Utilman.exe

  • File Path: C:\windows\system32\Utilman.exe
  • Description: Utility Manager

Hashes

Type Hash
MD5 273D5E4FCF4CEFA06D81004CDE0948C9
SHA1 2ADDF1B90AC8E8400839CB944E1EB71F8D07B03D
SHA256 BC805CD4495D26926171D3AC40D6730870D8C81880DBD0D4AB5F9A25B3FCEBDD
SHA384 B82DD617E7D2094D805E33D221DC89709CC71F65DC43EF3DAF16CC7C6019BB043897E843D30F3BC120E0B1E1B02A1C4B
SHA512 D4DCE8896A5514BD03EE74B8C84DD384EED332EA5F0D0EF73EF5AB2F0B1CC582F63A364730AE41F732FC8B5B2294FAC3B7C67D962C118260C37833002D594680
SSDEEP 1536:xz24Sdpr3XK1ebVeYKBFMYJD6gk8Q6YlkyYr+g3g6or:x8uIsYKBJsc+uno

Signature

  • Status: The file C:\windows\system32\Utilman.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: utilman2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Utilman.exe being misused. While Utilman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\utilman.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe utilman.exe *' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal utilman.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win7 = “utilman.exe” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “utilman.exe” or filename == “Utilman.exe” ) CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.