Narrator.exe

  • File Path: C:\Windows\system32\Narrator.exe
  • Description: Screen Reader

Hashes

Type Hash
MD5 E70F18EA635D530B901D5EC31451DDB8
SHA1 C95F5A1434732269C107800A4425D9D9284851D7
SHA256 245ACF99ED057FD62FE0B1016F2D2D7B144A9246953BE01580794C0C8559052E
SHA384 A054C1E984811C2674808398E66C7ADE297EC4DE5E3EF2E60133FD1DA2536B9665B85E3B765058E095DD7D103BAD9AEF
SHA512 BB00562F227369CFAD1B0D8AFD64E30FCE9090228C590CA1155A2F9A12BE7055259F7297A3793DE6345EC032D2CE620E4FA01D090BBF9AE6A56DB71CA099EB70
SSDEEP 6144:4eAkMWcB6AOKGURBat2Zbb0qpMQQFgZKUVMLWF:DJVAEHt2ZUCAuVMiF

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SR.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Narrator.exe 32

Possible Misuse

The following table contains possible examples of Narrator.exe being misused. While Narrator.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\narrator.exe*' DRL 1.0
sigma sysmon_narrator_feedback_persistance.yml title: Narrator's Feedback-Hub Persistence DRL 1.0
sigma sysmon_narrator_feedback_persistance.yml description: Detects abusing Windows 10 Narrator's Feedback-Hub DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe Narrator.exe *' DRL 1.0
atomic-red-team T1546.008.md Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md * Narrator: C:\Windows\System32\Narrator.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal narrator.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win7 = “Microsoft-Windows-Narrator” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win2000 = “&About Narrator…” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = “Software\Microsoft\Narrator” CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “narrator.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.