Utilman.exe

  • File Path: C:\Windows\SysWOW64\Utilman.exe
  • Description: Utility Manager

Hashes

Type Hash
MD5 D5C509CBBCFA569F0A6D65C6C66B0D93
SHA1 352673FB76C6BA6A9BBEE0D77E209F5AEDF9C7D5
SHA256 9320FA0D6F39EF9650B0BBACAF413977D0D9D8BEDA578E75EB30C2E73F5011B2
SHA384 2ADECFA6F1DE4CBC6CA711E55573D6567FB712BE72C28C58F4D81DA18D703C8C67633EED2F66AB77AAB1C512BAF9F9B9
SHA512 A6F5C4EC8B30FCC77D5A1E7649C333C7C88824B33AF40C2A623A3B6CEEB71E2EA344EAEE338E8B72FC827E0F61BE81EAE43BC1391CA530BDE9E16FD81BD3428F
SSDEEP 1536:p60YTyifMZJ1acl8I/I/H0tflbqXvFZFxFKAZzPlliSPTcqgoLSbgvVoZtnrqMVr:/QysOahIZf8/HFxFKAtNX0
IMP 4B4C1E1CAFB5E924F5C11455D2B07507
PESHA1 B65BB4F36A50EA50C13644610F3FC003208CF83F
PE256 A2FDEC93AB268AD89D3D67D3161B538142E099B82BB9E4368B2CA1E236FD942F

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\Utilman.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: utilman2.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.488 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.488
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/9320fa0d6f39ef9650b0bbacaf413977d0d9d8beda578e75eb30c2e73f5011b2/detection

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\Utilman.exe 46
C:\Windows\SysWOW64\Utilman.exe 57
C:\WINDOWS\SysWOW64\Utilman.exe 44

Possible Misuse

The following table contains possible examples of Utilman.exe being misused. While Utilman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\utilman.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe utilman.exe *' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with “cmd.exe” (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures “cmd.exe,” or another program that provides backdoor access, as a “debugger” for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the “debugger” program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal utilman.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win7 = “utilman.exe” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “utilman.exe” or filename == “Utilman.exe” ) CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.