Utilman.exe

  • File Path: C:\Windows\system32\Utilman.exe
  • Description: Utility Manager

Hashes

Type Hash
MD5 A117EDC0E74AB4770ACF7F7E86E573F7
SHA1 5CEFFB1A5E05E52AAFCBC2D44E1E8445440706F3
SHA256 B5BC4FCE58403EA554691DB678E6C8C448310FE59990990F0E37CD4357567D37
SHA384 596E40998BB8A644170322CD15368BFFD2AC1188638980AD6CBDA14DED207883E1B402F49796B768A97429DD14B88A6D
SHA512 72883F794FF585FE7E86E818D4D8C54FA9781CAB6C3FAC6F6956F58A016A91F676E70D14691CBE054AE7B7469C6B4783152FBB694E92B940D9E3595FE3F41D97
SSDEEP 1536:luCkS5WgGWiJnTxLyRZ/mDTO1gqoVDaBDH+dnl36sE5xoj0ChJ+QZXKBXzn2+32i:vWgNiNxLydm259d5xoxBXKdn2NV9
IMP 5D627EB225734CC5AB65AC8CA17925A5
PESHA1 6DCED86D1258A8A116B72720CC969AA75CEAADFE
PE256 A3C20D80F7C0F3AA9708E5EF867DCA00DCAE97BC47ACDDF9C39C35AEEE101AC6

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\Utilman.exe
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: utilman2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37/detection

Possible Misuse

The following table contains possible examples of Utilman.exe being misused. While Utilman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma process_creation_stickykey_like_backdoor.yml - 'utilman.exe' DRL 1.0
sigma win_install_reg_debugger_backdoor.yml - 'utilman.exe' DRL 1.0
sigma registry_event_stickykey_like_backdoor.yml - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal utilman.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win7 = “utilman.exe” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “utilman.exe” or filename == “Utilman.exe” ) CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.