Utilman.exe

  • File Path: C:\Windows\SysWOW64\Utilman.exe
  • Description: Utility Manager

Hashes

  • MD5: 4F59EE095E37A83CDCB74091C807AFA9
  • SHA1: 0980653AF6BB624B84E14A57EC860A6C2D76ADA2
  • SHA256: 15690DA8F4651C5F67170D672B54F463FAF664E43903F35AC0DB0B0176DB61AE
  • SHA384: C00D701C166549F105A9E0E001D98A1598EC4240D7B25C6276E3D5AC37887316F274573EAC1E76BE79256A12F6D0EE60
  • SHA512: 97CC78A8CEC79F04D089D8E1BF5509C497C81310FB74EA8A99DFDFEBC39C4150EDF264D2DB4B01E145D4CDB988E0EB31BA6444F62782D56E07B9ECC7800868F2
  • SSDEEP: 1536:p6JfCO3s6d1inu89TIf40P+/VlqT+FhFKqzPlliSPTcqgoLSbgvVoZtn79/MVGhW:OfCkPi39u+/2T+FhFKsSpQ
  • IMP: 4B4C1E1CAFB5E924F5C11455D2B07507
  • PESHA1: 689DF64F6EB12F7FCA262A45A95B4745766D089A
  • PE256: C8519ADE4BBD11187B598831C658FD00F06E0A462F4760508532CC83FE4F8B06

Runtime Data

Loaded Modules:

  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll
  • C:\Windows\SysWOW64\Utilman.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: utilman2.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.746 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.746
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/15690da8f4651c5f67170d672b54f463faf664e43903f35ac0db0b0176db61ae/detection

File Similarity (ssdeep match)

  • C:\Windows\SysWOW64\Utilman.exe: score 49
  • C:\Windows\SysWOW64\Utilman.exe: score 54
  • C:\Windows\SysWOW64\Utilman.exe: score 57
  • C:\WINDOWS\SysWOW64\Utilman.exe: score 46

Possible Misuse

The following table contains possible examples of Utilman.exe being misused. While Utilman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • sigma, process_creation_stickykey_like_backdoor.yml (DRL 1.0): 'utilman.exe'
  • sigma, win_install_reg_debugger_backdoor.yml (DRL 1.0): 'utilman.exe'
  • sigma, registry_event_stickykey_like_backdoor.yml (DRL 1.0): '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
  • atomic-red-team, T1546.008.md (MIT License. © 2018 Red Canary): Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)
  • atomic-red-team, T1546.008.md (MIT License. © 2018 Red Canary): For simple binary replacement on Windows XP and later as well as Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
  • atomic-red-team, T1546.008.md (MIT License. © 2018 Red Canary): | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe |
  • atomic-red-team, T1546.012.md (MIT License. © 2018 Red Canary): Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
  • signature-base, thor_inverse_matches.yar (CC BY-NC 4.0): description = “Abnormal utilman.exe - typical strings not found in file”
  • signature-base, thor_inverse_matches.yar (CC BY-NC 4.0): $win7 = “utilman.exe” wide fullword
  • signature-base, thor_inverse_matches.yar (CC BY-NC 4.0): ( filename == “utilman.exe” or filename == “Utilman.exe” )

MIT License. Copyright (c) 2020-2021 Strontic.