Narrator.exe
- File Path:
C:\WINDOWS\system32\Narrator.exe - Description: Screen Reader
Hashes
| Type | Hash |
|---|---|
| MD5 | 15BD1083D0023B7C8B9FF75F5FA229D5 |
| SHA1 | DEAD18081A166AF0D65828CA1BDA9A64473F5A39 |
| SHA256 | D76555A28B771CAA8F1ECFE5995CE91A661B48CDC3AFCA2857117C4D3ECB6132 |
| SHA384 | 4F8C1D85A510ECB2ED9FDC0E6915229F95A71BC6A8CF5B6F400BB783CC4379B12FAF30D87847C77C4466CD1EC99FC866 |
| SHA512 | 330861EFE057C769AA5ACA8884B45B09AB4A0B2BC7B1448076DB7D39DCBDF6D01B2EF9227D0B43B74EC8D162DC4F21446F4B8F787B3D8A832B632DC5B6FC1498 |
| SSDEEP | 6144:FrMGgvq9I/FAq5djzIBtWag0e37l0NiiUGfiPvLPoAU+cyxRh0rr4x8:RgNdjqKNLl0NcGePcah0rA8 |
| IMP | D6C0E04BD4AC734AB64E548519ACBD2A |
| PESHA1 | 7AFAA5F094499F9BB161CC3EC9D52F120783C46F |
| PE256 | E1D0F089E443FE2F3BDFB73A11C9232B95D8D9DBA59F178735BD23FF95F24420 |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: SR.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/d76555a28b771caa8f1ecfe5995ce91a661b48cdc3afca2857117c4d3ecb6132/detection
Possible Misuse
The following table contains possible examples of Narrator.exe being misused. While Narrator.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_install_reg_debugger_backdoor.yml | - 'narrator.exe' |
DRL 1.0 |
| sigma | proc_creation_win_stickykey_like_backdoor.yml | - 'Narrator.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_atbroker.yml | - Narrator |
DRL 1.0 |
| sigma | registry_event_narrator_feedback_persistance.yml | title: Narrator's Feedback-Hub Persistence |
DRL 1.0 |
| sigma | registry_event_narrator_feedback_persistance.yml | description: Detects abusing Windows 10 Narrator's Feedback-Hub |
DRL 1.0 |
| sigma | registry_event_stickykey_like_backdoor.yml | - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' |
DRL 1.0 |
| atomic-red-team | T1546.008.md | Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | * Narrator: C:\Windows\System32\Narrator.exe |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| | MIT License. © 2018 Red Canary |
| signature-base | thor_inverse_matches.yar | description = “Abnormal narrator.exe - typical strings not found in file” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win7 = “Microsoft-Windows-Narrator” wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win2000 = “&About Narrator…” wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp = “Software\Microsoft\Narrator” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == “narrator.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.