Utilman.exe

  • File Path: C:\windows\SysWOW64\Utilman.exe
  • Description: Utility Manager

Hashes

Type Hash
MD5 6D1BFCF8A39600F2EEDCCC54C3859B2A
SHA1 4E50272690884131B7CB57809C3A65D62865F3E6
SHA256 E45961A8602EBF4BFD718B2390EA37A823E0FE201F1873889454A838FBD29F21
SHA384 EC8572D42D26C2F9CB83BD74356BFCB223148406A3CB9DD013A08C2164CA0924A8253E7FE18CEABD7A40D4D4F9C3D39E
SHA512 22F4D3B7AB126A79939D3931EAA2F99CC308848643B2402C0B68DEC657FEA4A179C3E683152495A73978BF571D6427FB410380A7C55EB5968899FA5DF76CE68A
SSDEEP 1536:AVwJFfXhBPu+N5D7Ha/3IVLE191XVWVDyofZTibtHRRIAgibiiLBJ2U+vrP:ZhB9x7ul191XV3QL

Signature

  • Status: The file C:\windows\SysWOW64\Utilman.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: utilman2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Utilman.exe being misused. While Utilman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_install_reg_debugger_backdoor.yml - 'utilman.exe' DRL 1.0
sigma proc_creation_win_stickykey_like_backdoor.yml - 'utilman.exe' DRL 1.0
sigma registry_event_stickykey_like_backdoor.yml - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal utilman.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win7 = “utilman.exe” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “utilman.exe” or filename == “Utilman.exe” ) CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.