Narrator.exe

  • File Path: C:\Windows\system32\Narrator.exe
  • Description: Screen Reader

Hashes

| Type | Hash |
|------|------|
| MD5 | E70F18EA635D530B901D5EC31451DDB8 |
| SHA1 | C95F5A1434732269C107800A4425D9D9284851D7 |
| SHA256 | 245ACF99ED057FD62FE0B1016F2D2D7B144A9246953BE01580794C0C8559052E |
| SHA384 | A054C1E984811C2674808398E66C7ADE297EC4DE5E3EF2E60133FD1DA2536B9665B85E3B765058E095DD7D103BAD9AEF |
| SHA512 | BB00562F227369CFAD1B0D8AFD64E30FCE9090228C590CA1155A2F9A12BE7055259F7297A3793DE6345EC032D2CE620E4FA01D090BBF9AE6A56DB71CA099EB70 |
| SSDEEP | 6144:4eAkMWcB6AOKGURBat2Zbb0qpMQQFgZKUVMLWF:DJVAEHt2ZUCAuVMiF |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SR.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|------|-------|
| C:\Windows\system32\Narrator.exe | 32 |

Possible Misuse

The following table contains possible examples of Narrator.exe being misused. While Narrator.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_creation_win_install_reg_debugger_backdoor.yml | - 'narrator.exe' | DRL 1.0 |
| sigma | proc_creation_win_stickykey_like_backdoor.yml | - 'Narrator.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_atbroker.yml | - Narrator | DRL 1.0 |
| sigma | registry_event_narrator_feedback_persistance.yml | title: Narrator's Feedback-Hub Persistence | DRL 1.0 |
| sigma | registry_event_narrator_feedback_persistance.yml | description: Detects abusing Windows 10 Narrator's Feedback-Hub | DRL 1.0 |
| sigma | registry_event_stickykey_like_backdoor.yml | - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' | DRL 1.0 |
| atomic-red-team | T1546.008.md | Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | * Narrator: C:\Windows\System32\Narrator.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | \| parent_list \| Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" \| String \| osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\| | MIT License. © 2018 Red Canary |
| signature-base | thor_inverse_matches.yar | description = "Abnormal narrator.exe - typical strings not found in file" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win7 = "Microsoft-Windows-Narrator" wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win2000 = "&About Narrator…" wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp = "Software\Microsoft\Narrator" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "narrator.exe" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.