sethc.exe

  • File Path: C:\Windows\system32\sethc.exe
  • Description: Accessibility shortcut keys

Hashes

  • MD5: 062940BA26F1204EBD5F62DF37D0C3A7
  • SHA1: 24FF66352198774F912DC27B7F3B310DAC311EC8
  • SHA256: 52A9E16B777D1FFBBA54A686F9D77AE0AA622EC2FD7A501CEA398B7A53E64793
  • SHA384: F7594E16B8C4E083E2A1965C545206737ED35F392D26D2FE21D5D33CD879134A0E1E2427DA049B6383166280C164B0E5
  • SHA512: B710FD81AF5974B7FA7F075DB64D9CD63F5043C3A27BF53AAD3BD13A53A40E7EDDF3CA51941662F7288FE138D01F0EB926087052A28B0477FB3683D6D225E56E
  • SSDEEP: 6144:U4AA83sWjfA/unAlGr66uFz2LJGRg4kLNnei36cw:RAAwE/ucFCdUc
  • IMP: 22FF4F8C831128EFE52978F175ADCEC0
  • PESHA1: 27AE2FD4296F9667AD93AFD92C5A356B5E5DF61E
  • PE256: 6F009E2AD41F70DA5705D91C942C43CE8525AA1ADF19C201565E56387C05A448

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sethc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/52a9e16b777d1ffbba54a686f9d77ae0aa622ec2fd7a501cea398b7a53e64793/detection/

File Similarity (ssdeep match)

  • C:\Windows\system32\EaseOfAccessDialog.exe (score: 71)
  • C:\windows\system32\EaseOfAccessDialog.exe (score: 65)
  • C:\Windows\system32\EaseOfAccessDialog.exe (score: 63)
  • C:\Windows\system32\EaseOfAccessDialog.exe (score: 68)
  • C:\Windows\system32\sethc.exe (score: 63)
  • C:\windows\system32\sethc.exe (score: 65)
  • C:\Windows\system32\sethc.exe (score: 72)
  • C:\Windows\SysWOW64\EaseOfAccessDialog.exe (score: 66)
  • C:\Windows\SysWOW64\EaseOfAccessDialog.exe (score: 61)
  • C:\windows\SysWOW64\EaseOfAccessDialog.exe (score: 66)
  • C:\Windows\SysWOW64\EaseOfAccessDialog.exe (score: 66)
  • C:\Windows\SysWOW64\sethc.exe (score: 72)
  • C:\windows\SysWOW64\sethc.exe (score: 63)
  • C:\Windows\SysWOW64\sethc.exe (score: 72)
  • C:\Windows\SysWOW64\sethc.exe (score: 60)

Possible Misuse

The following table contains possible examples of sethc.exe being misused. While sethc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\sethc.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe sethc.exe *' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md Replace sticky keys binary (sethc.exe) with cmd.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md takeown /F C:\Windows\System32\sethc.exe /A MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
signature-base cn_pentestset_scripts.yar $s1 = "success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| " ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe" CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe" CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe" CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = "\dllcache\sethc.exe" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = "\sethc.exe /G everyone:F" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s1 = "\sethc.exe /G everyone:F" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = "\dllcache\sethc.exe" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = "\sethc.exe /G everyone:F" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP" CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = "SETHC.EXE" wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "sethc.exe" CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.