Narrator.exe

  • File Path: C:\windows\SysWOW64\Narrator.exe
  • Description: Screen Reader

Hashes

Type Hash
MD5 BFB758841FC3EBBB98D9AFF1F530487F
SHA1 C9891AD96EBA140E85DE4EC18394C3B2D4A4440C
SHA256 59868A0B228CDD2A69EFC6B46E2D252F8BF694491E437BB32618ADC771541E51
SHA384 9A04450C81FD9D6F8BF0260D988222ABC4439C19F073F95A65EEC0741804F923D3B5A893005A44392FBB4816B429D58B
SHA512 601F7271CF338F0B542D1D0460DF1015E153D5C08648B670839A9A27DD24DEBA0E09D947C71C918AD1D704FB4D0C4B78C683C8C51D4898F71871DDC950E7171E
SSDEEP 1536:HwPf9iWBz6SE9zx4fBxzXi4qd6N3rArBOLrrLbwM+cJ:sliWh6f9FKi4Z+BO/fbV+O

Signature

  • Status: The file C:\windows\SysWOW64\Narrator.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: SR.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
  • Product Version: 6.3.9600.17415
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\windows\system32\Narrator.exe 93

Possible Misuse

The following table contains possible examples of Narrator.exe being misused. While Narrator.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\narrator.exe*' DRL 1.0
sigma sysmon_narrator_feedback_persistance.yml title: Narrator's Feedback-Hub Persistence DRL 1.0
sigma sysmon_narrator_feedback_persistance.yml description: Detects abusing Windows 10 Narrator's Feedback-Hub DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe Narrator.exe *' DRL 1.0
atomic-red-team T1546.008.md Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md * Narrator: C:\Windows\System32\Narrator.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal narrator.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win7 = “Microsoft-Windows-Narrator” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win2000 = “&About Narrator…” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = “Software\Microsoft\Narrator” CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “narrator.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.