Utilman.exe
- File Path:
C:\Windows\SysWOW64\Utilman.exe
- Description: Utility Manager
Hashes
| Type |
Hash |
| MD5 |
8AD7C62A874D0DE5B2DC3823710364FC |
| SHA1 |
163BAA0B19D33C8351F2BBBEB5587DD1C56FC379 |
| SHA256 |
29E406A9926DA88330A9CA81BB16732E6B1693A61701E641B62634B71C384430 |
| SHA384 |
8B172825BB0BF34C08122489D0DA83F8BA2865A9CD86C790BB22D504C26A2900AA5BF33804BC585F6F3664537D04229C |
| SHA512 |
EECDEB426BE733DC4743EC423168808DBB48A06DF83F7F33D3EC824897D6FA164252679C3EFBD22626E9DBF782D2A3BD2169D4007C6DDBD663B6AEF23E0B8BBE |
| SSDEEP |
1536:U6YYGKrfg1PNsKf87M/Is+9DnFfFxbzphAVzPlliSPTcqgoLSbgvVoZtn5qMVGhk:6YGKb8dfAMMfXfA5vu7T |
Runtime Data
Loaded Modules:
| Path |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\Utilman.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266
- Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: utilman2.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of Utilman.exe being misused. While Utilman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source |
Source File |
Example |
License |
| sigma |
proc_creation_win_install_reg_debugger_backdoor.yml |
- 'utilman.exe' |
DRL 1.0 |
| sigma |
proc_creation_win_stickykey_like_backdoor.yml |
- 'utilman.exe' |
DRL 1.0 |
| sigma |
registry_event_stickykey_like_backdoor.yml |
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' |
DRL 1.0 |
| atomic-red-team |
T1546.008.md |
Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.008.md |
| parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1546.012.md |
Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) |
MIT License. © 2018 Red Canary |
| signature-base |
thor_inverse_matches.yar |
description = “Abnormal utilman.exe - typical strings not found in file” |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
$win7 = “utilman.exe” wide fullword |
CC BY-NC 4.0 |
| signature-base |
thor_inverse_matches.yar |
( filename == “utilman.exe” or filename == “Utilman.exe” ) |
CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.