Utilman.exe

  • File Path: C:\WINDOWS\system32\Utilman.exe
  • Description: Utility Manager

Hashes

Type Hash
MD5 8733CD4DEFF08D1890BDB1E97A217335
SHA1 E64F7D32ACD1F95008B54DD905D4B6ADDC91D0EE
SHA256 EF6074ADEF9DA1CCA918668221E1CC8E44DC9C82F954F524C58A745A9C41C0DA
SHA384 3C0AB6B24BCE9500F65E5D4F08CB78876CBE9F133C7C72DEB90D6F434BAE11E981B546DA238480AA6CD23AEDDF430BFB
SHA512 C069ADE1E68C1D07C4A05F52C97A6EA4A3D02B9280F5D0CBB626D5DC2EF0901B94BE13353FAB2FD26076CA021929A40BE04015220B9384D8582005524C46441A
SSDEEP 3072:P6twcArkPApN+E9Nxm16FD3LBCvfsfV0dQND8po:GwsARNxm16FD7Kfq8w8
IMP 5DE640262CA6E90707E8AFE8003C83A6
PESHA1 26811BE1251A6BAF0CA4863A7169490CB2402D4F
PE256 A4FCAC192C7AE9F8F01935BBC6DC9B9F10A6272D99423548F53F5628A09572AD

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\Utilman.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: utilman2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/ef6074adef9da1cca918668221e1cc8e44dc9c82f954f524c58a745a9c41c0da/detection

Possible Misuse

The following table contains possible examples of Utilman.exe being misused. While Utilman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma process_creation_stickykey_like_backdoor.yml - 'utilman.exe' DRL 1.0
sigma win_install_reg_debugger_backdoor.yml - 'utilman.exe' DRL 1.0
sigma registry_event_stickykey_like_backdoor.yml - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal utilman.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win7 = “utilman.exe” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “utilman.exe” or filename == “Utilman.exe” ) CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.