Narrator.exe
- File Path:
C:\Windows\system32\Narrator.exe - Description: Screen Reader
Hashes
| Type | Hash |
|---|---|
| MD5 | E70F18EA635D530B901D5EC31451DDB8 |
| SHA1 | C95F5A1434732269C107800A4425D9D9284851D7 |
| SHA256 | 245ACF99ED057FD62FE0B1016F2D2D7B144A9246953BE01580794C0C8559052E |
| SHA384 | A054C1E984811C2674808398E66C7ADE297EC4DE5E3EF2E60133FD1DA2536B9665B85E3B765058E095DD7D103BAD9AEF |
| SHA512 | BB00562F227369CFAD1B0D8AFD64E30FCE9090228C590CA1155A2F9A12BE7055259F7297A3793DE6345EC032D2CE620E4FA01D090BBF9AE6A56DB71CA099EB70 |
| SSDEEP | 6144:4eAkMWcB6AOKGURBat2Zbb0qpMQQFgZKUVMLWF:DJVAEHt2ZUCAuVMiF |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: SR.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\Narrator.exe | 32 |
Possible Misuse
The following table contains possible examples of Narrator.exe being misused. While Narrator.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_install_reg_debugger_backdoor.yml | - 'narrator.exe' |
DRL 1.0 |
| sigma | proc_creation_win_stickykey_like_backdoor.yml | - 'Narrator.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_atbroker.yml | - Narrator |
DRL 1.0 |
| sigma | registry_event_narrator_feedback_persistance.yml | title: Narrator's Feedback-Hub Persistence |
DRL 1.0 |
| sigma | registry_event_narrator_feedback_persistance.yml | description: Detects abusing Windows 10 Narrator's Feedback-Hub |
DRL 1.0 |
| sigma | registry_event_stickykey_like_backdoor.yml | - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' |
DRL 1.0 |
| atomic-red-team | T1546.008.md | Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | * Narrator: C:\Windows\System32\Narrator.exe |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| | MIT License. © 2018 Red Canary |
| signature-base | thor_inverse_matches.yar | description = “Abnormal narrator.exe - typical strings not found in file” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win7 = “Microsoft-Windows-Narrator” wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $win2000 = “&About Narrator…” wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp = “Software\Microsoft\Narrator” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == “narrator.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.