Narrator.exe

  • File Path: C:\WINDOWS\system32\Narrator.exe
  • Description: Screen Reader

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SR.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/d76555a28b771caa8f1ecfe5995ce91a661b48cdc3afca2857117c4d3ecb6132/detection

Possible Misuse

The following table contains possible examples of Narrator.exe being misused. While Narrator.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | process_creation_stickykey_like_backdoor.yml | - 'Narrator.exe' | DRL 1.0 |
| sigma | win_install_reg_debugger_backdoor.yml | - 'narrator.exe' | DRL 1.0 |
| sigma | win_susp_atbroker.yml | - Narrator | DRL 1.0 |
| sigma | registry_event_stickykey_like_backdoor.yml | - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' | DRL 1.0 |
| sigma | sysmon_narrator_feedback_persistance.yml | title: Narrator's Feedback-Hub Persistence | DRL 1.0 |
| sigma | sysmon_narrator_feedback_persistance.yml | description: Detects abusing Windows 10 Narrator's Feedback-Hub | DRL 1.0 |
| atomic-red-team | T1546.008.md | Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | * Narrator: C:\Windows\System32\Narrator.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | \| parent_list \| Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" \| String \| osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\| | MIT License. © 2018 Red Canary |
| signature-base | thor_inverse_matches.yar | description = "Abnormal narrator.exe - typical strings not found in file" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win7 = "Microsoft-Windows-Narrator" wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win2000 = "&About Narrator…" wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp = "Software\Microsoft\Narrator" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "narrator.exe" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.