appcore.dll
Source: explorer.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: explorer.exe Static file information: File size 3764752 > 1048576
Source: explorer.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x382800
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: explorer.exe Static PE information: section name: .themida
Source: explorer.exe Static PE information: section name: .boot
Source: explorer.exe Static PE information: section name: entropy: 7.9595214294322725

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\explorer.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\explorer.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\explorer.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\explorer.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\explorer.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\explorer.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\Desktop\explorer.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\explorer.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\explorer.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\explorer.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\explorer.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\explorer.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\explorer.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\explorer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\explorer.exe Process queried: DebugObjectHandle
No contacted IP information